Understanding IT Assessments

Learn how optimizing IT systems improves efficiency, reduces risk, and maximizes security. 

Introduction

Today’s IT environments are complex, and it can be difficult to keep all balls in the air at once. Between security, performance, firefighting, compliance, and risk mitigation, 100% efficiency 100% of the time is impossible. Although it is unrealistic to expect every IT system to always run at optimal levels, it is possible to pinpoint actual and potential issues early and address them to minimize disruptions and maximize efficiency. 

IT assessments can be a powerful tool in your infrastructure protection and maintenance strategy. They can help identify major security issues or other problems that could become very costly down the road if they aren’t addressed and repaired quickly. To take an educated step toward the right assessment, however, you first need to understand the different types of assessments and how to use the results to improve your IT processes, policies, and practices.

 

Do I need an IT assessment?

Let’s start by admitting that no one likes to be judged, and placing your organization’s IT environment under the microscope sounds like a fast track to Judgmentville. But just like your own annual checkup, conducting regular IT assessments ensures all systems are working properly and identifies areas that need improvement. Yes, it can be a bit uncomfortable, but the alternative is way worse. 

So let’s rip off the proverbial Band-Aid and take a closer look at IT assessments — and while we’re at it, IT health checks and IT audits — and how, together, they can improve almost every aspect of your organization’s IT ecosystem.

 

Why IT Assessments, IT Health Checks, and IT Audits Are Important

At first glance, assessment, health check, and audit sound pretty synonymous, but when you dig a little deeper, each process plays a specific role in maintaining IT health and security. A simplified way to look at it is that audits give you the big picture, health checks take care of the day-to-day maintenance, and assessments give you your marching orders.

In broader terms: 

  • An IT assessment is a comprehensive review of a company’s technology, infrastructure, security, policies, procedures, and IT system health that results in actionable suggestions for improvement. 
  • A health check monitors systems to make sure they are performing as expected and addresses issues that crop up.
  • An audit measures how well your organization is meeting certain standards or conforming to a set of criteria.

 

How to Pick the Right IT Assessment Partner

The “whys” for scheduling regular IT assessments are fairly straightforward: Assessments help your IT team optimize system performance, increase system/data/network security, and identify issues and vulnerabilities early. 

But to achieve these goals, IT assessments need to dig deep, so it is important to select the right service provider. Look for someone who looks beyond the business relationship and takes on the role of a trusted partner.

Be sure your assessment is done by someone who understands your business objectives and challenges so they can home in on issues that may affect your company’s success. And finally, don’t forget to check credentials and references. Due diligence is key to seeing the maximum benefit from this partnership.

Now that you know the benefits of IT assessments, IT health checks, and IT audits, and you know what to look for in a service provider, let’s dive deeper into the practicalities and pitfalls of IT assessments.


1. IT Health Checks

IT health checks provide actionable insight into any major issues that require attention while helping you document and understand the major pain points in your IT environment.

Using a combination of automation and subject matter expertise, a comprehensive IT health check can do everything from pinpointing the root cause of a slow-running application to ensuring remote employees are working efficiently.

IT health checks are generally broken out into technology-specific focus areas. For example:

Microsoft

  • Microsoft 365
  • Azure infrastructure
  • Active Directory
  • Exchange
  • SharePoint
  • File servers

Networking

  • Wireless surveys
  • Device asset management
  • WAN and LAN 
  • VoIP readiness
  • Routing and switching

Security

  • Unified communications
  • Firewalls
  • Antivirus
  • Anti-spam
  • Security posture
  • Security policies
  • Compliance  
  • Microsoft 365 security

A la carte checks are also available to monitor the performance of essential functions, including backup health checks and disaster recovery assessments.


 

2. IT Assessments

To ensure full coverage of your organization’s IT environment, IT assessments generally focus separately on infrastructure and wireless network capabilities.

Infrastructure Assessment

An infrastructure assessment is a comprehensive review of your current technology systems. The findings of the assessment are outlined in a detailed report that includes recommendations and best practices, which may prompt an IT impact assessment to determine the feasibility of the recommended changes. 

Ideally, an infrastructure assessment will include a documented review of the following areas:

Servers

  • Virtualization
  • CPU/RAM and storage capacity
  • Asset lifecycle status
  • Network configuration

Security

  • Endpoints and devices
  • Passwords and policies
  • Firewall assessment
  • Antivirus configurations

Windows environment

  • Active Directory and domain controllers
  • Operating system lifecycle status
  • Microsoft 365 and Azure configurations

IT environment

  • Application delivery
  • Print environment
  • Cloud readiness/public cloud information
  • Policies and procedures

Data protection services

  • Backup
  • Disaster recovery

Wireless Network Assessment

These days, a reliable, secure wireless network is a business imperative. A wireless network assessment will help ensure your wireless network performs optimally. A well-done assessment will:

  • Show where in the office the Wi-Fi signal is weak or absent
  • Pinpoint the source of connectivity issues
  • Provide documented recommendations and suggested best practices for improvement

 

3. Security Assessments

Over the past few years, cyberthreats have grown more frequent, more destructive, and more difficult to detect. When you couple those threats with ever-broader attack surfaces created by the new remote workforce and our growing use of IoT and personal devices, many organizations are falling short when it comes to security.

A security assessment can help minimize many of these security risks. During the assessment, a security expert conducts a technical review of your technology systems, physical security, and policies, looking for holes and weaknesses that could lead to a security incident.

 

A few of the core components of a security assessment include:

  • A security posture review to get actionable insight into your current security footprint and identify areas of concern and security gaps in your IT environment.
  • Vulnerability assessment and penetration testing to uncover internal and external vulnerabilities so you can remediate potential security problems before hackers find them. Penetration testing gives the added benefit of letting you see what hackers see and how they are exploiting vulnerabilities.
  • Security awareness testing to demonstrate how much your employees know about security awareness by testing their skills with a simulated phishing test and other social engineering tests that show how likely they are to accidentally reveal sensitive information.
  • A ransomware readiness assessment, which may be used to determine how prepared your organization is to deflect or bounce back from a ransomware attack.


 

4. IT Audits

IT assessments and IT audits sound like they do the same thing, but they actually serve completely different purposes.

One key differentiator between IT assessments and IT audits is the order in which they occur. Generally, an assessment is conducted before an audit so issues can be resolved in advance of the audit.

The primary purpose of an IT audit is to provide third-party assurance and documentation that a company’s IT systems are meeting a specified set of criteria. 

For example, if we look at access control, an assessment would determine whether the company uses multifactor authentication, but an audit would actually test the system to make sure the authentication process works as intended. 

Additionally, failing an audit tends to have more significant consequences than failing an assessment. When an assessment identifies a deficiency, the assessment team offers suggestions to remediate the problem, which can be implemented or ignored.

Ignoring the suggestion may lead to problems with the audit, but generally, there are no direct consequences. However, depending on the industry, failing an IT audit or a security audit can lead to noncompliance penalties and possible legal fees.


 

5. Right IT Assessments for Your Business

IT assessments are not a one-size-fits-all endeavour. The type and timing of assessments should be tailored to your organization’s specific needs. 

For example, each organization decides its own acceptable level of risk, and based on that decision, a security assessment could be conducted in different ways.

Vulnerability assessments and penetration testing can be done internally (i.e., addressing insider threats), externally (i.e., approaching the assessment from a hacker’s perspective), or both. Which strategy you take will depend on where the company’s main threats are thought to originate.

Organizations also have to decide how frequently to conduct IT assessments. Industry standards suggest doing some tests quarterly, others annually or biannually, and still others anytime new applications or software are added to the company infrastructure. However, these are just suggestions, and a company’s risk tolerance, among other factors, will determine the actual timing of assessments.

PRO-TIP: Ensure that you speak the same language as your IT partner.

At IT Weapons, our executive summary is delivered post-executive assessment. It is always geared toward a non-technical audience. This assessment is a key benefit of our initial partnership — it is the first step we take in our journey together and should be built on trust. No sugarcoating and no hiding behind excessive jargon. These assessments are the key to your company’s security and infrastructure. We do not aim to be the gatekeeper of your tech; we aim to be your partner through honesty and transparency.


 

6. Warnings About “Free” Assessments

We’ve all heard the old adage, “If it sounds too good to be true, it probably is.” Well, it is a popular saying for a reason. If you’re considering having a “free” IT assessment run on your systems, be sure you know what you’re getting into first.

When you sign up for a free assessment, what you are likely to get is a couple of people wandering around the office and asking a few questions — maybe sitting down and chatting for an hour.

True IT assessments that provide valuable, actionable findings are time- and labor-intensive. Most high-caliber assessment providers aren’t going to exhaust efforts and offer expertise for free.

Then there is the risk involved in granting a third party access to your systems. Before you hand over the keys to the castle, look for red flags that this free assessment might end up costing your company thousands of dollars (or more!) to clean up an inadvertent security event or just shoddy work.

You know it’s time to walk away if:

  • The service provider wants to log in and start “assessing” on day one without first understanding your business and infrastructure.
  • They pressure you to act fast without time for proper due diligence.
  • The vendor doesn’t define the scope of the assessment at the beginning of the project and just wants to jump in.
  • They don’t prepare a contract including a confidentiality agreement. 
  • The provider can’t or won’t provide a sample assessment or client references.

There is too much at stake during an IT assessment to hire the wrong people. It is crucial to take your time and find a true partner whose primary goal is improving your business’s security and performance.

These “free” assessments come at a price — and when it comes to protecting your company’s data, applications, and systems, that price may be way too high.
