Cornerstones of IT: An Introduction

The Cornerstones of IT are fundamental concepts that should be understood not only by everyone in IT, but also by every manager in an organization who interacts with IT.

Because of the fundamental nature of this topic, these items are presented with as little technical content as possible.

Philosophy of IT

  • Purpose of IT - Supports the Business Processes that Support the People who do the work of the business or organization.
  • Humbling Nature of IT - As with most Support roles, IT will typically hear mostly bad things and few praises about what is going on in the environment they manage.
  • Fighting Fires - If you don't monitor support requests, don't monitor the infrastructure's age or functionality, or don't take the time to do things properly the first time, then most of your time will be spent "fighting fires".
    But hopefully not real fires.
  • Perception - It doesn't matter how fast your server is or how rarely things are down, even if you can prove it. What matters is how people perceive things to be.
    And that rarely matches reality.
  • Security - The quickest way to end your career is through a problem with security. Everyone in a company is responsible for the security of the infrastructure. Never be afraid to push back on poorly informed requests.

Security

  • Least Privilege - Don't give anyone, including IT, more access than what is needed for their job.
  • Role Based - Security should be designed so that users aren't individually assigned access. Access should instead be granted to role-based groups.
  • Monitoring - Changes made to security settings, including User IDs, should be monitored daily, or more often, to watch for malicious or idiotic activity. Usage of any privileged access should be monitored as close to real-time as possible.
  • Reviews - Regular reviews, monthly or quarterly, should be done on all settings and security access. This is distinctly different from the change monitoring.
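
A periodic review of the kind described above can be scripted against an export of access grants. The following is an added example, not part of the original article: it flags access assigned to individual users instead of role-based groups, and access that exceeds what a job role needs. All user, group, role and resource names are constructed sample data.

```python
# Constructed sample data: every name below is hypothetical.
ROLE_NEEDS = {
    "accounting": {("finance-share", "read"), ("finance-share", "write")},
    "helpdesk": {("ticket-db", "read"), ("ticket-db", "write")},
}
USER_ROLE = {"alice": "accounting", "bob": "helpdesk", "carol": "helpdesk"}
GROUP_MEMBERS = {"grp-accounting": {"alice"}, "grp-helpdesk": {"bob", "carol"}}
# Each grant: (principal, kind, resource, permission)
GRANTS = [
    ("grp-accounting", "group", "finance-share", "read"),
    ("grp-accounting", "group", "finance-share", "write"),
    ("grp-helpdesk", "group", "ticket-db", "read"),
    ("grp-helpdesk", "group", "ticket-db", "write"),
    ("grp-helpdesk", "group", "finance-share", "read"),  # broader than the role needs
    ("carol", "user", "domain-admin", "full"),           # individually assigned access
]

def direct_user_grants(grants):
    """Grants assigned to an individual user instead of a role-based group."""
    return [g for g in grants if g[1] == "user"]

def effective_access(user, grants, group_members):
    """Everything a user can do, via direct grants and group membership."""
    access = set()
    for principal, kind, resource, perm in grants:
        direct = kind == "user" and principal == user
        via_group = kind == "group" and user in group_members.get(principal, set())
        if direct or via_group:
            access.add((resource, perm))
    return access

def excess_access(user_role, role_needs, grants, group_members):
    """Per user, the access that goes beyond what the job role needs."""
    report = {}
    for user, role in user_role.items():
        granted = effective_access(user, grants, group_members)
        extra = granted - role_needs.get(role, set())
        if extra:
            report[user] = sorted(extra)
    return report

if __name__ == "__main__":
    print("Direct user grants:", direct_user_grants(GRANTS))
    report = excess_access(USER_ROLE, ROLE_NEEDS, GRANTS, GROUP_MEMBERS)
    for user, extra in report.items():
        print(user, "exceeds role needs:", extra)
```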

Backups

  • Backup Frequency - Your frequency of backups is driven by your Recovery Point Objective (RPO), which is how much data you are willing to lose in the event of a failure. This will also be dependent on the types of backups you take and how large the system is.
  • Backup Retention - How many or how long you keep them can be driven by various business decisions. For example, if a user overwrites a file and doesn't realize it for a day or two... you need multiple copies of backups to restore that file. You may even need years-old copies of your database to give a snapshot for reporting during audits, depending on your software and processes.
    • Previous Versions - The first level is to have a copy of what each file looked like yesterday.
    • Multiple Versions - The next level is to have a copy of what each file looked like every month for the past number of years.
  • Backup Level - Your backup level is often driven by your Recovery Time Objective (RTO), which is how long you can tolerate being down.
    • Full Machine Backups - When you need to make sure you can restore a server as quickly as possible, you need to back up the entire machine: every partition on every disk. This is used for "Bare Metal" recovery, meaning the ability to recover from a backup directly to a brand new server or Virtual Machine.
    • Snapshots - With virtual technology and enterprise-grade hardware it is now possible to take regular snapshots of your servers. When this is done, new data is written somewhere else on the disk so that you can return a server instantly to a previous state.
    • File Backups - This is used when you can tolerate more time to full recovery. This can be handy if you keep a Disaster Recovery Drive somewhere and get it out once a month or if the server takes as long to rebuild the OS as it would take to restore it. A good example would be with a file server.
    • Application Backups - Different applications have specific methods of backing up. For example, you can't simply back up a SQL database file or Exchange mailbox file and reasonably expect it to work after being restored. To resolve this, these applications have a backup function that creates a file you can back up and restore successfully every time.
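
The frequency and retention points above can be checked against a backup catalogue. The following is an added example, not part of the original article: it measures the longest recent stretch without a backup (the most data that could be lost, to compare with the RPO) and lists calendar months in the retention period that have no retained copy. The timestamps, the 7-day window and the 24-hour RPO are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup catalogue (completion times); not from a real system.
NOW = datetime(2024, 6, 10, 8, 0)
NIGHTLY = [datetime(2024, 6, d, 1, 0) for d in (4, 5, 6, 8, 9, 10)]  # 7 June failed
MONTHLY = [datetime(2024, m, 1, 1, 0) for m in (1, 2, 4, 5)]         # March copy lost
CATALOGUE = NIGHTLY + MONTHLY

def worst_gap(backups, now, window):
    """Longest stretch without a backup inside the recent window,
    counting the time since the newest backup."""
    recent = sorted(b for b in backups if now - window <= b <= now)
    if not recent:
        return window  # nothing in the window at all
    points = recent + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def meets_rpo(backups, now, window, rpo):
    """True if no recent gap between backups exceeds the RPO."""
    return worst_gap(backups, now, window) <= rpo

def missing_monthly_copies(backups, now, months):
    """Calendar months (newest first) in the retention period with no copy."""
    have = {(b.year, b.month) for b in backups}
    missing, year, month = [], now.year, now.month
    for _ in range(months):
        if (year, month) not in have:
            missing.append((year, month))
        year, month = (year, month - 1) if month > 1 else (year - 1, 12)
    return missing

if __name__ == "__main__":
    week = timedelta(days=7)
    print("worst gap:", worst_gap(CATALOGUE, NOW, week))
    print("meets 24h RPO:", meets_rpo(CATALOGUE, NOW, week, timedelta(hours=24)))
    print("months without a copy:", missing_monthly_copies(CATALOGUE, NOW, 6))
```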

Availability/Redundancy

  • Redundancy is critical to availability. When a system goes down, how long can you wait to have it back online? Can you afford to have a redundant system fully ready to take over at a moment's notice?
  • Consider these critical pieces of your business:
    • Power - Power is critical to keep electronics running, but its redundancy is sometimes difficult to verify.
    • Network Connectivity - It is important that computers and servers can communicate securely and reliably. The Internet is also critical to almost every business and organization.
    • Timely Replacement - The best time to replace something is right before it breaks.
    • Personnel - Cross-training is needed to provide sufficient availability during sickness, vacations, and ice storms.

Communication

  • With Users - Users must know of activities that are going on that may affect them. This is huge for perception control.
  • With Vendors - Every Vendor you use should be providing you with communication about the services they provide. They absolutely should be communicating if they're working within your network.
  • Within IT - Rapid and effective communication about changes and issues helps reduce headaches and double work within the IT department.

Training

  • User Training
    • Implementation Training - When you implement a new technology or have a significant change, training must be widespread, timely, and concise.
    • Ad-hoc Training - You should monitor your service desk calls for any recurring issues that can be resolved with department-specific training or simple "Tip of the Day" style messages.
    • Recurring Training - Some items, such as security awareness training, must be recurring because they are important for everyone to know but either aren't used or their use isn't easy to enforce.
  • IT Employee Training - In addition to the user training, not replacing it.
    • Implementation Training - This type of training is more complex than the user version. It is in-depth training about how the solution was implemented, what pieces are critical to make it work, and what to do when things go wrong.
    • Ad-hoc Training - Similar to training users on how to function in the increasingly complex environment when there are new issues, IT also needs occasional training on issues that arise, things to watch out for, and new tricks to make jobs easier.
    • Technology Training - New technologies are constantly being released. IT needs to be prepared to handle them and the easiest way is to provide employees an opportunity to learn new topics they don't normally encounter during their day.