Improve your cybersecurity posture and efficiency by documenting your IT infrastructure

26 Nov 2024, by Slade Baylis

When it comes to your IT infrastructure, it’s hard (if not impossible!) to know how secure you are if you don’t know where everything is located and how it's all configured.  This is because every endpoint is an entry point into your network, with each one having the potential to grant access to malicious third parties should it be broken into.  That’s why having full knowledge about your systems is key to your security.  It’s important to know how many different servers, computers, laptops, phones, firewalls, and other systems you have, as well as whether they’ve all been properly configured and protected against the latest threats.

The only way to have full knowledge and know for certain is to ensure that your environment is properly documented.  This documentation should include details of where systems are located (both physically and in terms of what provider they're hosted with), how they're configured, and also how they are connected together.  It should also include all the procedures that staff members need to follow when interacting with and using your systems.  Documenting allows you to know whether you have adequate security in place, with the procedures ensuring things remain that way.

On top of improving your cybersecurity posture, there are other incentives for having documentation in place and for doing it properly.  This is because proper documentation can help make your organisation more efficient and productive.  Having a central repository of the information that your staff require about your systems reduces the amount of time they spend looking up information or having to audit your systems in order to discover how things are configured, time and time again. 

Proper documentation dramatically reduces the amount of time and effort that will be required to onboard new staff members and to train existing staff members.  It even saves time by preventing staff members from having to relearn things, as having access to documentation can help refresh one's memory and gain knowledge much quicker and easier than not having it in place.

How proper documentation can make you more efficient and productive

Without a system being documented, onboarding new staff members or helping existing staff members become familiar with it can take many different meetings and hand-guided explanations.  In some cases – depending on the complexity of the system – many training sessions may be required to fully cover how things are configured and why they are set up in the way that they are.

A report released by McKinsey[1] found that around 19% of a knowledge-worker's day can be taken up by searching and gathering information – which amounts to around one and a half hours every single day!  Over the course of a year for a typical employee, this amounts to 395.2 hours of potentially wasted time, or 49.4 full days!  If this isn’t bad enough, another survey from 8x8 Inc[2] – a leading SaaS and VoIP provider out of the US – found that 49% of employees spent 30 minutes to 2 hours each day trying to track down information that they required in order to do their jobs, with 19% not being able to find the information that they needed at all within their current systems.

With this being the case, it’s easy to see why having a central system that documents most of the information that staff will need to know about your systems - or processes to follow when using them - can be massively beneficial towards increasing productivity.  Having a system documented as to the “what, why, where, and how” means that you can have staff learn how things are set up for themselves without needing to walk them through it each time.  Documentation saves time, not only for the person who would otherwise need to train them, but also for the trained staff member, as it allows them to go back to it whenever they feel they need a refresher. 

The goal when writing documentation should be to enable your staff to easily find out what is currently set up, why it was set up that way, where it is (as in which provider it’s with and where in the world it’s located), as well as how they should interact with these systems.

The benefits of having a Standard Operating Procedure (SOP)

Specifically talking about the “how” aspect mentioned above, a huge advantage of having your systems documented is the establishment of a Standard Operating Procedure (SOP).  Similar to a Standard Operating Environment (SOE), which establishes the standard configuration for a particular environment, an SOP establishes the procedures that should be followed when using and interacting with your environments and systems.

The goals of documenting procedures are:

  • To ensure that best practices are followed: This ensures that things are done correctly, regardless of who is performing the task or their previous level of knowledge and training.
  • To ensure that results are predictable and standardised: This ensures that the same outcomes are achieved every time the procedure is followed, eliminating the likelihood of errors and unexpected results, as well as potentially misconfigured and insecure systems.
  • To prevent misunderstandings within the team: This ensures staff are able to know what the outcome should be, as well as removes any confusion regarding the steps that should be followed to achieve it.
  • To increase efficiency when performing specific tasks: This ensures tasks are performed in the right order, with less confusion about what needs to be completed and when it needs to be done.
  • To help train up staff who are unfamiliar with the procedures: This allows the trainer to more easily explain and walk through the process with each new staff member, or staff members that are unfamiliar with the process.  Training this way not only saves time for the trainer and the trainee, but it also allows for that staff member to self-train or to go back to that documentation whenever they feel the need for a refresher.

The importance of documentation for your cybersecurity posture

As discussed above, documentation is good for your organisation's bottom line, but it's also crucial to have it in place for your security posture. This is because if you don't have proper documentation of how your systems are configured, then you really have no way of knowing for certain that you're secure from cyberthreats.

What applications does your organisation rely on?  Which provider is hosting those systems?  Where is the data actually hosted?  What security applications or dedicated appliances are in place to protect them - such as EDR (Endpoint Detection and Response) software, Web Application Firewalls (WAFs), firewalls, vulnerability scanning appliances, etc?  Through having solid answers to these kinds of questions and ensuring that your organisation has documented your existing systems, you’re able to confirm at a glance whether your systems are protected against the latest types of threats, or if instead they’re vulnerable and exposed to cyberattacks. 

Depending on your objectives, there are many different ways to document your systems and processes, and different standards to document them to.  If you’re looking to meet international standards for managing information security – such as those outlined in the ISO/IEC 27000 family[3] of security standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) – then the level of documentation that will be required will be quite high.  However, most organisations only look to create documentation for internal use, primarily to improve productivity and knowledge about their systems, and so they don’t look to meet these high standards.

For basic documentation on IT infrastructure, there are three things that should be included at a minimum:

  • Network diagrams: As they say, a picture is worth a thousand words. Having a visual guide as to what systems are set up, how they’re connected, and any security appliances that exist, allows you to get a quick idea of how everything is configured at a glance. 
  • Asset lists: Whilst a well-made network diagram is very useful for getting an overall picture of how things are set up in an organisation, it’s also recommended to have a full asset list for each one of your systems. Having an asset inventory allows you to track your hardware and software, ensures they’re being updated or replaced as necessary, and also helps prevent unneeded expenditure by avoiding unnecessary duplication of systems.
  • Policies & Procedures: As noted earlier, it’s important to ensure that the processes that you expect to repeat are sufficiently documented. By having your policies and processes documented, you’re able to achieve predictable and preapproved results, make more efficient use of staff time, and also ensure that your systems remain secure.

By having these three areas covered, you will be able to easily up-skill your staff when required, have a full overview of how your systems are configured and where they are located, as well as ensure that your infrastructure and applications remain secure over time.
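
As an added illustration (not part of the original article), the asset list described above can be kept in a machine-readable form and checked for gaps, including hosts that exist on the network but were never documented. The field names, the per-type control baseline and the sample records are assumptions constructed for this example.

```python
# Added example: audit a documented asset list for gaps.
# Field names, the control baseline and all sample records are constructed
# for illustration; adapt them to your own documentation.

# "What, why, where, how" fields every record must fill in.
REQUIRED_FIELDS = ("purpose", "provider", "location", "procedure")

# Assumed baseline: security controls each asset type must have recorded.
BASELINE = {
    "server": {"edr", "firewall"},
    "laptop": {"edr"},
    "web-app": {"waf"},
}

INVENTORY = [  # constructed sample records
    {"name": "web01", "type": "web-app", "purpose": "customer portal",
     "provider": "ExampleCloud", "location": "Melbourne",
     "procedure": "SOP-012", "controls": ["waf", "firewall"]},
    {"name": "db01", "type": "server", "purpose": "portal database",
     "provider": "ExampleCloud", "location": "",
     "procedure": "SOP-013", "controls": ["firewall"]},
    {"name": "lt-finance-03", "type": "laptop", "purpose": "",
     "provider": "on-premises", "location": "head office",
     "procedure": "SOP-020", "controls": ["edr"]},
]

# Constructed list of hosts actually seen on the network (e.g. from a scan).
DISCOVERED = ["web01", "db01", "lt-finance-03", "nas-old"]


def audit(inventory, discovered):
    """Return {asset name: [gaps]} for incomplete or undocumented assets."""
    findings = {}
    for asset in inventory:
        gaps = [f"missing {f}" for f in REQUIRED_FIELDS
                if not str(asset.get(f, "")).strip()]
        needed = BASELINE.get(asset.get("type"), set())
        missing = sorted(needed - set(asset.get("controls", [])))
        gaps += [f"no {c} recorded" for c in missing]
        if gaps:
            findings[asset["name"]] = gaps
    documented = {a["name"] for a in inventory}
    for host in discovered:
        if host not in documented:
            findings[host] = ["not in asset list"]
    return findings


if __name__ == "__main__":
    for name, gaps in audit(INVENTORY, DISCOVERED).items():
        print(f"{name}: {', '.join(gaps)}")
```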

Have questions about the best ways of documenting your environment?

If you’re unsure of where to begin with documenting your environment, let us know!  We can help you scope out your environment, advising what you should include, and the best ways of storing that information.

You can reach us via email at sales@micron21.com or call us on 1300 769 972 (Option #1).

Sources

[1] McKinsey, “The social economy: Unlocking value and productivity through social technologies”, <https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/the-social-economy>
[2] BusinessWire, “Over 50 Percent of Knowledge Workers Cannot Find the Information They Need at Work, National Survey Finds”, <https://www.businesswire.com/news/home/20191009005164/en/Over-50-Percent-of-Knowledge-Workers-Cannot-Find-the-Information-They-Need-at-Work-National-Survey-Finds>
[3] ISO, “ISO/IEC 27000 family”, <https://www.iso.org/standard/iso-iec-27000-family>
