Diving into an existing technical environment can be a challenge. The servers and websites might be running smoothly. Or not. Documentation might be plenty and accurate — or out-of-date or missing altogether.
If you’re starting a new gig as an IT pro, here’s an action plan for inherited assets to get you going, fast.
Analyze server log files and Service Level Agreements (SLAs).
Analyze them. They will reveal the current state of the environment and how well commitments are being lived up to. It might take some sleuthing to find all the service providers and their account numbers. If there are multiple accounts at the same provider, consider merging those accounts (but first see if there’s a reason for the multiple accounts).
Look at open and historical support requests.
Are there a lot of them? Do they cluster around the same areas? Are there any discoverable patterns? How long does it take to close a ticket? Some things will be obvious and immediate. Others will require more digging and thought on your part.
Inventory on-premises and hosted servers, software and other equipment.
Know what is and isn’t operational, where it is and what it is running. Know how each asset is connected to the network. There are a number of programs that will help you construct an inventory. Check out this article to learn how to design a network map. However if starting from scratch, conduct a quick-and-dirty inventory using a spreadsheet to create an overview of existing assets.
Check server load.
See if everything is balanced. While no one deliberately puts an unbalanced load on a hosted server, the daily give and take of running applications might create overload. Check not just the size of the applications but also the load that each application puts on the servers’ resources. Sometimes even a fairly small application can gobble a disproportionate amount of CPU cycles, bandwidth or RAM.
Review software licenses.
Let’s hope that the new client or new employer is compliant with software license terms and conditions. It might be your responsibility to ensure compliance; take nothing for granted. Work with the team to ensure that all licenses are in place.
Find where the backups are. Are there backups? Do some go off-site, and if so, when and how? Backups often fall through the cracks when there is a changing of the guard. If the organization has offsite backups, ensure that they are accessible as soon as possible.
Change the keys.
Talk to management first, but changing administrative passwords and encryption keys might be urgent or prudent. Those include account passwords at hosting companies and other service providers, server logins, application logins, payment portals and more. Do not change passwords without permission from the management, and find out who else should have those passwords.
Check hosting and DNS records.
Check them all. Once you have access to all the hosting accounts — including domain-name registries — make sure that all the records are correct. Be sure that the technical and administrative contact information is correct. Ask management if they would you like be the technical contact; the CFO or other corporate officer should also be on the notification list.
Review password policy.
What is the site’s policy on passwords? Is there a policy? Do they have to be a strong mix of numbers and letters? Are they changed regularly? Who is responsible for maintaining the password file, issuing new passwords and supplying lost or forgotten passwords.
Make sure someone with authority is assigned to manage the password files.
Review application access.
Who has access to what applications? The principle of minimum access should apply here with access limited to those areas needed to do the job. Divide users into functional groups and manage access by group.
Safeguard server security.
Make sure that the individual applications are appropriately guarded. For example, make sure all the web applications backed by databases are protected against common security threats like cross-site scripting, Server Side Includes (SSI) and SQL injection attacks. Here’s a great resource to learn more about SQL injection attacks.
Review essential documentation.
Work with the appropriate line-of-business management to ensure that the documentation is both secure and available to whoever may need it in an emergency. If you are a contractor, the customer should have all documentation. If you’re an employee, make sure your boss knows where to find it. Make sure that unauthorized individuals can’t find physical or electronic documentation, especially if it includes account numbers, usernames, administrative logins or passwords.
Develop the big picture and little picture.
You also need to develop a picture of the overall operation. It helps to draw diagrams showing how the various pieces fit together to help map out the servers and websites, and how the websites relate to the business as a whole.