What are some best practices when taking over IT at a new company? [closed]

security best-practices

Solution 1:

Honestly ... nothing, not a damn thing. I sit back and learn the job as it is done NOW by the people that are there. After some time and when you are sure you have a good handle on how things work now (not just technically, but politically, and inter-personally as well) you can start formulating lists of what you think should be changed.

If you don't understand where you are right now, your ideas of where you should be could and most likely will be wildly off from reality.

As for red flags:

  • Many many manual processes
  • No Change Control
  • No Documentation or worse wrong documentation
  • VP/C-levels that are WAY too involved in the day to day operations (like resetting servers when you aren't in the middle of an emergency and nobody else can do it)
  • Cheap equipment everywhere but the company claims to make XXX (million/billion) a year
  • Unhappy employees
  • Constant firefighting
  • No or poor monitoring system
  • "You need to talk to 'joe'" is the answer to every question you ask
    • and joe isn't in IT

As for must haves ... I think that depends on on what you do and how you do things... like I must have a digi terminal server hooked to a modem with a dedicated line as a last resort if I can't get to my Voice Routers... but you may not need that. Once again, sit back and take some time to figure out how things are and what peoples complaints are first before swooping in and wanting to change everything.

Solution 2:

This is all high level stuff:

Security:

  1. Audit who the admins are. Verify they should be admins.
  2. Determine what the IT controls are in place and the last time they were verified.
  3. Verify patch levels / OS and application updates.
  4. Perform at least minimal vulnerability scanning using readily available tools.
  5. Check physical security on servers and core networking equipment.

Environment/Performance:

  1. Determine what pain points exist in your data center.
  2. Find out what your SLAs and OLAs are and verify they are remotely reasonable.
  3. Put at least cursory performance monitoring on systems to ensure none of them are overloaded.
  4. Understand how key assets are deployed and have physical verification that they are where everyone says they are and they are configured as they are supposed to be.

Personnel:

  1. Meet with IT personnel one-on-one or in small groups outside of the work setting (lunch, for instance) to get to know how each one is as a person.
  2. Talk with folks who interact most with your IT staff to determine who are the hard workers, who have good people skills, who are brilliant but socially challenged, etc., so you can ensure they're in the proper places to do the job.
  3. Determine where your pain points are from the security and performance and make a call if it's the current people who are employed, lack of people, lack of tools, or some combination.

Related

How to obtain Cisco IOS firmware?
How to determine which file/inode occupies a given sector
Internet Explorer isn't auto-discovering http://wpad/wpad.dat auto-config
nginx error_log reports “bind() to 0.0.0.0:80 failed (48: Address already in use)”
What is the Scala identifier "implicitly"?
How to build sources jar with gradle?
How do you automatically set the focus to a textbox when a web page loads?
Python code to remove HTML tags from a string [duplicate]
Modifying a subset of rows in a pandas dataframe
What is username and password when starting Spring Boot with Tomcat?
Remove git mapping in Visual Studio 2015
How do I customize Visual Studio's private field generation shortcut for constructors?