Secure Your IT Infrastructure & Create Resiliency

Posted on October 22, 2020July 6, 2022

IT infrastructure is the combination of hardware, software, communications, data centers/hosting services, and human resources that allows an organization to deliver information technology services to its constituent communities.

IT resiliency refers to an organization’s ability to avoid or minimize business disruption when the IT infrastructure is challenged by planned or unplanned events, such as the novel Coronavirus. IT resiliency is at the core of an effective IT strategy, designed to ensure organizations can quickly get back to business after something goes wrong, as well as how to protect your organization from threats in the first place.

Planned or unplanned events that could impede your ability to deliver optimal services may include: production and/or migration failure of systems and/or applications, turnover among key IT staff, man-made and natural disasters, cyberattacks, and malicious activities by known or unknown parties. Any of these events may disrupt or even paralyze an enterprise if proper planning and controls are not in place.

What Are Measures to Improve IT Infrastructure Resiliency?

Document and Test Your Business Continuity Plan

Business Continuity Plans (BCPs) are essential to successfully conduct business seamlessly when disruption strikes. Having a working BCP in place in advance of a disruptive event helps to lessen the impact on people, processes, and systems.

AAFCPAs’ Business & IT Consulting practice advises clients to first answer the questions: “What do we need most?”, “How long can we be without?”, and “How much data can we afford to lose?” The answers to these questions generate a Recovery Time Objective (RTO) and Recovery Point Objective (RPO). From there, a specific plan to address the needs of each service may be developed.

Document and Test Your IT Disaster Recovery Plan

An IT Disaster Recovery Plan (DRP) is a documented and tested process or set of procedures which ensures your organization can recover IT systems, services, and data following an event. DRPs should be tailored to your business size, industry, and specific IT infrastructure. The plan will be multi-discipline and include other departments outside of IT. A risk-based approach will drive answers to “How will we work?”, “Where will we work?”, “What is the impact to the business and our constituents?”, and “Who will communicate to our constituents?” Once crafted, periodic testing of the DRP should be executed as part of your BCP in order to support business operations.

Sound Backup and Recovery Strategy

Organizations must implement strategies that protect both their data and their ability to access it. These strategies are only a single component of a comprehensive BCP and broader DRP.

The Backup and Recovery Strategy should include routinely scheduled backups of your business’ critical systems. Routine is subjective and driven by RTO and RPO requirements specific to the environment being backed up and recovered.

Robust Risk Assessment

Understanding where risks exist in your technology enterprise is paramount to your ability to effectively manage them. Risks come in many forms and are as individual as your organization. Risks exist in aged technology; outdated solutions; access control deficiencies of incoming, existing and departed staff; inappropriately configured systems; poor password management practices; and a lack of employee training and awareness, to name but a few.

AAFCPAs advises clients to perform regular top down risk assessments as a solution to help identify, prioritize, and remediate deficiencies.

How Can AAFCPAs Help?

AAFCPAs recommends performing an IT Risks and Controls assessment first. Once completed, visibility to high risk concerns will be unveiled and then may be addressed. If cyber security is of strong concern, network penetration and cyber assessments may also be employed. If you host private and/or confidential information covered by HIPPA, GDPR, PCI, or other local, state, federal, or international governing requirements, these services should be considered.

AAFCPAs’ Business & IT Consulting practice advises clients on improving their IT Resiliency with recommendations that are right-sized and tailored to be appropriate given each client’s resources and specific IT infrastructure requirements.

If you have any questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062, jjumes@nullaafcpa.com; Vassilis Kontoglis at 774.512.4069, vkontoglis@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting. James developed a unique methodology to delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.

Vassilis Kontoglis

Vassilis is a senior member of AAFCPAs' Business Process & IT Advisory practice with proven expertise in cyber security and IT risk assessments, data analytics and data visualization, and robotic process automation. He also has extensive expertise assessing IT general controls, and conducting System and Organization Control (SOC) attestations. He helps clients increase business process efficiency, effectiveness, and risk management.