- This topic has 11 replies, 5 voices, and was last updated 2 years, 7 months ago by
Elalamein.
Mon, Feb 3 2020 at 11:05 am #1554828
Hello folks,
I’d like to hit you with a sort of brainstorming. Let’s say I am an IT provider for the SMB sector and I’d like to offer my services to a completely new customer. I have 0 knowledge about his IT environment, online services, etc. What would be your approach in making your first move with auditing such a customer?
Points in my mind:
- Try to gather as much information from the customer (servers, services, etc).
- Connect my PC to their network, see what IP I get, what is gateway and DNS.
- Assume the DNS is also AD server.
- Check WAN connection, active network devices.
- Run network scanner to acquire live machines, ideally something like Angry IP or NMAP.
- Check with the customer if he knows the devices.
- Identify all devices, run HW scan.
- Run installed SW scan, check all paid licenses with customer, ask for certificate of purchase.
- Ask for known providers, contacts, online services in usage.
- Webhosting/domain/O365 logins.
- Servers:
  - licenses, 3rd party SW & support
  - other features in usage
  - backups
  - shares for users
  - firewall config, GPO security baseline
- PCs:
  - licenses, HW support (warranty), HW audit
  - All SW installed, license keys
  - assign user to a device
I will be really grateful for anything others might add.
Thanks, Cheers
Leos
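The "run a network scanner, then check with the customer if he knows the devices" steps from the list above, as an added example that is not part of the original post: it reconciles the live hosts from an Nmap ping scan against the customer's device list. The grepable scan output, the CSV columns (`ip`, `device`, `owner`) and all addresses are constructed samples and assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of grepable output from `nmap -sn -oG - 192.168.10.0/24`.
SCAN_OUTPUT = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.10.1 (gw.example.lan)\tStatus: Up\n"
    "Host: 192.168.10.5 (dc01.example.lan)\tStatus: Up\n"
    "Host: 192.168.10.23 ()\tStatus: Up\n"
    "Host: 192.168.10.40 (mfp.example.lan)\tStatus: Down\n"
    "Host: 192.168.10.77 ()\tStatus: Up\n"
)

# Constructed sample of the device list the customer hands over.
INVENTORY_CSV = """ip,device,owner
192.168.10.1,ISP router,office
192.168.10.5,Server (AD/DNS),office
192.168.10.23,Reception PC,user-a
192.168.10.40,MFP printer,office
192.168.10.60,NAS,office
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def parse_live_hosts(scan_text):
    """Return {ip: hostname} for every host the scan reports as Up."""
    live = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3).lower() == "up":
            ip = str(ipaddress.ip_address(m.group(1)))  # raises on malformed IPs
            live[ip] = m.group(2) or "(no reverse DNS)"
    return live

def load_inventory(csv_text):
    """Return {ip: row} from the customer's CSV (columns: ip, device, owner)."""
    return {str(ipaddress.ip_address(r["ip"].strip())): r
            for r in csv.DictReader(io.StringIO(csv_text))}

def reconcile(live, inventory):
    """Split addresses into confirmed, unknown (live, undocumented) and missing."""
    order = lambda ips: sorted(ips, key=ipaddress.ip_address)
    return {
        "confirmed": order(live.keys() & inventory.keys()),
        "unknown": order(live.keys() - inventory.keys()),
        "missing": order(inventory.keys() - live.keys()),
    }
```

The `unknown` bucket is the list to walk through with the customer; `missing` entries are documented devices that were powered off, moved, or blocked the ping scan.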
-
Mon, Feb 3 2020 at 8:38 pm #1554829
That’s quite a comprehensive list you have there. My guess is that most of your customers will tell you that they must have an Excel sheet with their network documentation somewhere and that they will contact you as soon as they find it. 😉
Seriously, I’d say the questions you need to ask depend very much on the service you provide. Ask only what you really need to know to get the job done. This is your customer, don’t make them work for you.
-
Tue, Feb 4 2020 at 2:28 am #1554841
I can tell you that it is not the case. The people I come in contact with, usually owners of smaller companies, they do take care about every dime they spend. So they usually know what they pay for and to who.
For example, one of the customers has dozens of old CDs and licenses, but when we were looking for the Outlook 2013 license they had on the PC, they claimed to know nothing about it, but two weeks later we found the license bound to the owner's MS account.
I don't want my customer to work for me, but also, I want to provide professional services. If I come to a new door, and I am supposed to sign a contract with that door, I need to ask the customer for the licenses they have, and they need to provide them. Otherwise, it might be the case that they did not obtain them legally and I don't want to have anything in common with such a case. So, they either have the license certificate, or they need to buy a new one.
Maybe my post said “ask customer” multiple times, but in the end it's all about the licenses, access to online services, etc.
-
Tue, Feb 4 2020 at 2:57 am #1554842
I don’t think that you are liable with regard to the licenses. You could also ask if they have stolen all the PCs in their network and demand to see the receipts.
What I meant is, you only need to ask for information that is required for the job. If they hire you to deploy a new web server, you don’t have to run a network scanner. So it really depends…
-
Tue, Feb 4 2020 at 3:11 am #1554843
From a legal perspective, you are right. I can hardly be sued by the government for such misuse. But from a co-operation perspective, the customer will try to point the finger at you/me. I have already experienced this. And for that reason, I want to be covered.
What the topic was about is that I am signing an agreement with a customer to provide him IT services. Not a one-time job. And my goal is to provide top-notch services, with added value, not just deploy something and go away.
-
-
Tue, Feb 4 2020 at 4:33 am #1554844
Here are some various points to add about IT audit:
Data Center
– Check physical security
– Audit access logs
– Air conditioning (if possible with redundancy)
– System for environmental controls (smoke detectors, water, etc.)
– Fire protection system
– Uninterruptible Power Supply (UPS)
– Monitoring of temperature and humidity
Network devices
– Installed printers (local and MFP)
– Access Points
– Voice and video systems
-
Tue, Feb 4 2020 at 4:36 am #1554845
Thanks Paolo, really useful. Anything else in your mind?
cheers
L
-
Tue, Feb 4 2020 at 7:28 am #1554846
For the local network, it can be useful to have a network discovery tool to identify and design the LAN topology, and to have an assessment to identify Access Points, Switches, Routers etc. Consider also auditing the Network Bandwidth Demands.
-
-
-
Fri, Mar 20 2020 at 5:57 am #1555439
Anonymous
Hello Leos,
Your point 2. seems useless to me because you can use one of their machines to do that task and because you are looking at the server later on your list, so you are doing the same job twice. A majority of the time, they have a configuration of one server that does everything, a switch that is most likely not configured and non-manageable, and the ISP router. SMB are rarely investing right off the bat in IT equipment.
Like Michael said, take the information you really need. Having all the hardware and software information will serve what purpose? If I were to take over a company IT department, I’d ask my customer if he has other paid support like Xerox. That helps to draw a line on what’s your responsibility.
Steven
-
Fri, Mar 20 2020 at 8:33 am #1555442
Hello Steven,
well, I like to use my own management machine for such actions as I already have all the needed tools installed. You can't read everything from the server, like devices with fixed IPs (a Wi-Fi antenna, for example), unless you do an IP network scan.
What purpose is there to have a HW/SW inventory? I'd say that is standard information every company should have. Same as you have evidence of your employees, properties, cars, etc. There are some legal things each company has to follow. From a given yearly company $ income you are also obliged to have external auditors. And simply, because I like to do my job properly. If I am supposed to support someone, I need to know that their environment is in a specific condition and that they have legally purchased the software. Why should I support something that was not legally obtained?
If you follow any IT best practices (ITIL, CIS Controls) then HW/SW audit is one of the main points you have to take care about… There are many reasons for that. One might be that you should simply know what software with what versions you have in your environment, so you can react to security threats or update outdated SW versions…
-
Sat, Mar 21 2020 at 12:40 am #1555446
SMB are rarely investing right off the bat in IT equipment.
Well, that's right on one point. On the other hand, the reason is simple. They will tell you that they are SMB, they are not attractive to attacks or whatsoever. But then they do not realize, most of the attacks can come from their own employees. Like an unsatisfied person selling all the data to someone else, because they know nobody is tracking the data movement and no one can ever find out who did it….
BUT – these things are not a matter of cost… You can accomplish such things with your single Windows Server license, if you know how.. 🙂
-
-
Tue, Sep 1 2020 at 9:03 am #1557684
Hi All,
Another thing you might want to know is who has managed the network up to that point and how privacy is managed (e.g. GDPR or similar). Also, understanding if there is a network management system would be useful … (e.g. Total Network Inventory or IT Asset Tool or Observium)