One thing's for sure, there are many choices when it comes to hardware, software and everything in between. How can you know if you have the right infrastructure for moving forward? Many organizations have an IT Assessment done as their organizations grow to determine the best strategic plan for moving forward.

1. Thrive. Grow. Achieve.
De-Mystifying the
IT Assessment
Nate Solloway
May 11, 2016

2. WHAT’S ON TAP?
• What we do
• Why do an IT Assessment?
• Is this a threat to my IT Staff?
• Procedure
• Network Infrastructure
• Network Security
• Disaster Recovery
• What’s New?
• IT Budget Review
2

3. WHY DO AN ASSESSMENT?
3

4. WHY? PLANNING FOR THE FUTURE
• IS IT TIME FOR UPGRADES?
• PREPARING FOR AN RFP
• TIME TO INTRODUCE NEW TECHNOLOGY
• IMPROVE BUSINESS PROCESSES
• PCI OR HIPPA COMPLIANCE
• SEEKING CYBER-INSURANCE
4

5. WHY? WAS THERE A PROBLEM?
• WAS THERE A SERVER OUTAGE?
• AN AUDIT IS COMING UP
• STAFF NEED ASSESSING OR THERE IS POTENTIAL LOSS OF STAFF
• RECURRING ISSUES
• SECURITY CONCERNS
5

6. ITEMS FOR REVIEW
• STAFF
• TECHNOLOGY
• INFRASTRUCTURE
• POLICIES, PROCEDURES AND PRIVACY
• PLANNING FOR A MOVE?
• SOFTWARE , AMS
• IT PLANNING FOR THE NEXT FEW YEARS
6

7. WHAT ABOUT MY IT STAFF?
7

8. COACHES NOT ADVERSARIES
8

9. LOOKING FOR AN ASSET MANAGER, NOT
A STOCK BROKER
• THEY ARE PART OF YOUR TEAM
• EXPERIENCES FROM OTHER SIMILAR ORGANIZATIONS
• TRAINING RECOMMENDATIONS
• IN-HOUSE OR THE CLOUD?
9

10. HOW DOES THE PROCESS WORK - IT
INFRASTRUCTURE ASSESSMENT?
Raffa Assessment Methodology
IT Structure Analysis
- Perform Interviews with key stakeholders
- Identify current/future IT needs in line with your vision
- Review current system architecture
- Review current servers and storage hardware configurations
- Review network configurations and their capacities

11. IT INFRASTRUCTURE ANALYSIS
Review domain configurations
Review enterprise back-office components and their
configurations
Review existing security requirements and compliance
Review disaster recovery requirements and strategies
including existing data backup/restore mechanisms, hardware,
software
Review current Total Cost of Ownership (TCO)

12. WHO AM I CONNECTED TO?
12
My
Network
Hosting
VOIP
Managed
Services

13. DOES YOUR NETWORK LOOK LIKE THIS?
13

14. OR THIS?
14

15. EVERYONE HAS SOMETHING TO
PROTECT
• Intellectual Property
• Human Resources Information
• Your Financial Data
• Your Customer Databases
• Your Customer’s Data
• Marketing and Sales Data
It’s not Just About
compliance with
state and federal
regulations.
It’s about
protecting your
company, your
employees and
your customers
Is it time for a Security and Compliance Assessment?
Financial
Healthcare Legal
Professional Services

16. WHAT ARE OUR DATA CONCERNS?
• UNAUTHORIZED ACCESS
• CONCERNS WITH IN-HOUSE STAFF
• EXTERNAL THREATS
• PRIVACY AUDIT
16

17. SECURITY CONSIDERATIONS AND
ACTIONS
Strong password
policy is the first
line of defense
against a data
breach
STRONG PASSWORD POLICIES
Benefit: Strong password policies help to reduce the risk of a breach. Policies should also
provide guidance to reduce the risk of human error breaches. Strong passwords should meet
these standards at a minimum:
• Lower case characters
• Upper case characters
• Numbers
• "Special characters"(@#$%^&*()_+|~-=`{}[]:";'<>/)
• Contain at least 12 but preferably 15 characters.
Is it Time for a Security and Compliance Assessment?

18. COMPLIANCE DEFINITIONS
Definitions are
generally accepted
by most states
However,
exceptions do
exist on a state by
state basis
Personal Information: An individual’s first name or first initial and last name plus
one or more of the following data elements:
1. Social Security number,
2. Driver’s license number or state- issued ID card number
3. Account number, credit card number or debit card number combined with any
security code, access code, PIN or password needed to access an account and
generally applies to computerized data that includes personal information.
Personal Information shall not include publicly available information that is lawfully
made available to the general public from federal, state or local government
records, or widely distributed media. In addition, Personal Information shall not
include publicly available information that is lawfully made available to the general
public from federal, state, or local government records.
Breach of Security: The unlawful and unauthorized acquisition of personal
information that compromises the security, confidentiality, or integrity of personal
information.
DEFINITIONS
Is it Time for a Security and Compliance Assessment?

19. FEDERAL, STATE & PRIVATE
REQUIREMENTS
It is important to
understand that
these laws don’t
only apply to
health and
financial
institutions.
HIPAA: Health Insurance Portability and Accountability Act, a US law designed to
provide privacy standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and other health care providers.
Developed by the Department of Health and Human Services, these new standards
provide patients with access to their medical records and more control over how their
personal health information is used and disclosed. They represent a uniform, federal floor
of privacy protections for consumers across the country. State laws providing additional
protections to consumers are not affected by this new rule.
The Gramm-Leach-Bliley Act: (GLB Act or GLBA), is a federal law enacted to control
the ways that financial institutions deal with the private information of individuals. The Act
consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and disclosure of private
financial information
2. The Safeguards Rule, which stipulates that financial institutions must implement
security programs to protect such information
3. The Pretexting provisions, which prohibit the practice of pretexting (accessing private
information using false pretenses).
The Act also requires financial institutions to give customers written privacy notices that
explain their information-sharing practices.
Is it Time for a Security and Compliance Assessment?

20. FEDERAL, STATE & PRIVATE
REQUIREMENTS
The Payment Card
Industry Council
established rules
governing how
credit card data
would be secured
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard
that all organizations, including online retailers, must follow when storing, processing and
transmitting their customer's credit card data.
The Data Security Standard (DSS) was developed and the standard is maintained by
The Payment Card Industry Security Standards Council (PCI SSC). To be PCI complaint
companies must use a firewall between wireless networks and their cardholder data environment,
use the latest security and authentication such as WPA/WPA2 and also change default settings for
wired privacy keys, and use a network intrusion detection system.
The PCI DSS standard, as of September 2009 (DSS v 1.2), includes 12 requirements for best
security practices
PRIVATE REQUIREMENTS
Payment Card Industry (PCI) Data Security Standard (DSS)
Is it Time for a Security and Compliance Assessment?

21. SECURITY CONSIDERATIONS AND
ACTIONS
Security is as
much about
people and good
process and well
documented policy
as it is about your
IT infrastructure
PROCESS AND PEOPLE MANAGEMENT

22. DISASTER RECOVERY
22

23. 23

24. ARE YOU BEING SERVED?
24

25. IT BUDGET REVIEW
25

26. QUESTIONS?
26