Ultimate Security and Complaince Guide to IT Services for SMEs

Making a change to the way you manage your IT services brings many challenges, as well as benefits. A common challenge is clarifying what your needs are, in other words, knowing what boxes there are for you to tick in the first place.

‘Ready-made’ best practice approaches shed some light on how to align the IT services of a small- to medium-sized enterprise (SME) with business needs. The Information Technology Infrastructure Library (ITIL) and the International Organisation for Standardisation (ISO) provide a set of practices for effective IT service management that are adaptable for the majority of businesses, large or small. The tricky part in any adaptation is knowing how to scale the best practice approach to fit the working culture of an SME: to fit your objectives, your staff and your existing IT services and systems.

The best practice framework for IT service management helps you to clarify your needs and how you will measure your progress towards fulfilling them.

Effective IT service management is essentially made up of the following steps:

1. Analyse the performance of your IT infrastructure

2. Clarify your business requirements, focusing on needs and objectives

3. Plan and deliver IT service management that is focussed on meeting your objectives

4. Measure your progress towards your objectives

5. Review the performance of your IT infrastructure on an ongoing basis to identify any new requirements

The process encourages you to measure and improve your service management continuously to help you align your IT with the changing needs and goals of your business.

How can you adapt this IT service management process for your SME?

People

Of course, you will need some people to manage and implement your IT service. In many cases, small and medium sized businesses cannot justify the cost of employing a Chief Information Officer (CIO) with legal sector experience due to a variety of reasons, including the existing workplace culture, knowledge and skills of staff as well as the motivation to change.

Even if a CIO isn’t exactly what you need, there are ways of adapting your IT service management process so that it fulfils the functions that you require from a CIO. These functions could include:

• Cyber security: Assessment of data security and how vulnerable your business is to cyber crime, as well as cyber risk management.

• Business continuity: Management of your disaster recovery position.
• Cyber resilience: Bringing together the capabilities of cyber security and business continuity in your security strategy, to enable you to respond to cyber attacks quickly while minimising damage to your critical business assets and continuing to operate under attack.

• Compliance: GDPR, assessment of your regulatory compliance position on IT systems or preparing IT systems for a regulatory inspection.

• General IT service management: Alignment of IT infrastructure with your business objectives, risk management, assessment of overall value for money and effectiveness, continual improvement initiatives.

• Systems integration: Planning a new management software implementation, as well as planning a new office or office move.

Your current practices are likely to fulfil some of these functions already, so you can reuse whatever you need from those practices. You might want to consider engaging external support by outsourcing some of your required functions to a managed service provider for IT who could provide a flexible virtual CIO service that complements the skillset of the people you have.

General IT management

Skills gaps and time constraints reduce the amount of resource you can dedicate to IT maintenance and support to help keep your business up and running. To cover the IT support service requirements for your business, you will need to consider which functions to prioritise, which could include:

• 24/7 service desk: do you need the option to liaise with an engineer at any time, or do you need onsite support?

• Network operations centre: how often do you need proactive troubleshooting and fault resolutions?

• Proactive monitoring: does your IT require 24/7 monitoring and alerting? Do you need a fixed remediation time?

• Vendor management: would a technical third party liaison be beneficial?

• Problem management: do you need a resource dedicated to proactively identifying trends and managing underlying problems through to resolution?

• Service reporting: what performance reports do you require?

• System maintenance: what resource do you need to maintain and update your software and hardware to prevent potential future problems, or implement standard changes to IT systems?

• Asset management: what recorded hardware devices do you have that need tracking?

Even though using a Service Level Agreement (SLA) might seem contrary to your ways of working, consider documenting and defining what kind of IT service is expected and who is responsible for delivering different components of the service. For example, you could use your neatly-packaged version of an SLA to state how often service reports are required, what information should be included in the reports, who is responsible for delivering the reports and who should read them. Your version of an SLA will help you to deliver a consistent service of a consistent quality.

Specific technical requirements

To identify your specific technical requirements, like cyber security, cyber resilience and compliance, you’ll need to design a set of measures that cover any policies you may have, technologies, hardware, software, cloud services and training. You also need to consider how you will manage, update and test your technical solutions regularly.

Your technical solutions might need to take the form of:

• Cyber security solutions

• Compliance solutions

• Anti-virus and malware

• Firewalls

• Data loss prevention and encryption

• Security policy management

• Email and messaging threat protection

When identifying what you need to put in place to tick every box for your SME’s IT service management, the key action to take is to adapt standard enterprise IT management processes for your needs.

For more information, see our  free guide to IT Security & Compliance for SMEs