COVID-19: Checklist for your IT

The Federal Government has adopted strong measures in the struggle against the coronavirus. You should check the following points to ensure that your IT is always operational when offices are closed, travelling is restricted etc.

1. Replacement regulations: In order to maintain control of all IT-based processes it is mandatory to always have access to all systems and data. For this purpose, the access control concepts and replacement regulations should be checked and adjusted if necessary. This relates to SAP key users, server administrators and the persons responsible for financial accounting, payment approval, and the internal control tool. For delegation of authority two or if possible three persons should be assigned to each function.
   
   
2. Task force: Quick and coordinated decisions are vital in a crisis. Consequently, a crisis team acting across all departments should be appointed, as the interests of the entire business must be safeguarded. The task force should be flexibly accessible and communicate at regular intervals in order to be able to respond appropriately to the volatile situation. For this purpose, it should be equipped with the necessary authorities for taking decisions quickly.
   
   
3. "Holiday ban" periods for central functions in companies are absolutely necessary, even if it is not always easy to communicate this. It must be ensured at all times that all departments are and remain equipped with the basic know-how.
   
   
4. Firefighter accounts: A last protection against the failure of the authorisation and replacement concept are "firefighter" accounts, which are equipped with clearly defined, but extended rights in case of emergency. For security reasons, the passwords for such accounts should be shared among several employees. For example, four employees could be given access to the accounts and the passwords, with at least two authentications always being required to use them. Ideally, such "firefighter" accounts should also have a secure remote access option for emergencies.
   
   
5. Internet connectivity: Increased working from home presents several challenges to the infrastructure of a company. Its basis is a stable Internet connection. It must be checked here whether the capacity of company's current Internet connection is sufficient for the many external accesses by the employees working from home or whether an extension of the bandwidth is necessary.
   
   
6. VPN capacity: For exploiting the full potential of the Internet connection it must be ensured that sufficient VPN connections - i.e. external connections to the company network - are available. Normally, the number of connections is rather small compared with the entire staff, as only a few employees work from home. However, remote workplaces for an extended group of people require immediate action. An essential and simple method to save the capacity of the VPN is to inform the employees how to use the VPN access correctly to ensure that it is only used when it is really needed. What should be checked in any case is whether the infrastructure permits a sufficient number of connections and data throughput.
   
   
7. Telephone lines: Without direct contact in the office, telephone calls between employees will be more frequent. Here it is necessary to check whether enough telephone lines are available. If not, their number must be increased or employees must be encouraged to switch to mobile phones. A sensible measure to prevent telephone system overload is more communication of employees with teams using web conferences or other communication solutions. In some cases it may be advisable to equip only secretariats with the relevant licenses and have them organise such conferences centrally. 
   
   
8. Laptops and remote access: A condition for everything described in the preceding points is that there are mobile devices for all essential employees which were or can be distributed to them. Where there are not enough laptops, employees may be provided with special working environments that they can use from their private devices. If such remote access is used, the BYOD ("Bring-your-own-device") policy should be reviewed and, if necessary, adapted to the state of emergency. It should also be ensured that only secure solutions such as Citrix are used.
   
   
9. Equipment testing: As long as no shutdown has been announced, the testing of the employees' software and hardware for working from home is recommended. Various questions need to be clarified in this context, such as: Is the technology ready for use? Are the employees sufficiently trained to use the (new) technology from home?
   
   
10. Video conferencing: For communication between the individual local offices of the company or with customers or business partners, video conferencing is an appropriate means for maintaining personal contact. This form of communication must be taken into account when checking the Internet connection, as it requires a lot of bandwidth. The right equipment (software and hardware) and suitable rooms must also be provided.
    
    
11. Access control: In the event of a shutdown or if the usability of the company's own premises is severely restricted, it is important to ensure that the persons authorised to access the premises are checked. It should be verified that there is a central locking system which permits that individual employees are given access while denying it to others.
    
    
12. Incoming mail: Mail must still be collected and forwarded. Since it is not very practical to forward mail directly to the home address, a process involving the scanning of documents and the subsequent exchange of data should be defined here. Both data protection and the secrecy of correspondence must be observed. Frequently, it is also not possible to use the e-mail system, as it may not be able to process such huge quantities of data. Secure file exchange platforms or data rooms are a good option here.
    
    
13. Printing: The same is true for the mail to be sent. Are there any documents that absolutely must be printed out? Is a signature required on the document? If it is not possible to use electronic signatures, a process must be set up to ensure that the documents are processed. Please note that the introduction of digital signatures is relatively easy for individual employees, but their introduction in a company requires a considerable lead time, especially when using electronic workflows.
    
    
14. Stockpiling: It is advisable to keep adequate quantities of essential hardware components, as manufacturers' supply chains might only work to a limited extent or break down completely. All hardware components necessary for daily work should be taken into account (laptops, headsets, hard drives, etc.).
    
    
15. Maintenance work: Carry out scheduled maintenance and hardware replacement earlier whenever possible in order to be well prepared for shutdowns, as then any necessary maintenance is no longer possible.
    
    
16. Communication to employees: Communicate the planned steps to your employees as early as possible to prevent uncertainties. If you introduce new processes or technology, you should provide instructions to employees.