Documentation Best Practices – CompTIA A+ 220-1002 – 4.1

We often spend as much time on documentation as we do on technology. In this video, you’ll learn about the many and varied types of documentation that are commonly required in an information technology role.

<< Previous Video: Troubleshooting Mobile Device Security Next: Change Management >>

Different companies and different organizations have different processes and procedures. For example, a bank is going to have a completely different set of procedures than a trucking company. You’ll also find that different organizations will have different requirements for notifying people when there are outages or when there may be problems with the facilities.

There are also different procedures when an organization needs to test a new version of software and roll that new version of software out with the normal change control. The key to understanding any of these processes and procedures is to have the proper documentation. The centralized documentation allows everyone to be able to review next steps and understand the exact process in place.

Network administrators commonly have documentation that shows the network layout. This would be topology diagrams or network maps that can show you exactly the way a network may be designed. This may be a high level logical view that shows you which devices are connected to which other devices on the network, or it may be something that physically shows the rack where all of these devices happen to reside.

If you’ve ever had to troubleshoot problems from Microsoft or Cisco, then you’ve probably taken advantage of their online knowledge base. They have an extensive knowledge base of problems and solutions, and sometimes there are third parties that might even have a better knowledge base than the manufacturer themselves. Inside of your organization, you can build out your own knowledge base that covers issues that are specific to your organization. That way, if someone calls into the help desk with the same problem, you have some documentation that explains how that problem was resolved last time. These knowledge bases are completely searchable, and usually inputting a help-desk ticket will automatically provide you with some knowledge base articles that might apply to that particular problem.

Security administrators spend a lot of time creating a security policy for the organization. This is documentation that covers every aspect of IT security for the company. The documentation needs to be available for everyone. It’s commonly posted on the intranet, and any employee is able to access that information. Of course, no documentation stays the same. You’re always going to have updates depending on changes in the organization. So it’s very common to have documentation that can be edited online in a wiki type model so that people can make changes quickly and those changes can be seen by everyone in the organization.

Some documentation details processes and procedures you must follow as a point of law. These types of compliance are necessary to understand depending on the type of business that you happen to be in. This is usually a set of rules that is specific to the type of business that you’re in, and it may fall under a larger category for everyone who happens to be in your industry.

Organizations that don’t follow these compliance requirements may find penalties associated with that. These can be monetary penalties or fines. Someone can lose their job for not following these compliance regulations. And in some cases, someone could even be incarcerated. Some of these compliance regulations are specific to a region or a country, and other regulations may be covered worldwide. You need to understand the exact scope of the regulations and how they apply to your organization.

One type of regulation specific to finance is the Public Company Accounting reform and Investor Protection Act of 2002. This is often referred to as the Sarbanes-Oxley Act or the SOX regulations. Another set of regulations would be the Health Insurance Portability and Accountability Act. We often call this the HIPAA regulations. This is often associated with patient records and it’s designed to keep patient information private. And privacy with financial organizations is handled with the regulations from the Graham-Leach-Bliley Act of 1999, or GLBA.

There are also a set of rules that we create for our own organizations that regulate how people use technology. These are acceptable use policies, or AUPs, and they’re usually detailed in an employee handbook or an employee rules of behavior. The acceptable use policies cover how we use technology, so it may be topics such as how telephones are used, mobile devices, the computers on our desks, and the internet access that we use. These AUPs are used by an organization to protect themselves. If someone is dismissed, they can refer back to the AUPs to show a well documented breakdown of why someone was told to leave the organization.

It’s also common to document how passwords will change. In many organizations passwords have to be a certain complexity, and many passwords expire after 30 days, 60 days, or 90 days. In some organizations where data is even more critical, you may find them changing their passwords every 15 days or even faster. If someone is locked out of their account, there needs to be a well-documented process on how they regain access to their account. This should not be a trivial process. The person at the help desk needs to be very aware that the person they’re talking to is really the person who needs access to that particular account.

Sometimes this password recovery process is required because someone tried to use the wrong password over and over again and eventually locked out their account. This commonly occurs with user accounts that are having to type in a user name and remember what their password is. But if this happens with a service account, you may find there are background applications that are running that suddenly you’re not able to operate because they’re not able to log in.

And if someone leaves the organization, a good best practice is to disable their account rather than deleting their account. There may be files and decryption keys associated with that account, so you may want to keep that account around until you’re sure that you have access to the data.

It’s very common for the information technology department to keep track of all of the different technical assets in the organization. There’s usually a tracking system that can track all the switches, the routers, the computers, the monitors, and anything else relating to technology. These records will often document the make and the model of the component, where the component is located, when it was purchased, and other details about that particular component. This is often integrated with financial management software so the organization can properly depreciate the technology that they have purchased. When a device is added to the database, it’s common to add a tag to the device so that you can track that device no matter where it happens to go.