Otto background

IT Environment Assessments: 5 Steps to Reduce Vulnerabilities and Drive Strategic Value

IT departments have the difficult task of incorporating technologies and building capabilities to align with the greater needs of their organization. As business requirements change (like we saw with the COVID-19 pandemic), IT teams must adopt and adapt new technologies to support the business’ strategy.

Because of this continuous evolution, and with a particularly demanding barrage of recent challenges and threats, having regular and consistent visibility into your IT environment is critical to maintain organizational productivity and security. The best way for IT to achieve visibility and alignment with the business is through an IT environment assessment.

What is an IT environment assessment?

An IT environment assessment is a practice used to discover and document an organization’s IT capabilities and potential cyber vulnerabilities. It provides needed visibility into the IT infrastructure so that IT teams can respond to business needs and external threats.

How to conduct an IT environment assessment?

A standard best practice for conducting your IT assessment checklist is to investigate and ultimately account for the 3 E’s (Environments, Endpoints, and Equipment):

1.  Environments:

  • Brick & Mortar Environment
    Brick & mortar is any type of environment where you manage the hardware for the infrastructure. This type of environment can range from a building owned by your business or a separate data center. Even cloud solutions live somewhere and it’s important to consider the physical aspects of hosting.
  • Cloud Environment
    Cloud environments are solutions where hardware, software, and the surrounding infrastructure are not your responsibility. Reference SaaS, PaaS, or any “as a Service”-labeled product.
  • Co-location (Colo) Environment
    If your business needs to have its own servers, but doesn't have the space/facilities to host them or wants to take advantage of the benefits of a colo provider, you’re likely renting a space on a rack in a data center and sharing space with other businesses.

Depending on the environment, you’ll likely want to account for:

  • Physical security (perimeter, building access, locking mechanism, alarms, video, interior partitions)
  • Logical security (firewalls, traffic monitoring and analysis)
  • Network circuits (WAN and last mile redundancy)
  • Power continuity (access to grid, off grid power capability and type, power failover)
  • Physical access (policies including hours and security to installed hardware)
  • Technical resources (on-site technical expertise if using a 3rd party provider)
  • Business viability (financial health of provider if other than your business)

2.  Endpoints

  • User devices such as desktop and notebook computers
  • File servers, database servers, and content servers
  • Kubernetes (K8s)
  • Hypervisors and virtual machines (VMs)
  • Other endpoints like tablets and VoIP handsets

3.  Equipment

  • Networking devices including routers, switches, VPN appliances
  • Power and battery backup systems
  • HVAC systems
  • Other equipment like copiers, multifunction printers, and video security systems

The steps you choose to perform in your IT assessment will greatly depend on these factors, which are often tied to your organization’s size and maturity. There are two main organizational structures that generally influence IT infrastructure: 1) the enterprise, and 2) small and mid-size businesses (SMBs).

Enterprise IT

  • Generally has wide diversity in environments, endpoints, and equipment
  • Large IT team with many moving parts
  • Dedicated teams/staff to support each part of the infrastructure
  • Assessments have a structured cadence and frequency
  • Substantial controls in place for prevention of incidents


  • Generally has more limited diversity in environments, endpoints, and equipment
  • Fewer feature-rich tools and capabilities
  • Smaller team dedicated to supporting infrastructure; duties are often shared and the team (or individual) may be spread thin
  • Assessments generally happen ad-hoc in response to incidents
  • Often relies upon 3rd party or outsourced vendor for assessment projects

Depending on your organization’s environment(s) and size, you can mix and match procedures to fit your capacity and business needs. The process list shared below is an example for you to build on based on unique considerations in your own environments and processes you may have already built yourself.

How to assess your IT environment

1.  Inventory all physical and virtual servers

  • List the names and functions of servers.
  • Note any relationships servers have to another/any business functions (application server, middleware server, and database server).

2.  Inventory all endpoints

  • List names and assigned users for every endpoint.
  • Include asset tags, date purchased, type and version of operating system.

3.  Inventory all cloud services

Note: It’s important to define which business unit is the “owner” of the service, and then work with the owner to align the service with company policies. Your IT team doesn’t have to “own” everything, but instead should enable the business to maintain compliance via support and education provided by you.

  • List product names, internal point of contact (POC), emergency POC, and vendor contact info.

4. Inventory office and datacenter locations

  • List other locations where employees work including leased or coworking spaces, and any related equipment at those locations such as network gear, servers, etc.

5.  Assess, review, and develop an action plan

With the above information collected, you can begin assessing the capabilities of your technology and where changes may need to be made. In your review, be sure to also include organizational material that outlines business policies, processes, and procedures so that you have a thorough understanding of how work is performed in order to make appropriate recommendations.

  • Identify overlap. Overlap is when multiple servers, services, or devices are used to perform the same task/service for the business.
  • Identify underlap. The opposite of overlap, is recognizing where applications can do something to cover a need, but aren’t being used correctly or to the fullest.
  • Identify potential vulnerabilities. With the full picture of your IT environment, you can work collaboratively with your SecOps team to identify security gaps or weaknesses.
  • Perform a gap analysis. Compare assessed capabilities with desired business requirements for an ideal “future state.”
  • Prioritize gaps. Decide on what to tackle first according to the item’s importance to the business and technical and process maturity.
  • Create an action plan for success. To better transform IT to align to the business requirements, create a plan with key deliverables, deadlines, and parties responsible.

Key things to look for when doing your IT environment assessment

As you inventory your IT environment, you’ll want to keep an eye out for:

  • Outdated software versions
  • Unauthorized software
  • Unauthorized personal devices connected to the network
  • Odd behavior such as unusual network traffic over switches, spiking CPU usage, or odd login events
  • Cross-checking firmware with recent security bulletins  

How often should I do an IT environment assessment?

Continual monitoring and documentation is crucial to the ease of any assessment cadence. Assessments should be performed at regular cadences depending on the nature of the assessment, the size of your organization, the environments being evaluated, and your organization’s risk tolerance (weekly, monthly, quarterly, and/or annually depending on these factors).

An IT environment assessment may also be required with a change of business direction or strategy, or new leadership. Major events such as an acquisition are also immediate triggers for conducting an IT assessment.

Why IT environment assessments are important

As businesses grow and work environments continue to change, IT needs to be a proactive partner in developing solutions for new challenges. IT teams cannot contribute to these discussions if they can’t articulate and demonstrate awareness of what the business can and can’t do from technical and process capability perspectives.

Cyber security and vulnerability management cannot be overlooked either. As supply chain attacks continue to become more prevalent, it’s more important than ever for IT to provide the business with the visibility needed to assess its vulnerability to cyber attacks. Knowing which services and applications the business runs on is vital to this discussion.

Ready to get started? Here’s what to prioritize.

Whether you already have some components of an assessment process in place or are starting from scratch, you can begin with these key components:

  • Know your environment. Maintain a baseline document that includes everything that makes your business run under the 3 E’s.  Every organization should have a baseline that can be updated whenever something new is added or tied into their environment.
  • Communicate with your teams. Find out what each team oversees in terms of endpoints and equipment. Assessments don’t just fall on the shoulders of IT; instead they are a substantial and strategic undertaking by an organization and require practice, collaboration, and thorough documentation to eventually become routine.
  • Prioritize around standard severity as well as current events.  Assessments can reveal anything from trivial issues to end-of-life (EoL) servers that are wildly out of date, no longer supported, and exposed to dangerous vulnerabilities. It’s up to your team to decide what your top adjustments are while going through the process. Use sources like common vulnerabilities and exposures (CVE) lists and current events as justification to nudge initiatives to the top of your organization’s priority list.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.