ACELA IT & Security Risk Scorecard
How Much IT Risk Is Hiding in Your Business?
Take this 3-minute scorecard to assess your exposure to downtime, security gaps, backup uncertainty, poor documentation, and reactive IT support.
Most businesses are not dealing with just one IT problem. They are dealing with a mix of recurring support issues, weak documentation, inconsistent security controls, unclear backup outcomes, and too much dependence on whoever “just knows how things are set up.”
The ACELA IT & Security Risk Scorecard helps you quickly identify where your biggest risks may be hiding—across support, security, Microsoft 365, backups, vendor access, and operational discipline.
What You’ll Get
- A simple overall risk score
- A category-by-category breakdown
- Clear signs of where your environment may be exposed
- An option to review the results with ACELA
This is not a generic cyber quiz
Most “free assessments” ask a few broad questions about antivirus and passwords, then push you into a sales call.
This scorecard goes deeper into the things that actually create business risk:
- recurring issues that never get fixed at the root,
- missing documentation,
- weak onboarding and offboarding,
- unmanaged vendor access,
- Microsoft 365 misconfiguration,
- backup assumptions that have never been tested,
- and network decisions that make support and security harder than they should be.
That is where operational risk usually starts.
Instructions
Use four answer choices for every question:
- Yes, consistently
- Mostly
- Not sure
- No
Score them:
- Yes, consistently = 3
- Mostly = 2
- Not sure = 1
- No = 0
Support & Accountability
If support feels random, the environment usually is. ACELA’s model includes documented support intake, defined SLA handling, knowledge-base discipline, and clear ticket workflows instead of ad hoc technician behavior.
Questions
- Do your employees have a clear, consistent way to request IT support?
- Are support issues tracked through a formal ticketing process rather than emails, texts, or hallway conversations?
- Do you have defined expectations for response times and resolution targets?
- Do the same IT problems get fixed at the root, instead of coming back again and again?
Why this category matters
Weak support processes create slow response, finger-pointing, and repeat issues. Strong support should feel accountable and predictable.
Documentation & Operational Discipline
This is where ACELA should hit harder than competitors. Your process document is explicit that ACELA documents onboarding, offboarding, KBs, LOB software procedures, relationship notes, passwords, and client context so the environment is supportable by the team, not just one person.
Questions
- Could a qualified IT provider step into your environment without depending on one person’s memory?
- Are your key systems, admin accounts, vendors, and support procedures documented in an organized way?
- Do you have a documented process for employee onboarding and offboarding?
- When new systems, software, or vendors are added, are those changes documented and folded into ongoing support?
Why this category matters
A lot of businesses think they have IT documentation when they really have scattered notes and tribal knowledge. That becomes painful during outages, staffing changes, provider transitions, and audits.
Microsoft 365 & Identity Security
This is a strong ACELA differentiator. You use CIPP standards, GDAP, conditional access, MFA enforcement, bespoke admin accounts, user monitoring, blocked app registration, SSPR, and Intune as a standard management layer. Most smaller MSPs are not that disciplined in Microsoft 365.
Questions
- Is multi-factor authentication enforced for all Microsoft 365 users and all administrative accounts?
- Do you know exactly who has administrative access to Microsoft 365 today?
- Are former employees and old accounts disabled or removed promptly and consistently?
- Are Microsoft 365 security settings, tenant policies, and access controls reviewed against a standard instead of left as-is?
Why this category matters
A lot of risk in SMB environments lives inside Microsoft 365, especially around identity, admin access, stale accounts, and inconsistent policy settings.
Backup & Business Continuity
This should be one of the strongest sections because most competitors say “we back it up” and stop there. ACELA’s actual process is much more serious: 3-2-1 backup design, Veeam and SaaS backup use, cloud copies, retention rules, immutability where appropriate, alerting into Halo, validation checks, quarterly/annual checks, and guarded restoration processes.
Questions
- Are you confident your critical systems and data could actually be restored after a ransomware event, outage, or major mistake?
- Have your backups been tested or meaningfully validated within the last 12 months?
- Do you know what data is backed up, how long it is retained, and where the gaps are?
- Do you have a practical plan for how the business would continue operating during a major IT disruption?
Why this category matters
Backup exists in many environments. Restorable, monitored, understood backup is much rarer.
Vendor Access & Third-Party Risk
This is a real differentiator. ACELA’s process explicitly says vendors do not get unfettered access, unmanaged remote tools are blocked, vendor work is supervised, and access is controlled through managed accounts and MFA. That is unusually strong for SMB IT support.
Questions
- Do you know which software vendors, IT providers, or third parties currently have access to your systems?
- Is vendor access controlled through managed accounts and auditable methods, rather than whatever remote tool the vendor prefers?
- Are old vendor accounts, remote access tools, and one-off exceptions reviewed and cleaned up over time?
- When a vendor wants security controls weakened to “make something work,” does someone qualified review and approve that risk?
Why this category matters
A lot of SMB environments quietly accumulate unmanaged vendor access, outdated tools, and security exceptions no one remembers approving.
Network Security & Standardization
Another good place to separate from generic MSPs. ACELA standardizes network design where possible, uses segmentation, blocks inbound by default, avoids public RDP, isolates OT/ICS and IoT where needed, and pushes toward cloud-managed infrastructure that is easier to support and secure.
Questions
- Is your network designed and segmented intentionally, rather than grown organically over time?
- Are non-managed devices, guest devices, IoT, or operational equipment separated from core business systems where appropriate?
- Are firewall rules and remote access methods reviewed with security in mind, rather than left in place indefinitely?
- Are you avoiding risky shortcuts like exposed RDP, uncontrolled inbound access, or open-ended vendor tunnels?
Why this category matters
A surprising amount of business risk comes from network shortcuts that seemed harmless when they were added.
Want your full score and category breakdown?
With ACELA, you can expect...
Custom Designed Solutions
Based on best practices
Technology + Business Acumen
Full IT Services
End-to-end management
ACELA Managed Systems becomes a virtual extension of our clients’ businesses, helping them develop and maintain a technology strategy that aligns with their business needs and goals.