Operations & Administration
Systems inventory, security controls, HR and personnel management.
Systems Inventory
This page lists the technology systems SHHA uses. For each system, we document what it does, who administers it, and how it is accessed.
Items marked TODO need information filled in by someone with direct knowledge of that system.
1. Microsoft 365
Microsoft 365 is SHHA's primary platform for email, mailing lists (Microsoft Groups), shared role mailboxes, and file storage (SharePoint).
| Type | Cloud-based (Microsoft-hosted) |
| Primary admin | Anna (office staff) handles day-to-day membership changes; IT admin handles mailbox permissions and configuration |
| Backup admin | TODO: Identify and document a backup administrator |
| Login | admin.microsoft.com (admin), outlook.com (email), SharePoint links (files) |
| Licensing | Only office staff and IT admin need paid licenses; volunteers are added as external guests at no cost |
2. QuickBooks
Used for SHHA financial accounting.
| Type | Cloud-based |
| Primary admin / user | TODO: Who is the primary user? (Treasurer? Office staff?) |
| Backup | TODO: Is there a backup user with access? |
| Login | TODO: URL and login method |
| Notes | TODO: Version (Online vs Desktop), billing, who pays for the subscription |
3. Membership Database
TODO: Document the membership database system.
| System name | TODO: What system/software is used? |
| Type | TODO: Cloud-based or local? |
| Primary admin | TODO: Is Ryan the primary outside admin? |
| Backup admin | TODO: Is there a backup? |
| Data stored | TODO: What member data is in this system? (names, addresses, dues status, etc.) |
4. Gusto
Used for payroll and employee benefits administration.
| Type | Cloud-based |
| Primary admin | TODO: Who manages Gusto? (Office manager? Treasurer?) |
| Backup | TODO: Is there a backup admin? |
| Login | app.gusto.com |
| Notes | TODO: How many employees are on payroll? Billing responsibility? |
5. SHHA Website
The public-facing website at sandiahomeowners.org.
| Type | TODO: What platform/CMS runs the website? (WordPress, Squarespace, custom?) |
| Hosting | TODO: Where is it hosted? Cloud-based? |
| Primary owner | TODO: Who manages content updates? |
| Backup owner | TODO: Is there a backup person? |
| Outside consultant | TODO: Is there a web consultant? If so, who? How are they paid? |
| Login | TODO: Admin URL and login method |
6. GRIT Newsletter
The GRIT is SHHA's community newsletter, currently produced monthly.
| Production tool | TODO: What software is used for layout? (InDesign, Canva, Google Docs, etc.) |
| Distribution method | TODO: Print, email, or both? |
| Editor / layout person | TODO: Who currently does layout and editing? |
| Gmail account | shhagrit@gmail.com — TODO: document what this Gmail is used for (submissions? Google Drive access? legacy?) |
| Related page | See the GRIT Layout Monthly Guide in the Specialty Topics chapter for the step-by-step production process |
7. Square
Used for Sandia Tram ticket sales and advertising payments.
| Type | Cloud-based |
| Primary user | TODO: Who manages Square transactions? |
| Backup | TODO: Is there a backup? |
| Login | squareup.com |
| Notes | TODO: What specific transactions go through Square? Revenue amounts? |
8. Other Systems
TODO: Are there additional systems not listed above? Examples might include:
- Bulk email / email blast service (Mailchimp, Constant Contact, etc.)
- Google Workspace (shared Google Calendar for Board reminders uses Gmail — is there a full Google account?)
- Domain registrar for sandiahomeowners.org — TODO: who manages DNS and domain renewal?
- Any other SaaS tools or vendor portals
Controls & Security
This page documents access controls, cybersecurity practices, and data backup procedures for SHHA systems.
Items marked TODO need information filled in. These questions originated from Andrea's controls review.
Access Controls — Who Has Access to What?
Microsoft 365 Admin Access
| Global Administrator | TODO: Who currently has Global Admin access? (There should be a primary and a backup.) |
| User / Group management | Anna (office staff) manages day-to-day membership changes. IT admin handles mailbox permissions. |
| Who manages access? | TODO: Is there a documented process for granting/revoking admin access? Who approves changes? |
Other System Access
| System | Primary Access | Backup Access |
|---|---|---|
| QuickBooks | TODO | TODO |
| Membership Database | TODO | TODO |
| Gusto (Payroll) | TODO | TODO |
| SHHA Website (admin) | TODO | TODO |
| Square | TODO | TODO |
| Domain registrar | TODO | TODO |
| Google accounts | TODO | TODO |
Cybersecurity
Current Practices
- TODO: Do we enforce multi-factor authentication (MFA) for Microsoft 365 admin accounts?
- TODO: Do we enforce MFA for all licensed users?
- TODO: How do we handle password policies? (complexity requirements, rotation schedule)
- TODO: Is there an incident response plan if an account is compromised?
- TODO: Do we have phishing awareness guidelines for staff and volunteers?
Data Access
- TODO: How do we manage overall data access security? (e.g., conditional access policies, device restrictions)
- TODO: Are there any data classification policies (confidential vs. public)?
- TODO: How is sensitive financial data protected? (QuickBooks access, payroll data in Gusto)
Data Backup
Cloud-Based Systems
Most SHHA data resides in cloud services. Each provider has its own backup/redundancy:
| System | Backup Approach |
|---|---|
| Microsoft 365 (email, SharePoint) | Microsoft provides built-in redundancy and retention policies. TODO: Do we have a separate backup solution (e.g., third-party M365 backup)? What are our retention policy settings? |
| QuickBooks Online | Intuit maintains backups. TODO: Do we also export periodic backups locally? |
| Gusto | Gusto maintains payroll records. TODO: Do we keep local copies of payroll reports? |
| SHHA Website | TODO: Who backs up the website? How often? Where are backups stored? |
| Membership Database | TODO: How is the membership database backed up? |
Local Data
- TODO: Is any critical data stored only on local computers (office PCs) and not in the cloud?
- TODO: If so, how is that data backed up?
Other Security Considerations
- TODO: Do we have cyber liability insurance?
- TODO: When was the last security review or audit of our systems?
- TODO: Are there any compliance requirements (e.g., state HOA data retention laws)?
HR & Personnel Management
This page covers staff management, outside consultants, and volunteer administration. Much of this is non-IT operational information.
Items marked TODO need information from someone with direct knowledge (e.g., Jim Stewart, current President, or office manager).
Staff Management
Current Staff
TODO: List current office staff positions and names (e.g., Office Manager, Administrative Assistant).
Evaluation & Compensation
| Who gives yearly evaluations? | TODO: (President? Executive Committee? Office manager for junior staff?) |
| Who sets salaries? | TODO: (Board approval required? Budget process?) |
| Where are salary and benefits records? | TODO: (Gusto? QuickBooks? Paper files?) |
Hiring
| Who hires new staff? | TODO: (President? Executive Committee? Board vote?) |
| What is the hiring process? | TODO: (Job posting, interviews, background check, Board approval?) |
Work Priorities & Training
| Who assigns work priorities? | TODO: (President? Office manager self-directs?) |
| Who trains new staff? | TODO: (Outgoing staff? Office manager? Written procedures?) |
| President's specific role | TODO: Does the President have a defined role in day-to-day staff management, or is it delegated? |
Outside Consultants
TODO: Document each outside consultant or contracted service provider.
Legal Counsel
| Firm / attorney name | TODO |
| Compensation | TODO: Hourly, per project, or retainer? |
| Who oversees / approves work? | TODO: (President? Board?) |
| Who manages expenditure rate? | TODO |
Web Consultant
| Consultant name / firm | TODO |
| Compensation | TODO: Hourly, per project, or retainer? |
| Who oversees / approves work? | TODO |
| Scope of work | TODO: Website maintenance? Design? Both? |
Other Consultants
TODO: Are there other outside consultants (accounting/audit, landscaping, etc.)? List them here.
Volunteer Management
Adding Volunteers to Committees
| Who appoints committee members? | TODO: President? Committee chair? Both? (Refer to SHHA Bylaws for the formal process.) |
| Process | TODO: Document the step-by-step process for adding a new volunteer (nomination → approval → IT setup) |
| IT setup when adding | Committee chair notifies office staff → staff sends Microsoft invitation → volunteer accepts → staff adds to mailing list. See the Quick Start for New Volunteers page. |
Removing Volunteers from Committees
| Process | TODO: Who initiates removal? (Chair? Volunteer self-removal? Board?) |
| IT cleanup | Office staff removes from mailing list; IT removes SharePoint and mailbox access if applicable. |
Replacing a Committee Chair
| Process | TODO: (Refer to Bylaws — link needed.) Who nominates the new chair? Board approval required? |
| IT transition | Shared role mailbox access is transferred (revoke outgoing, grant incoming). See the FAQ section on email transitions. |
Insurance
| E&O (Errors & Omissions) insurance | TODO: Do we have E&O coverage? What does it cover? Policy details? |
| General liability insurance | TODO: Coverage details? Does it extend to volunteers? |
| D&O (Directors & Officers) | TODO: Do we have D&O insurance? |
| Cyber liability | TODO: Do we have cyber liability coverage? |
| Insurance broker / carrier | TODO: Company name and contact |