# Operations & Administration Systems inventory, security controls, HR and personnel management. # Systems Inventory This page lists the technology systems SHHA uses. For each system, we document what it does, who administers it, and how it is accessed. *Items marked **TODO** need information filled in by someone with direct knowledge of that system.* ## 1. Microsoft 365 Microsoft 365 is SHHA's primary platform for email, mailing lists (Microsoft Groups), shared role mailboxes, and file storage (SharePoint).
**Type**Cloud-based (Microsoft-hosted)
**Primary admin**Anna (office staff) handles day-to-day membership changes; IT admin handles mailbox permissions and configuration
**Backup admin****TODO:** Identify and document a backup administrator
**Login**[admin.microsoft.com](https://admin.microsoft.com) (admin), [outlook.com](https://outlook.com) (email), SharePoint links (files)
**Licensing**Only office staff and IT admin need paid licenses; volunteers are free external guests
## 2. QuickBooks Used for SHHA financial accounting.
**Type**Cloud-based
**Primary admin / user****TODO:** Who is the primary user? (Treasurer? Office staff?)
**Backup****TODO:** Is there a backup user with access?
**Login****TODO:** URL and login method
**Notes****TODO:** Version (Online vs Desktop), billing, who pays for the subscription
## 3. Membership Database **TODO:** Document the membership database system.
**System name****TODO:** What system/software is used?
**Type****TODO:** Cloud-based or local?
**Primary admin****TODO:** Is Ryan the primary outside admin?
**Backup admin****TODO:** Is there a backup?
**Data stored****TODO:** What member data is in this system? (names, addresses, dues status, etc.)
## 4. Gusto Used for payroll and employee benefits administration.
**Type**Cloud-based
**Primary admin****TODO:** Who manages Gusto? (Office manager? Treasurer?)
**Backup****TODO:** Is there a backup admin?
**Login**[app.gusto.com](https://app.gusto.com)
**Notes****TODO:** How many employees are on payroll? Billing responsibility?
## 5. SHHA Website The public-facing website at [sandiahomeowners.org](https://sandiahomeowners.org).
**Type****TODO:** What platform/CMS runs the website? (WordPress, Squarespace, custom?)
**Hosting****TODO:** Where is it hosted? Cloud-based?
**Primary owner****TODO:** Who manages content updates?
**Backup owner****TODO:** Is there a backup person?
**Outside consultant****TODO:** Is there a web consultant? If so, who? How are they paid?
**Login****TODO:** Admin URL and login method
## 6. GRIT Newsletter The GRIT is SHHA's community newsletter, currently produced monthly.
**Production tool****TODO:** What software is used for layout? (InDesign, Canva, Google Docs, etc.)
**Distribution method****TODO:** Print, email, or both?
**Editor / layout person****TODO:** Who currently does layout and editing?
**Gmail account**shhagrit@gmail.com — **TODO:** document what this Gmail is used for (submissions? Google Drive access? legacy?)
**Related page**See the *GRIT Layout Monthly Guide* in the Specialty Topics chapter for the step-by-step production process
## 7. Square Used for Sandia Tram ticket sales and advertising payments.
**Type**Cloud-based
**Primary user****TODO:** Who manages Square transactions?
**Backup****TODO:** Is there a backup?
**Login**[squareup.com](https://squareup.com)
**Notes****TODO:** What specific transactions go through Square? Revenue amounts?
## 8. Other Systems **TODO:** Are there additional systems not listed above? Examples might include: - Bulk email / email blast service (Mailchimp, Constant Contact, etc.) - Google Workspace (shared Google Calendar for Board reminders uses Gmail — is there a full Google account?) - Domain registrar for sandiahomeowners.org — **TODO:** who manages DNS and domain renewal? - Any other SaaS tools or vendor portals # Controls & Security This page documents access controls, cybersecurity practices, and data backup procedures for SHHA systems. *Items marked **TODO** need information filled in. These questions originated from Andrea's controls review.* ## Access Controls — Who Has Access to What? ### Microsoft 365 Admin Access
**Global Administrator****TODO:** Who currently has Global Admin access? (There should be a primary and a backup.)
**User / Group management**Anna (office staff) manages day-to-day membership. IT admin handles mailbox permissions.
**Who manages access?****TODO:** Is there a documented process for granting/revoking admin access? Who approves changes?
### Other System Access
SystemPrimary AccessBackup Access
QuickBooks**TODO****TODO**
Membership Database**TODO****TODO**
Gusto (Payroll)**TODO****TODO**
SHHA Website (admin)**TODO****TODO**
Square**TODO****TODO**
Domain registrar**TODO****TODO**
Google accounts**TODO****TODO**
## Cybersecurity ### Current Practices - **TODO:** Do we enforce multi-factor authentication (MFA) for Microsoft 365 admin accounts? - **TODO:** Do we enforce MFA for all licensed users? - **TODO:** How do we handle password policies? (complexity requirements, rotation schedule) - **TODO:** Is there an incident response plan if an account is compromised? - **TODO:** Do we have phishing awareness guidelines for staff and volunteers? ### Data Access - **TODO:** How do we manage overall data access security? (e.g., conditional access policies, device restrictions) - **TODO:** Are there any data classification policies (confidential vs. public)? - **TODO:** How is sensitive financial data protected? (QuickBooks access, payroll data in Gusto) ## Data Backup ### Cloud-Based Systems Most SHHA data resides in cloud services. Each provider has its own backup/redundancy:
SystemBackup Approach
Microsoft 365 (email, SharePoint)Microsoft provides built-in redundancy and retention policies. **TODO:** Do we have a separate backup solution (e.g., third-party M365 backup)? What are our retention policy settings?
QuickBooks OnlineIntuit maintains backups. **TODO:** Do we also export periodic backups locally?
GustoGusto maintains payroll records. **TODO:** Do we keep local copies of payroll reports?
SHHA Website**TODO:** Who backs up the website? How often? Where are backups stored?
Membership Database**TODO:** How is the membership database backed up?
### Local Data - **TODO:** Is any critical data stored only on local computers (office PCs) and not in the cloud? - **TODO:** If so, how is that data backed up? ## Other Security Considerations - **TODO:** Do we have cyber liability insurance? - **TODO:** When was the last security review or audit of our systems? - **TODO:** Are there any compliance requirements (e.g., state HOA data retention laws)? # HR & Personnel Management This page covers staff management, outside consultants, and volunteer administration. Much of this is non-IT operational information. *Items marked **TODO** need information from someone with direct knowledge (e.g., Jim Stewart, current President, or office manager).* ## Staff Management ### Current Staff **TODO:** List current office staff positions and names (e.g., Office Manager, Administrative Assistant). ### Evaluation & Compensation
**Who gives yearly evaluations?****TODO:** (President? Executive Committee? Office manager for junior staff?)
**Who sets salaries?****TODO:** (Board approval required? Budget process?)
**Where are salary and benefits records?****TODO:** (Gusto? QuickBooks? Paper files?)
### Hiring
**Who hires new staff?****TODO:** (President? Executive Committee? Board vote?)
**What is the hiring process?****TODO:** (Job posting, interviews, background check, Board approval?)
### Work Priorities & Training
**Who assigns work priorities?****TODO:** (President? Office manager self-directs?)
**Who trains new staff?****TODO:** (Outgoing staff? Office manager? Written procedures?)
**President's specific role****TODO:** Does the President have a defined role in day-to-day staff management, or is it delegated?
## Outside Consultants **TODO:** Document each outside consultant or contracted service provider. ### Legal Counsel
**Firm / attorney name****TODO**
**Compensation****TODO:** Hourly, per project, or retainer?
**Who oversees / approves work?****TODO:** (President? Board?)
**Who manages expenditure rate?****TODO**
### Web Consultant
**Consultant name / firm****TODO**
**Compensation****TODO:** Hourly, per project, or retainer?
**Who oversees / approves work?****TODO**
**Scope of work****TODO:** Website maintenance? Design? Both?
### Other Consultants **TODO:** Are there other outside consultants (accounting/audit, landscaping, etc.)? List them here. ## Volunteer Management ### Adding Volunteers to Committees
**Who appoints committee members?****TODO:** President? Committee chair? Both? (Refer to [SHHA Bylaws](#bkmrk-e%26o-%28errors-%26-omissi) for the formal process.)
**Process****TODO:** Document the step-by-step process for adding a new volunteer (nomination → approval → IT setup)
**IT setup when adding**Committee chair notifies office staff → staff sends Microsoft invitation → volunteer accepts → staff adds to mailing list. See the *Quick Start for New Volunteers* page.
### Removing Volunteers from Committees
**Process****TODO:** Who initiates removal? (Chair? Volunteer self-removal? Board?)
**IT cleanup**Office staff removes from mailing list; IT removes SharePoint and mailbox access if applicable.
### Replacing a Committee Chair
**Process****TODO:** (Refer to Bylaws — link needed.) Who nominates the new chair? Board approval required?
**IT transition**Shared role mailbox access is transferred (revoke outgoing, grant incoming). See the FAQ section on email transitions.
## Insurance
**E&O (Errors & Omissions) insurance****TODO:** Do we have E&O coverage? What does it cover? Policy details?
**General liability insurance****TODO:** Coverage details? Does it extend to volunteers?
**D&O (Directors & Officers)****TODO:** Do we have D&O insurance?
**Cyber liability****TODO:** Do we have cyber liability coverage?
**Insurance broker / carrier****TODO:** Company name and contact