Operations & Administration

Systems inventory, security controls, HR and personnel management.

Systems Inventory

This page lists the technology systems SHHA uses. For each system, we document what it does, who administers it, and how it is accessed. Items marked TODO need information filled in by someone with direct knowledge of that system.

1. Microsoft 365

Microsoft 365 is SHHA's primary platform for email, mailing lists (Microsoft Groups), shared role mailboxes, and file storage (SharePoint).

Type: Cloud-based (Microsoft-hosted)
Primary admin: Anna (office staff) handles day-to-day membership changes; IT admin handles mailbox permissions and configuration
Backup admin: TODO: Identify and document a backup administrator
Login: admin.microsoft.com (admin), outlook.com (email), SharePoint links (files)
Licensing: Only office staff and IT admin need paid licenses; volunteers are free external guests

2. QuickBooks

Used for SHHA financial accounting.

Type: Cloud-based
Primary admin / user: TODO: Who is the primary user? (Treasurer? Office staff?)
Backup: TODO: Is there a backup user with access?
Login: TODO: URL and login method
Notes: TODO: Version (Online vs Desktop), billing, who pays for the subscription

3. Membership Database

TODO: Document the membership database system.

System name: TODO: What system/software is used?
Type: TODO: Cloud-based or local?
Primary admin: TODO: Is Ryan the primary outside admin?
Backup admin: TODO: Is there a backup?
Data stored: TODO: What member data is in this system? (names, addresses, dues status, etc.)

4. Gusto

Used for payroll and employee benefits administration.

Type: Cloud-based
Primary admin: TODO: Who manages Gusto? (Office manager? Treasurer?)
Backup: TODO: Is there a backup admin?
Login: app.gusto.com
Notes: TODO: How many employees are on payroll? Billing responsibility?

5. SHHA Website

The public-facing website at sandiahomeowners.org.

Type: TODO: What platform/CMS runs the website? (WordPress, Squarespace, custom?)
Hosting: TODO: Where is it hosted? Cloud-based?
Primary owner: TODO: Who manages content updates?
Backup owner: TODO: Is there a backup person?
Outside consultant: TODO: Is there a web consultant? If so, who? How are they paid?
Login: TODO: Admin URL and login method

6. GRIT Newsletter

The GRIT is SHHA's community newsletter, currently produced monthly.

Production tool: TODO: What software is used for layout? (InDesign, Canva, Google Docs, etc.)
Distribution method: TODO: Print, email, or both?
Editor / layout person: TODO: Who currently does layout and editing?
Gmail account: shhagrit@gmail.com. TODO: document what this Gmail is used for (submissions? Google Drive access? legacy?)
Related page: See the GRIT Layout Monthly Guide in the Specialty Topics chapter for the step-by-step production process.

7. Square

Used for Sandia Tram ticket sales and advertising payments.

Type: Cloud-based
Primary user: TODO: Who manages Square transactions?
Backup: TODO: Is there a backup?
Login: squareup.com
Notes: TODO: What specific transactions go through Square? Revenue amounts?

8. Other Systems

TODO: Are there additional systems not listed above? Examples might include:
- Bulk email / email blast service (Mailchimp, Constant Contact, etc.)
- Google Workspace (the shared Google Calendar for Board reminders uses Gmail; is there a full Google account?)
- Domain registrar for sandiahomeowners.org (TODO: who manages DNS and domain renewal?)
- Any other SaaS tools or vendor portals

Controls & Security

This page documents access controls, cybersecurity practices, and data backup procedures for SHHA systems. Items marked TODO need information filled in. These questions originated from Andrea's controls review.

Access Controls: Who Has Access to What?

Microsoft 365 Admin Access

Global Administrator: TODO: Who currently has Global Admin access? (There should be a primary and a backup.)
User / Group management: Anna (office staff) manages day-to-day membership. IT admin handles mailbox permissions.
Who manages access? TODO: Is there a documented process for granting/revoking admin access? Who approves changes?

Other System Access

System               | Primary Access | Backup Access
QuickBooks           | TODO           | TODO
Membership Database  | TODO           | TODO
Gusto (Payroll)      | TODO           | TODO
SHHA Website (admin) | TODO           | TODO
Square               | TODO           | TODO
Domain registrar     | TODO           | TODO
Google accounts      | TODO           | TODO

Cybersecurity

Current Practices
- TODO: Do we enforce multi-factor authentication (MFA) for Microsoft 365 admin accounts?
- TODO: Do we enforce MFA for all licensed users?
- TODO: How do we handle password policies? (complexity requirements, rotation schedule)
- TODO: Is there an incident response plan if an account is compromised?
- TODO: Do we have phishing awareness guidelines for staff and volunteers?

Data Access
- TODO: How do we manage overall data access security? (e.g., conditional access policies, device restrictions)
- TODO: Are there any data classification policies (confidential vs. public)?
- TODO: How is sensitive financial data protected? (QuickBooks access, payroll data in Gusto)

Data Backup

Cloud-Based Systems

Most SHHA data resides in cloud services. Each provider has its own backup/redundancy:

- Microsoft 365 (email, SharePoint): Microsoft provides built-in redundancy and retention policies. TODO: Do we have a separate backup solution (e.g., third-party M365 backup)? What are our retention policy settings?
- QuickBooks Online: Intuit maintains backups. TODO: Do we also export periodic backups locally?
- Gusto: Gusto maintains payroll records. TODO: Do we keep local copies of payroll reports?
- SHHA Website: TODO: Who backs up the website? How often? Where are backups stored?
- Membership Database: TODO: How is the membership database backed up?

Local Data
- TODO: Is any critical data stored only on local computers (office PCs) and not in the cloud?
- TODO: If so, how is that data backed up?

Other Security Considerations
- TODO: Do we have cyber liability insurance?
- TODO: When was the last security review or audit of our systems?
- TODO: Are there any compliance requirements (e.g., state HOA data retention laws)?

HR & Personnel Management

This page covers staff management, outside consultants, and volunteer administration. Much of this is non-IT operational information. Items marked TODO need information from someone with direct knowledge (e.g., Jim Stewart, current President, or office manager).

Staff Management

Current Staff
TODO: List current office staff positions and names (e.g., Office Manager, Administrative Assistant).

Evaluation & Compensation
- Who gives yearly evaluations? TODO: (President? Executive Committee? Office manager for junior staff?)
- Who sets salaries? TODO: (Board approval required? Budget process?)
- Where are salary and benefits records? TODO: (Gusto? QuickBooks? Paper files?)

Hiring
- Who hires new staff? TODO: (President? Executive Committee? Board vote?)
- What is the hiring process? TODO: (Job posting, interviews, background check, Board approval?)

Work Priorities & Training
- Who assigns work priorities? TODO: (President? Office manager self-directs?)
- Who trains new staff? TODO: (Outgoing staff? Office manager? Written procedures?)
- President's specific role: TODO: Does the President have a defined role in day-to-day staff management, or is it delegated?

Outside Consultants

TODO: Document each outside consultant or contracted service provider.

Legal Counsel
Firm / attorney name: TODO
Compensation: TODO: Hourly, per project, or retainer?
Who oversees / approves work? TODO: (President? Board?)
Who manages expenditure rate? TODO

Web Consultant
Consultant name / firm: TODO
Compensation: TODO: Hourly, per project, or retainer?
Who oversees / approves work? TODO
Scope of work: TODO: Website maintenance? Design? Both?

Other Consultants
TODO: Are there other outside consultants (accounting/audit, landscaping, etc.)? List them here.

Volunteer Management

Adding Volunteers to Committees

Who appoints committee members?
TODO: President? Committee chair? Both? (Refer to SHHA Bylaws for the formal process.)

Process: TODO: Document the step-by-step process for adding a new volunteer (nomination → approval → IT setup)
IT setup when adding: Committee chair notifies office staff → staff sends Microsoft invitation → volunteer accepts → staff adds to mailing list. See the Quick Start for New Volunteers page.

Removing Volunteers from Committees

Process: TODO: Who initiates removal? (Chair? Volunteer self-removal? Board?)
IT cleanup: Office staff removes from mailing list; IT removes SharePoint and mailbox access if applicable.

Replacing a Committee Chair

Process: TODO: (Refer to Bylaws; link needed.) Who nominates the new chair? Board approval required?
IT transition: Shared role mailbox access is transferred (revoke outgoing, grant incoming). See the FAQ section on email transitions.

Insurance

E&O (Errors & Omissions) insurance: TODO: Do we have E&O coverage? What does it cover? Policy details?
General liability insurance: TODO: Coverage details? Does it extend to volunteers?
D&O (Directors & Officers): TODO: Do we have D&O insurance?
Cyber liability: TODO: Do we have cyber liability coverage?
Insurance broker / carrier: TODO: Company name and contact
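The volunteer IT setup, IT cleanup and chair-transition steps in the Volunteer Management section above (guest invitation, mailing-list membership, shared role mailbox access) each correspond to a small number of Microsoft 365 administrative commands. The script below is an added example written for this page; it is not part of the SHHA wiki or an SHHA procedure. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that the operator holds a role allowed to invite guests and manage groups and mailbox permissions. The group alias, role mailbox address and all e-mail addresses are constructed placeholders, and the final audit listing is included because the Controls & Security page asks who has access to what.

```powershell
# Added example, not SHHA's own script. Assumes the Microsoft Graph PowerShell SDK
# and ExchangeOnlineManagement modules are installed; every address and alias
# below is a constructed placeholder.

Connect-MgGraph -Scopes "User.Invite.All","User.Read.All","Group.Read.All","GroupMember.ReadWrite.All"
Connect-ExchangeOnline

$Volunteer   = "new.volunteer@example.com"       # placeholder: volunteer's own address
$GroupAlias  = "parks-committee"                 # placeholder: committee mailing-list alias
$RoleMailbox = "committee-chair@example.org"     # placeholder: shared role mailbox

# --- IT setup when adding: invite as a free external guest, then add to the mailing list ---
$invite  = New-MgInvitation -InvitedUserEmailAddress $Volunteer `
               -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage
$guestId = $invite.InvitedUser.Id

$group = Get-MgGroup -Filter "mailNickname eq '$GroupAlias'"
if (-not $group) { throw "No group with alias '$GroupAlias' found" }
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId

# --- IT cleanup when removing: look the guest up by its external mail address,
#     drop it from the list and revoke any role mailbox access it held ---
$guest = Get-MgUser -Filter "mail eq '$Volunteer'"
if ($guest) {
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $guest.Id
    # Exchange identifies the guest by its tenant UPN (the ...#EXT#... form), not the external address
    Remove-MailboxPermission -Identity $RoleMailbox -User $guest.UserPrincipalName `
        -AccessRights FullAccess -Confirm:$false -ErrorAction SilentlyContinue
}

# --- IT transition when replacing a chair: revoke outgoing, grant incoming ---
$Outgoing = "outgoing.chair@example.com"   # placeholder
$Incoming = "incoming.chair@example.com"   # placeholder
Remove-MailboxPermission -Identity $RoleMailbox -User $Outgoing -AccessRights FullAccess -Confirm:$false
Add-MailboxPermission    -Identity $RoleMailbox -User $Incoming -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true

# --- Access review for the "who has access to what" table: current FullAccess holders
#     on the role mailbox, and every guest account in the tenant ---
Get-MailboxPermission -Identity $RoleMailbox |
    Where-Object { $_.AccessRights -contains "FullAccess" -and $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, AccessRights

Get-MgUser -Filter "userType eq 'Guest'" -All |
    Select-Object DisplayName, Mail, CreatedDateTime
```

Running the two review queries at the end on a schedule and recording the output alongside the Other System Access table gives the controls review a concrete, dated answer to the access questions it poses, and makes a stale guest or a forgotten FullAccess grant visible during the removal and chair-transition steps.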