A tribute to the original [OpsReportCard.com](http://www.opsreportcard.com/)—now unavailable but still cherished by IT ops teams.

[Recreated with 💙 by Stitchflow](https://www.stitchflow.com/)

# The Operations Report Card

32 yes/no habits that separate high- from low-performing IT ops teams

## How'd you like to read?

ChecklistFlash Cards

### Your Ops Score

Export Results

0%

0Yes

0No

32Yet to answer

## A. Public Facing Practices

### Q1. Are user requests tracked via a ticket system?

This is so basic it pains me that I have to explain it.

### Q2. Are "the 3 empowering policies" defined and published?

There are three public-facing policies you must have if a sysadmin team is going to be able to get any work done.

### Q3. Does the team record monthly metrics?

You need to be data-driven when you make decisions or sway upper levels of management.

## B. Modern Team Practices

### Q4. Do you have a "policy and procedure" wiki?

Your team needs a wiki.

### Q5. Do you have a password safe?

This shows you have a mature way to manage passwords.

### Q6. Is your team's code kept in a source code control system?

When installing a new machine is an API call, we're all programmers now.

### Q7. Does your team use a bug-tracking system for their own code?

Bug-tracking systems are different than ticket systems.

### Q8. In your bugs/tickets, does stability have a higher priority than new features?

Adding new features is more fun than fixing bugs.

### Q9. Does your team write "design docs?"

Good sysadmin teams "think before they do." On a larger team it is important to communicate what you are about to do, or what you have done.

### Q10. Do you have a "post-mortem" process?

After a failure do you write up what happened so you can learn from it or do you just hope nobody notices and that it will all go away?

## C. Operational Practices

### Q11. Does each service have an OpsDoc?

Your DNS server dies.

### Q12. Does each service have appropriate monitoring?

It isn't a service if it isn't monitored.

### Q13. Do you have a pager rotation schedule?

Do you have a pager rotation schedule or are you a sucker that is simply on-call forever?

### Q14. Do you have separate development, QA, and production systems?

Developers do their work on their development servers.

### Q15. Do roll-outs to many machines have a "canary process?"

Suppose you have to roll out a change to 500 machines.

## D. Automation Practices

### Q16. Do you use configuration management tools like cfengine/puppet/chef?

Config Management (CM) software is a tool that coordinates the configuration of machines.

### Q17. Do automated administration tasks run under role accounts?

Often we set up automated procedures that run at predetermined times.

### Q18. Do automated processes that generate e-mail only do so when they have something to say?

Do you know the story of "The Boy Who Cried Wolf"?

## E. Fleet Management Processes

### Q19. Is there a database of all machines?

Every site should know what machines it has.

### Q20. Is OS installation automated?

Automated OS installations are faster, more consistent, and let the users do one more task so you don't have to.

### Q21. Can you automatically patch software across your entire fleet?

If OS installation is automated then all machines start out the same.

### Q22. Do you have a PC refresh policy?

If you don't have a policy about when PC will be replaced, they'll never be replaced.

## F. Disaster Preparation Practices

### Q23. Can your servers keep operating even if 1 disk dies?

It used to be that if there was one broken component in a computer, you had an outage.

### Q24. Is the network core N+1?

An outage for one person is a shame.

### Q25. Are your backups automated?

This question assumes you are doing backups.

### Q26. Are your disaster recovery plans tested periodically?

The last section was a bit of a lie.

### Q27. Do machines in your data center have remote power / console access?

This needs little explanation.

## G. Security Practices

### Q28. Do Desktops/laptops/servers run self-updating, silent, anti-malware software?

Viruses and malware are a fact of life.

### Q29. Do you have a written security policy?

Looking at existing policies is a good way to get ideas.

### Q30. Do you submit to periodic security audits?

This needs little explanation.

### Q31. Can a user's account be disabled on all systems in 1 hour?

This indicates a lot more about your team and the environment you run than just whether or not you can disable an account.

### Q32. Can you change all privileged (root) passwords in 1 hour?

This also indicates a lot more than what the question specifically asks.
