Is there a good backup? Really of everything? How much can you afford to lose, is a week still OK or is 1 hour of work lost already too much? How much history in backup is needed to protect against human error like accidental deletion, 1 day, 5 days, 2 weeks, or simply a duplicate of everything in case a HDD goes south without any history?
How important is it to plan for a worst-case-scenario like fire, flood, or similar, and therefore the need of having off-site backup? Also, what physical measures need to be considered, is there anything that insurance would require?

Having a backup is one thing. How do we make sure the backup is actually usable? Do we know, or better yet, have practised a recovery of a broken HDD? What if a whole computer needs to be replaced, are the settings (e.g. DNS, DHP, Print server) backed up, or potentially the system cloned in case nothing much is changing on the system itself?

Physical security...
Ever considered that someone might break in and walks out with a server? That happened even to big data centres, so why not a YWAM Base... I guess, it's good to be in a position to need (and have) a server room where the Base can store all local data, rather then in some corner at the end of the hallway. Of course, that room should be properly locked to add that extra bit of security.

Network security...
I don't think anyone would purposefully leave all doors open for script-kiddies or the like. But how secure does it need to be to prevent intrusion from outside, what's the real-world threat to a YWAM Base? Do we have to expect targeted attacks on our networks from someone out there? Or even worse, from the inside? Now hang on, an attack on our YWAM network from the inside... That would mean one of our own people or students. But we are all Christians and would never do that, right? Right?? Well, has it ever happened that some food walked out the kitchen, money gone missing, or similar? Is it really so unthinkable that someone on the inside would (try to) break into the system?
Therefore we need to think about password policy, disk encryption, physical access to servers, firewall, intrusion detection systems, staying up-to-date on security related topics (bugs, phishing, new attack strategies, etc.), do we need screen-savers that are password protected (maybe just for specific ministries like accounting), and much more.

Do we need a policy regarding anti-virus, firewall, and similar software for devices plugged in to the local network?
How would that apply to Linux and Apple devices? While some suggest that Apple is actually far easier to crack, the vulnerabilities in the wild speak rather for putting Windows and Android phones in a quarantine. Are there actually any/enough/sufficient related software options for mobile devices like iOS, Android, Windows Phone, available?

Safety "on the go"...
How can we make sure that those travelling are save? Connecting to public hot-spots isn't exactly what is called a "trusted network". What can we do that our Base, National, Regional, International Leaders/Elders are safe in their communication. On the go, as well as when at home?

What then happens when those who were travelling are coming back from outreach, holiday, speaking engagement? Or those arriving at our base, like new staff, students, guest speakers, etc. Do we need to check every device that connects to our networks? Every computer, Flash-drive, external HDD people connect to, smart-phones, tablets. That could be a time consuming task. But what is more costly, the time to check all those or the time, effort and potential loss when a virus, trojan, whatever, was brought in from the outside?

Do we really need to have a wireless access point on Base? Sure it is convenient for guests, those who come with their own laptops, for meetings, etc. Also not to forget the ever increasing number of mobile devices like smart phones and tablets which are not able to connect to a wired network. On the other hand, is it really necessary that every personally owned phone can connect to the network/internet during work hours?
I guess there are pros and cons, different situations might require different solutions. Still we have to evaluate the local situation and take appropriate measures rather then taking wireless for granted and a normal part of our lives.
In some situations, e.g. with limited internet quota personal mobile devices might simply need to be banned from the local network to avoid constant updating for weather, emails, etc. In other situation it might not matter at all.

Another point to think about with about is the fact that wireless access points are usually sitting inside the network. The firewall would then only control/protect outgoing connections but not the local network. What if wireless encryption would be broken and crackable within minutes, basically with no effort for the attacker? It happened to WEP, why not, at one point, to the newest encryption standard? The network then needs to be considered open and unprotected.
How do we properly secure wireless access points? Can we just take them down or do we depend so much on them that half our work halts? Do we need a sub-network for wireless with a extra firewall at the point where it connects to the overall network?

Using Google to host all emails might be a considerable solutions to some. Technically there should be backup and sure there is more expertise in security then most, if not all, of us have. However, Google might also be a more "intere3sting" target for attackers. On the other hand there might be people who don't trust Google for the simple fact that every email is scanned by the company.
Another option is to simply get some web space to host a website and the emails with that provider. Again, with a provider we probably trust their expertise in securing their systems against attacks and updating their systems with the latest patches, and trust for some backup. But again, do we trust that company to store our emails, including potential sensitive communication?
Or is it simply the best solution to have an email server on Base premises? After all, if internet is down, or what ever provider we might host emails with is inaccessible, we wouldn't be able to read any email. If it is on Base we still can read and answer emails, save them and send it out when internet is up again. But to continue with the theme, do we trust ourselves (more than others or at least enough) with hosting our emails? What the best way to secure the emails, a sub-network with it's own firewall, so that even if the email server is breached the rest of the network is still safe, and vice versa?

.
Speaking of sensitive communication and email...
How about a secure way to communicate? Do we need encryption (PGP/GPG) for our email communication or is it not necessary? Well, how do we know, anyway? Is it needed for Base internal communication or is it not worth the inconvenience. What is the situation, the type of communication that would require that level of security. Would it actually be important to provide email encryption for Base leadership teams? What about national, regional, international leadership? Is it important for specific ministries to communicate securely?
Not too many people know about it, they would need to be trained to use it, might need help to set it up, people need to know that if the password is lost that there is no way to get to those emails ever again and that a sticky note on the screen is not a helpful tool to remember the password.

How about outreach? We do go to sensitive places, right? How do we communicate? Writing with safe words but having YWAM in the email address isn't exactly cutting it. Do we trust another email provider in that case, e.g. like Yahoo or Google, or go rather with a "secure" provider like Hushmail? But there is again the question who we trust to host our communication?
Should we simply set up a meaningless domain and use encrypted email for outreach purposes?

.
Or... is it all overrated? We do nothing bad, we have nothing to hide. Just be a bit careful with the words to not raise wrong assumptions and be done with it?

What level of up-time do we try to achieve with our system? For a small Base it might be not worth go go beyond a few real desktops, some might bring their own desktop or laptop, and therefore the needs for computers are covered. What size network marks the point to actually replace the computers with a Terminal Server? However, we need to consider the fact that some folks might always need a real computer, e.g. to edit a video.
Where is the line to then add a 2nd Terminal Server, rather then getting a more powerful server? Does the level of up-time we try to achieve require multiple systems, anyway? Is load balancing enough or is it even necessary to have a hot stand-by for fail-over?

Virtual Machine anyone? Great, get a decent server, run your local DNS, a internal web server, a database server, the data share, the Terminal server, in a handful virtual machines. Most likely that will safe some bucks on hardware cost and power consumption will be better compared to multiple single purpose machines. But if that one machine is down due to hardware failure, all those virtual machines and services are inaccessible.
So, load balancing seems like not such a bad idea, in any case. But where do we draw the line between Virtual Machine and Real Machine?

Operating System...
Linux vs. Mac vs. Windows (in alphabetical order) is probably one of the most heated discussed topics. The unhappy truth for all of us who are 100% convinced of one platform is that all of them have their advantages and dis-advantages.
It might be good for everyone to identify a few good things on all platforms. The things people don’t like are identified so easily, so it's good to start with the upside.

I guess it is important to know the strengths of an OS to identify the right system for the situation. Potentially a mixed environment needs to be considered. At this point it is really important to know the requirements for the network, what software is needed, etc.
In other words, before deciding on "the" Base system to use it is important to investigate if the needed software is available or if there is even a better alternative solution available.

Hardware...
Every system and software needs some hardware to run on.
Depending on the size of the network this might have very different implications. A small Base might get away with DNS, DHCP, and a firewall provided by the modem and an external HDD for backup for the handful of computers. While others might need to handle well over 200 devices with very different needs for the hardware.

No matter which system is used, what is the tipping point to using a Terminal Server rather then individual computers? Pretty much everyone needs software along the lines of browser, email, word processor, spreadsheet, etc. for daily tasks. What kinda hardware is needed for e.g. 50 users with a Terminal Server, how much RAM, what size CPU, is it worth investing in SSD drives for the OS? What is the tipping point to better having 2 servers rather then upgrading for all to use one single server.
In case of 2 servers we need a load balancing server, can that run as a virtual machine on the actual Terminal Server or is it better to run on extra hardware. Also, to not have the load balancing server as single point of failure it needs 2 of them with some sort of fail-over capability.

What kind of set-up is needed to serve data to 10, 50, 100, 200+ users? SAN or NAS. Again, what is the tipping point to deploy load balancing?

How about backup, DNS, DHCP, Print server, internal web server, email server, firewall, proxy... What can be combined on one system, what can be put on one physical computer using virtual machines, what is better to be deployed separate?

Speaking of hardware...
What speaks for and against stand-alone systems and 19" systems, respectively? Is it worth going through the trouble of buying the pieces and building our own systems? Is that even possible with 19" gear?
Or even a step further and building the cases ourselves? Who says they have to be metal. Potentially taking a lesson from the "Helmer Render Cluster" http://helmer.sfe.se/
How easy is it to build something like a storage cluster with 10 or 15 hot-swappable HDDs?

Of course, those self built systems come with no warranty. If we go with a supplier like Dell support can be bought for up to 5 years, if I'm not mistaken. Someone will come and replace the broken parts. However, that comes at a price...

DNS, DHCP, User Authentication, Print Server, File Server, etc. There is a lot to make a network run smooth. Machines have to be maintained, systems and user accounts to be managed.
What software is best to be used for managing all that. What pitfalls are out there for setting up a system. At what point do we need traffic shaping to ensure that everyone gets acceptable internet speeds.

There are only limited IP addresses in a network available. Depending on the local situation we might run out of available IP addresses for all connected devices. What is best practice for setting up sub-networks?

At what point does it make sense to have a firewall, other then what the average modem comes with? Is it better do buy a hardware firewall or better to set up a computer to serve as firewall?
Is it better to just simply have one firewall for internet traffic or is it better to have several, e.g. for the email server, the wireless, and the general network, having all these on different subnets?

How about a proxy? We probably need a set-up that wont interfere so much with users computers. Those who come with their own laptops, also guests, don't want to change settings constantly. Also, we can't assume that everyone is knowledgeable enough to do that themselves.
We probably can't demand that people use a extra user account within the Base network to have permanent settings for the proxy. Still, that wouldn't even help for guests, and potentially not possible for some mobile devices.
So, in this case would a Transparent Proxy be the best option? No client side configuration is needed but frequently used web sites can still be cached so we can save bandwidth and speed up browsing.

What's the situation with local law and YWAM. Is the Base a registered training organisation, a registered charity, or simply under the radar? What governmental requirements regarding data handling, IT in general, network security, etc. comes with that?
Again, different situations in the same country are probably requiring different solutions. Whether a Base runs schools or not, having a shop of some sort, etc.

Where can such information be found?