Among the many dependencies that organizations have, the data center is probably the most significant. It sits at the heart of IT operations, which makes it vital for the business in today’s digital economy.
IT disaster recovery planning, or “IT resilience” planning as it is often termed, is typically application-driven. When a business sets out to build its IT resilience strategy, plans, and infrastructure, it typically performs a business impact analysis. The BIA identifies the most critical applications, and consequently the IT infrastructure that supports it, and builds recovery plans for them.
While going through this process, businesses should ensure they don’t miss an important step – determining what risks exist at the data center site that could expose the organization to a disruption. This exercise would provide a clear understanding of the risks to which the data center site is exposed, and subsequently allows the organization to address these risks as part of its continuity program.
How would you go about it?
Like any other risk assessment exercise, the first step would be to perform a comprehensive threat assessment. It is important to ensure the threat assessment covers the entire gamut of threats for the data center site. Threats would fall under multiple categories, such as:
- Climate, neighborhood, proximity to airports, military facilities
- Structural, electricity, HVAC, gas, and water supply related threats
- Physical security, vehicle/personnel access
- Smoke/fire detection, water detection, and emergency evacuation
- Business threats across categories such as financial, staff/knowledge, legal/regulatory, etc.
In each category, the assessor would have to determine if the various threats are applicable to the data center site. For example, in the neighborhood threat category they could examine the crime rate in the area which would be an index of the types of crime that the site is exposed to. A threat considered in the air traffic category could be if there is an airport within 10 miles of the site, and if yes, does the location falls in the primary flight path for take-off/landing. An example in the HVAC category could determining if air conditioning units automatically shut down if there is a fire in the facility.
Once a threat is deemed applicable, the assessor would then have to determine probability of the threat occurring, impact to the business, and if there is currently a safeguard in place to mitigate the risk. A combination of these factors would provide the risk level for the particular threat. It would also be useful to enumerate key risk factors for an applicable threat, such as ‘credibility’ for cases where the organization could lose credibility if this threat materializes and health/safety for threats that could impact health or safety of employees and other personnel in the facility. This would provide additional understanding of the nature of impact.
Once the risks have been identified, rated, and consequently prioritized, the next step is to clearly define how the organization is going to address the risk – accept, transfer, reduce, and so on. Once the course of action is determined the specifics around what will be done (action plan), who will do it (responsible party) and by when (time-lines) will have to be clearly defined and documented. This will be required for tracking these action plans to closure, and many of these plans could potentially involve defining processes and procedures as part of the organization’s BCM program.
What are the key outcomes and benefits to the business?
Performing such a comprehensive assessment would improve data center resilience and reduce risk to the organization. It would lead to improvement of data center site controls and add strength to the organization’s overall IT resilience strategy, and provide assurance to management of the data center’s ability to support business continuity goals. Additionally, this exercise could help prepare the organization for internal and external regulatory compliance audits.
According to Gartner, as the hub of all data and information, the data center must take particular care in managing and mitigating risks. In light of this, a resilience assessment as outlined here should be an essential part of the BCM program of any organization that has a data center.
Shiva Jayashankar, MS CBCP CISSP, is manager of IT risk advisory services at Hewlett-Packard Enterprise and is based in Chennai, India. He works with public and private sector clients internationally on business continuity, IT service continuity, and IT risk management consulting engagements. If you would like more information and insight into how to best approach this critical activity, please contact Jayashankar at email@example.com.