Peterborough Community Website - Home

Peterborough UK
12:10 on Thursday
22 July 2004

Server Room Risk Assessment


The Risk Assessment of Server Room facilities is not limited to the server room and its equipment but must also include other events that may affect the ability to provide the IT services from the facility and may affect the ability to respond to an incident. This article considers some of these other issues and the controls needed to protect against them.

Organisation Threats
Disaster situations put pressure on normal working practices. It is important that those working practices help, rather than hinder, the disaster response activities.

IT Management
IT service provision affects all parts of the business. Without strong management arrangements co-ordinating the activities, difficulties can arise:

  • Activities of one group adversely affect the activities of another group. For example, capacity problems on a network.

  • Duplication of hardware and environment requirements. For example, building 2 server rooms.

  • Duplication of effort in defining operating standards.

  • Duplication of effort in researching software requirements.

  • Staff inefficiency due to a process having to be operated more than once. For example, control of data back-up process.

Pace of Change
The environment within which IT operates is subject to continual and significant change. The IT department must have a defined and published technology plan to minimise the risk of misunderstanding and duplication of effort. Sources of change include:

  • New business requirements, such as the Internet.

  • New hardware releases from Intel and equipment developers.

  • New software releases from Microsoft, DBMS and application developers.

  • New communications technology, such as ADSL and WAP.

  • New industry standards, such as ISO 17799.

Business Threats
An event that can affect the business location may also affect the ability to deliver IT services from the Server Room.

Location Denial of Access
Denial of access incidents are when a business is not allowed to gain entry to its premises. The premises themselves are not damaged in any way, but staff are not allowed to gain entry to undertake their work, and vehicles are not allowed to make deliveries to and from the premises.
Denial of access incidents may last for only a few hours, causing minor disruption to business activities, or may last for days, threatening the survival of a business. The denial of access is not connected with the business, but results from an external event.
Events that may cause a location denial of access include:

  • Serious event at a building close to the business premises. For example, a fire at a neighbouring factory, resulting in the evacuation of your business premises.

  • Serious event in the vicinity of the business premises. For example, a civil disturbance or riot at a neighbouring office, resulting in the closing of access roads to your business premises.

  • Serious accident on the transport infrastructure affecting the local access. For example, a train crash, resulting in the restriction of access to your business premises.

Natural Threats
Natural threats are events such as earthquakes, and incidents such as adverse weather conditions. In extreme cases they can cause serious damage to a locality and significantly affect the business.
Such events can take days, weeks or even months to recover from. The effects of such an event may include:

  • Denial of access to the site.

  • Loss of staff temporarily and permanently. This loss of expertise may reduce the standard of service provision further, and increase the time to recover.

  • Loss of building and equipment.

  • Interrupted essential services such as gas and electricity.

  • Interrupted communications, both voice and data.

  • Interrupted supplies.

  • Interrupted deliveries.

Human Threats
Human threats cover events such as riots, civil disturbances, vandalism, terrorism and sabotage. They may be targeted at an area or at a particular business. They may not always result in damage to property, but can cause significant disruption through the intimidation of staff and delays to supplies and deliveries.
Human threats also cover less dramatic events, such as problems with car parking or access to the site. Although property damage is minimal, these events can cause significant disruption to operations because they impede the movement of staff and supplies.

Site Location Hazards
Site location hazards concern the immediate vicinity around the site. They include the transport infrastructure and neighbouring premises.
Transport incidents that can affect the business include:

  • Major train derailment.

  • Airport incident.

  • Major road traffic accident.

A serious incident at a nearby business may affect your business. The nature of that business and the hazardous substances it uses will influence the likely impact of the incident.
The impact of site location incidents will be to restrict access to your own location.

Site / Building Threats
The threat to the IT service is significantly influenced by the threat to the building and site where the Server Room is located.

Security
Physical security for the protection of the site is the first line of defence for the Server Room facility. The risk assessment considers:

  • Use of security staff.

  • External lighting and fencing.

  • Use of external video cameras and internal video cameras.

  • The monitoring of intruder alarms.

  • Environmental system alarms (e.g. power).

  • Additional alarms for critical/high value computer equipment.

  • The use of a Receptionist adds another layer of security.

  • The access to the building/site throughout a 24-hour period. The key holder role, and access to all "locked" areas.

  • Visitor management. Car parking spaces, issue of visitor passes.

  • Management of emergency contact lists.

  • The use of staff security cards.

  • Restricting staff and visitor car parking improves site security.

  • Barriers to the car park. Issue and return of car park passes. Use of parking passes at sites with unrestricted access to the car park.

  • Location of visitor parking. If parking is allowed next to the building, it must be restricted to known vehicles only.

  • Control of deliveries into and out of a site.

  • Use of speed restriction bumps to slow down 'get-away' vehicles.

Emergency Procedures
Site-wide evacuation procedures must include the IT facilities.

  • Evacuation procedures must be displayed on notice boards/prominent areas in the building. The procedures should be brought to the attention of staff on a regular basis and updated as necessary.

  • Evacuation procedures must be tested regularly, and staff made aware of their roles and responsibilities following an evacuation of the building.

  • Fire Marshals must exist to co-ordinate the evacuation of the building. Co-ordinators at each staff assembly area should wear luminous jackets and have a means of communicating with a central control point.

  • The staff assembly area should be at least 500 metres away from the building, to provide the greatest protection for the staff.

  • Details of the building emergency procedures should be given to each visitor on arrival.

  • A list must be kept by the receptionist/security/key holders/emergency teams, showing details of telephone numbers for those key personnel and organisations to be contacted in an emergency, e.g. emergency call-out staff, plumber, salvage company, etc.

  • A number of staff must be trained in first aid and an injury book must be held to record the name of the injured party and the treatment given.

Hazards
Site hazards can put the site at greater risk, and hence the IT facilities at greater risk.

  • Fuel stores, flammable oils stores, gas cylinders, paint and other combustible materials must be stored and moved according to appropriate legislation.

  • Any other hazardous substance must be stored and moved appropriately.

  • All portable electrical appliances must be tested annually in accordance with the legal requirements on portable appliance testing. Faulty electrical appliances are a common cause of fires.

Conclusion
The Server Room Risk Assessment must consider much more than just the actual server room and its equipment. The ability to provide service can be affected by many events and issues that are not directly connected with IT. The correct response to these events is just as important to the continuity of service and the business of a company.

Article by: Dave Bowra

About the author: Dave Bowra MBCI M.INSTIS is the principal of business evailability, a disaster recovery and business continuity consultancy based in Peterborough. He is a member of the Business Continuity Institute and a member of the Institute of Information Security.
Business Evailability
