The Risk Assessment of Server Room
facilities is not limited to the server room and its equipment but
must also include other events that may affect the ability to provide
the IT services from the facility and may affect the ability to
respond to an incident. This article considers some of these other
issues and the controls needed to protect against them.
Disaster situations put pressure on normal working practices. It is
important that those working practices help, rather than hinder, the
disaster response activities.
IT service provision affects all part of the business. Without strong
management arrangements co-ordinating the activities, there can arise
Activities of one group adversely
affect the activities of another group. For example, capacity
problems on a network.
Duplication of hardware and
environment requirements. For example, building 2 server rooms.
Duplication of effort in defining
Duplication of effort in
researching software requirements.
Staff inefficiency due to a
process having to be operated more than once. For example, control
of data back-up process.
Pace of Change
The environment within which IT operates is subject to continual and
significant change. The IT department must have a defined and
published technology plan, to minimise the risk of misunderstanding
and duplication of effort.
New business requirements, such as
New hardware releases from Intel
and equipment developers.
New software releases from
Microsoft, DBMS and application developers.
New communications technology such
as ADSL, and WAP.
New industry standards, such as
An event that can affect the business location may also affect the
ability to deliver IT services from the Server Room.
Location Denial of Access
Denial of access incidents are when a business is not allowed to gain
entry to its premises. The premises themselves are not damaged in any
way, but staff are not allowed to gain entry to undertake their work,
and vehicles are not allowed to make deliveries to and from the
Denial of access incidents may last for only a few hours, causing
minor disruption to business activities, or may last for days,
threatening the survival of a business. The denial of access is not
connected with the business, but results from an external event.
Events that may cause a location denial of access include:
Serious event at a building close
to the business premises. For example, a fire at a neighbouring
factory, resulting in the evacuation of your business premises.
Serious event in the vicinity of
the business premises. For example, a civil disturbance or riot at
a neighbouring office, resulting in the closing of access roads to
your business premises.
Serious accident on the transport
infrastructure affecting the local access. For example, a train
crash, resulting in the restriction of access to your business
Natural threats are events such as earthquakes, and incidents such as
adverse weather conditions. In extreme cases they can cause serious
damage to a locality, and significantly affect the business.
Such events can take days, weeks or even months to recover from. The
affect of such an event may include:
Denial of access to the site.
Loss of staff temporarily and
permanently. This loss of expertise may reduce the standard of
service provision further, and increase the time to recover.
Loss of building and equipment.
Interrupted essential services
such as gas and electricity.
Interrupted communications both
voice and data
Human Threats cover events such as riots, civil disturbances,
vandalism, terrorism and sabotage. They may be targeted on an area, or
on a particular business. They may not always result in damage to
property, but can cause significant disruption by the intimidation of
staff, and delays to supplies and deliveries.
Human threats also cover less dramatic events, such as problems with
car parking or access to the site. Although property damage is minimal
these events can cause significant disruption to operations as they
impede staff movements, and supplies movements.
Site Location Hazards
Site Location hazards concern the immediate vicinity around the site.
It includes the transport infrastructure and neighbouring premises.
Transport incidents that can affect the business include:
A serious incident at a nearby
business may affect your business. The nature of the business, and the
hazardous substances used will influence the likely impact of the
The impact of site location incidents will be to restrict access to
your own location.
Site / Building Threats
The threat to the IT service is significantly influenced by the threat
to the building and site where the Server Room is located.
Physical security for the protection of the site is the first line of
defence for the Server Room facility. The risk assessment considers:
Use of security staff.
External lighting and fencing.
Use of external video cameras and
internal video cameras.
The monitoring of intruder alarms.
Environmental system alarms (e.g.
Additional alarms for
critical/high value computer equipment.
The use of a Receptionist adds
another layer of security.
The access to the building/site
throughout a 24-hour period. The key holder role, and access to
all "locked" areas.
Visitor management. Car parking
spaces, issue of visitor passes.
Management of emergency contact
The use of staff security cards.
Restricting staff and visitor car
parking improves site security.
Barriers to the car park. Issue
and return of car park passes. Use of parking passes at sites with
unrestricted access to the car park
Location of visitor parking. If
parking is allowed next to the building it must be of known
Control of deliveries into and out
of a site.
Use of speed restriction bumps to
slow down 'get-away' vehicles.
Site-wide evacuation procedures must include the IT facilities.
Evacuation procedures must be
displayed on notice boards/prominent areas in the building. The
procedures should be brought to the attention of staff on a
regular basis and updated as necessary.
Evacuation procedures must be
tested regularly, and staff made aware of their roles and
responsibilities following an evacuation of the building.
Fire Marshals must exist to
co-ordinate the evacuation of the building. Co-ordinators at each
staff assembly area should wear luminous jackets and have a means
of communicating with a central control point.
The staff assembly area should be
at least 500 metres away from the building, to provide the
greatest protection for the staff.
Details of the building emergency
procedures should be given to each visitor on arrival.
A list must be kept by the
receptionist/security/key holders/emergency teams, showing details
of telephone numbers for those key personnel and organisations to
be contacted in an emergency, e.g. emergency call-out staff,
plumber, salvage company, etc.
A number of staff must be trained
in first aid and an injury book must be held to record the name of
the injured party and the treatment given.
Site hazards can put the site at greater risk, and hence the IT
facilities at greater risk.
Fuel stores, flammable oils
stores, gas cylinders, paint and other combustible materials must
be stored and moved according to appropriate legislation.
Any other hazardous substance must
be stored and moved appropriately.
All portable electrical appliances
must be tested annually in accordance with the legal requirements
on portable appliance testing. Faulty electrical appliances are a
common cause of fires.
The Server Room Risk Assessment must consider much more than just the
actual server room and its equipment. The ability to provide service
can be affected by many events and issues that are not directly
connected with IT. The correct response to these events is just as
important to the continuity of service and the business of a company.