Best Practices: DC Risk Assessment

Posted April 24, 2019

by cliff

One of the benefits of having gone through the process of ISO 22301 certification is that it forced us to do a formal Activity Based Risk Assessment for our HQ and Primary Data Centre (PDC). In the case of our DC, the activity in question is the hosting of our IT infrastructure for external services to customers and internal services to staff. Now, if you’ve ever done a formal risk assessment, you’ll know that one of the first things you do is to identify possible hazards (or threats). The list we came up with is below. This list may not be exhaustive, but I think it covers the major risks within a Singapore context at least.

  • Fire (and explosion) affecting the DC
  • Flood in areas surrounding the DC building
  • Prolonged power failure to the building – due to a power utility provider problem or an in-house MCB (miniature circuit breaker) problem
  • Air-con system failure
  • Terrorist attack on building or other nearby buildings
  • People-related risks (external) – break-in, theft, sabotage
  • People-related risks (internal) – fraud, disgruntled employee
  • IT system failure
  • Telecommunications failure
  • Fire suppression system discharge
  • Failure of the Data Centre operator – bankruptcy, etc.
  • Software vendor support unavailable
  • Hardware vendor support unavailable

After you identify the hazards, the next step is to describe the possible effect each hazard might have on your environment and on your ability to carry on the activity of providing IT services to external and internal parties.