Despite the fact that a plethora of IT systems now underpin almost every business, public and private sector organisations alike continue to focus on faster and better systems and applications while continuing to neglect security issues surrounding their systems. Paul Elliott explains why IT security directors must be fully accountable for their Data Centres.

With the Data Centre now at the heart of many businesses, IT security directors are failing to take full ownership of this environment, often pointing the finger of blame at facilities managers when it comes to downtime and loss of service. To prevent classic buck-passing when incidents do arise, organisations must stamp out divided responsibility for the computing environment.

IT security directors must be accountable for the Data Centre as well as the hardware, software and infrastructure so that they can start to do the job for which they are paid.

While it may be exciting and challenging to be at the leading edge, rolling out the latest technology, IT security directors have to be judged on the resilience and availability of all the computer services they provide. Currently, too many of them are failing to implement basic policies, processes and procedures that will minimise the total IT risk within the company Data Centre. The end result is that many organisations are sitting on a disaster waiting to happen.

The modern Data Centre

Today’s Data Centre is a high-density environment housing multiple servers, storage devices, firewalls and network control equipment, all absorbing power, generating heat and expecting to be kept at an ambient temperature for safety reasons.

An engineer simply walking into the Control Room changes the dynamics of the space. Couple that with poor ventilation, temporary wiring, dust contamination and humidity, not to mention static and electromagnetic influences, and the results could be catastrophic for any company which relies heavily on electronic information.

First rule of risk management

The first rule of risk management is to avoid dividing responsibility. For IT security directors with the job of managing and providing technology, their remit has to extend to every element that has an impact on IT delivery and that includes the environment in which technology and infrastructure equipment is located for use.

For valid historical reasons, too many organisations leave responsibility for the IT environment to the facilities management function. Technology environments have become far too important for responsibility to remain in the hands of generalists, however good they might be. The modern computer environment is now so specialist that it needs looking after by people who understand exactly how computer racks and server arrays need to be cooled, what humidity ranges are appropriate and what effect adding another piece of equipment will have on the overall environmental balance of the area.

Unfortunately, many Computer Rooms and Data Centres have grown up in piecemeal fashion, with more attention paid to installing the systems and keeping them running than to any holistic view based on a strategic plan that covers the whole environment. The upshot is that the need to adopt Best Practice in environmental control is only recognised and understood in the aftermath of some type of crisis or emergency. By then, it’s too late.

Technology and business continuity

The first priority of every IT security director must be to ensure that the IT environment is able to provide technology and business continuity. For example, it doesn’t matter how well designed your IT infrastructure, systems and software are if the equipment is slowly being overheated due to poor ventilation, or if patch cables of inappropriate length in the communications cabinet are blocking the air vents.

Poor airflow or, more commonly, a total lack of any airflow is one of the major causes of equipment failure. Another common problem is that the responsibility for designing a Computer Room rests with people who have limited knowledge of the real requirements of the vitally important electronic equipment that it is going to hold. For example, a duly commissioned design company will probably build a state-of-the-art Data Centre, but one that takes no account of the humidity levels, cable restrictions, multiple power supply and Uninterruptible Power Supply (UPS) requirements of the specialist computing equipment to be installed.

Risk management is not just about making sure the design of the Computer Room is right – it’s also about ensuring it stays in good shape and still provides the ideal environment when equipment is augmented, upgraded or replaced. One of the biggest risks to the IT environment is unstructured maintenance. Often the focus is on maintaining the UPS and air conditioning units with regular service checks, but what is often forgotten is the more mundane work, such as regular cleaning of the equipment to minimise dust, dirt and static and so ensure that correct airflow is maintained.

Vermin control is also important, as are regular checks on heat gain and power supplies, and even simple physical scrutiny to ensure that equipment and cabinets have not been accidentally moved, cables trapped or, as previously stated, air vents blocked.

Specialist knowledge is necessary

Once the risks have been identified and assessed, everyday tasks can then be routinely delegated to support staff. However, identifying these risks requires specialist mechanical, electrical and architectural knowledge that’s often outside the current remit of the IT or Facilities Management Departments. This specialist environmental knowledge needs to be found externally and then brought into the IT Security Department.

Only in very large organisations is this level of expertise likely to be found in-house. For many mid-size companies, the only sensible way to ensure that the correct level of knowledge is available is to use a reputable third party to complement the skill set of the existing IT and Security Divisions.

If IT security directors are to guarantee the integrity and availability of the data and systems with which they are entrusted, then it stands to reason that ownership of the IT software, hardware and environment must also come under the same remit. Otherwise, the overall service delivery will be compromised, placing the entire business at severe risk.

IT security directors everywhere will be failing in their duty if they attempt to offer any guarantees without first demanding and then accepting control and responsibility for their own IT environment.