Handbook of Information Security Management: Risk Management and Business Continuity Planning



Internal Environmental Factors

A computer room is a viable security option, though there are some subtleties to designing one specifically for a client/server environment. If the equipment is to be rack mounted, racking can be suspended from the ceiling, which yields clearance from the floor and avoids possible water damage. Notably, the cooling aspects of a raised floor design, plus its ability to hide a morass of cabling, are no longer needed in a distributed environment.

Conditioned power requirements have inadvertently modified computer room designs as well. If an existing computer room has a shunt trip by the exit but small standalone battery backup units are placed on servers, planners must review the computer room emergency shutdown procedures. The function of the shunt trip was originally to kill all power in the room so that, if operational personnel had to leave in a hurry, they would be able to come back later and reset systems in a controlled sequence. Now, when there are individual battery backup units that sustain the equipment in the room, the equipment will continue to run after the shunt is thrown. Rewiring the room for all wall circuits to run off the master UPS, in proper sequence with the shunt trip, should resolve this conflict.

Room placement within the greater facility is also a consideration. When designing a room from scratch, planners should identify an area with structural integrity, avoid windows, and eliminate overhead plumbing.

Alternate fire suppression systems are still a viable protection strategy for expensive electronics and the operational on-site tape backups within a room. If these systems are beyond the company’s budget, planners might consider multiple computer rooms (companies with a multiple-building campus environment or multiple locations can readily adapt these as a recovery strategy) with sprinklers and some tarpaulins handy to protect the equipment from incidental water damage (e.g., a broken sprinkler pipe). A data safe may also be a worthwhile investment for the backup media maintained on-site. However, if the company uses a safe, its personnel must be trained to keep it closed. In eight out of ten site visits where a data safe is used, the door is kept ajar (purely as a convenience). The safe only protects the company’s media when it is sealed. If the standard practice is to keep it closed, personnel will not have to remember to shut it as they evacuate the computer room under the stress of an emergency.

If the company occupies several floors within a building and maintains communication equipment (e.g., servers, hubs, or modems) within closets, the closets should be treated as miniature computer rooms. The doors to the closets should be locked, and the closets should be equipped with power conditioning and adequate ventilation.

Physical Security

The other priority addressed by a properly secured computer room is control: control of access to the equipment, cabling, and backup media. Servers out in the open are prime targets for mishaps ranging from innocent tampering to outright theft. A thief who steals a server gets away not only with an expensive piece of equipment but with a wealth of information that may prove to be much more valuable and marketable than the equipment itself.

The college satellite campus, discussed earlier, had no backup of the information contained within its network. The recovery planner explained to the campus administration, which kept its servers out in the open in its administration office area (a temporary trailer), that a simple theft of the $2,000 equipment would challenge its ability to continue operations. All student records, transcripts, course catalogs, instructor directories, and financial aid records were maintained on the servers. With no backup to rely on and its primary source of information evaporated, the campus administration would be faced with literally thousands of hours of effort to reconstruct its information base.

Property Management

Knowing what and where the organization’s computer assets (i.e., hardware, software, and information) are at any moment is critical to recovery efforts. The information technology department must be aware of not only the assets within the computer room but of every workstation used throughout the organization: whether it is connected to a network (including portables), what its specific configuration is, what software resides on it, and what job function it supports. This knowledge is achievable if all hardware and software acquisitions and installations are run through the IT department, if the company’s policies and procedures support information technology’s control (i.e., all departments and all personnel willingly adhere to the policies and procedures), and if the department’s property management inventory is properly maintained. Size is also a factor here. If the information technology department manages an organization with a single server and 50 workstations, the task may not be too large; however, if it supports several servers and several hundred workstations, the amount of effort involved is considerable.

Data Integrity

Information, if lost or destroyed, is the one aspect of a company’s systems that cannot be replaced simply by ordering another copy or another component. The company may have insurance, hot-site agreements, or quick-replacement arrangements for hardware and global license agreements for software, but its data integrity process is entirely in the hands of its information technology specialists. The information technology specialist and the disaster recovery planner are the individuals who must ensure that the company’s information will be recoverable.

Based on the initial risk assessment phase, planners can determine just how extensive the data integrity program should be. The program should include appropriate policies and education addressing frequency of backups, storage locations, retention schedules, and the periodic verification that the backups are being done correctly. If the planning process has just begun, data integrity should be the first area on which planners focus their attention. None of the other strategies they implement will count if no means of recovering vital data exist.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.