Errors and Omissions
Errors and omissions are typically considered the single most common source of disruptive events. Humans, often employed by the organization, unintentionally cause this type of threat. Data entry mistakes are an example of errors and omissions. These mistakes can be costly to an organization, so entered data might require manual review prior to being put into production, which would be an example of separation of duties.
Note
Though errors and omissions are the most common threat faced by an organization, they also represent the type of threat that can be most easily avoided. If an organization can determine the particular types of errors or omissions that are especially common, or especially damaging, then the organization can typically build in controls that can help mitigate the risk of this threat being realized. The organization would be reducing its vulnerability to a particularly significant error or omission.
Natural Disasters
Natural disasters include earthquakes, hurricanes, floods, and tsunamis. In order to craft an appropriate response and recovery strategy in the BCP and DRP, an understanding of the likelihood of occurrence of a natural disaster is needed. The likelihood of natural threats occurring is largely based upon the geographical location of the organization’s information systems or data centers. Natural disasters generally have a rather low likelihood of occurring. However, when they do happen, the impact can be severe. See Chapter 4, Domain 3: Security Architecture and Engineering, for additional information on these risks as well as specific strategies for mitigating them.
Electrical or Power Problems
While natural disasters are often associated with the most catastrophic events that an organization might ever have to deal with, power problems represent much more commonly occurring threats that can cause significant disruptions within an organization. When power problems do occur, they typically affect the availability of a system or organization. Integrity issues can also crop up on disk drives as a result of sudden power loss; however, modern transaction-based or journaling file systems have greatly reduced these integrity issues.
Power or electrical issues are some of the most commonly occurring disaster events that will impact a datacenter. For additional details on electrical problems as well as methods to mitigate some of these problems, see the “Electricity” section in Chapter 4, Domain 3: Security Architecture and Engineering.
Temperature and Humidity Failures
Temperature and humidity are critical controls that must be managed during a disaster. While it is obvious that information systems must have a regular clean power supply in order to maintain their availability, the modern datacenter must also provide sufficient heating, cooling, ventilation, and air conditioning. Proper cooling and humidity levels are critical.
Older datacenters were designed with different computing systems (such as mainframes) in mind than those found today. The ubiquity of blade and 1U servers has greatly increased the resources that can be packed into a rack or a datacenter. While this greater density and the ability to have more computing power per square foot is desirable, this greatly increased server density can create significant heat issues. In order to provide for proper and consistent temperature, a datacenter will require an HVAC system that can handle the ever-increasing server density.
An additional concern that arises from the conditioned (heated or cooled) air being used in a datacenter is the humidity level. Without proper and consistent temperature as well as appropriate relative humidity levels, the Mean Time Between Failures (MTBF) for electrical equipment will decrease. If the MTBF decreases, this means that equipment will fail with greater regularity, which can represent more frequent disaster events. Good datacenter design and sufficient HVAC can help to decrease the likelihood of these threats being able to impact an organization.