How do I evaluate a third-party data center risk assessment?

Are you working with a security consultant on a risk assessment plan for your data center? Here are some basics to consider.

The rule of thumb when reviewing risk assessment recommendations is to compare what is being recommended with the likelihood of the event occurring. This likelihood is called risk frequency. A consultant performing a risk assessment is retained to identify all potential risks and then measure the likelihood of each risk occurring, how much damage will be incurred, what that damage will do to your company, and how much the damage will cost you both at onset and after repairs are made. This total is called risk cost, and identifying it is what you pay the consultant for.

The trick is to balance the likelihood of an event happening against the cost of the recommended solution. If the frequency of occurrence is low or non-existent, you may elect to drop the recommendation. If the likelihood that the identified risk will occur is high, you need either to spend the budget dollars on the recommended solution or, instead of paying for it, to accept the risk and transfer it by increasing your insurance coverage (and premium) for that risk. If the consultant you have hired is not providing you with this type of risk-versus-likelihood comparison and expects you to decide merely on his/her expertise, then I would say it is time to reconsider your business relationship with your consultant.

ABOUT THE AUTHOR: Thor A. Mollung, CHSII, Managing Director, Security Consultant, has over 20 years of experience in the industrial security industry with companies such as Fidelity Investments, Mellon Bank and State Street Corporation. Mollung is a member in good standing of the American Society for Industrial Security (ASIS-International), the National Fire Protection Association International (NFPAI), and the American College of Forensic Examiners Institute.

This was last published in February 2007


In my profession the most frequent definition of risk is

risk = probability * damage

Thus the likelihood part of the risk is by definition included in the assessment. You may be tempted to find a statistical "once a year" damage of $10,000 worse than a damage of $500,000 with a probability of once every 50 years, but the risks are the same in both cases.
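The column's decision rule (drop low-likelihood recommendations, otherwise pick between the control and insurance) and the commenter's risk = probability * damage formula, worked through as an added example that is not part of the original column or comment. The risks, dollar figures and the `materiality` threshold are constructed for illustration; the first two entries are the commenter's two cases.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One identified risk with the consultant's recommendation attached."""
    name: str
    annual_frequency: float   # expected events per year; 1/50 = once every 50 years
    damage_cost: float        # risk cost: damage at onset plus repairs, in dollars
    control_cost: float       # annualized cost of the recommended solution
    insurance_premium: float  # annual premium increase if the risk is transferred instead

    def expected_annual_loss(self) -> float:
        # risk = probability * damage, here on a per-year basis
        return self.annual_frequency * self.damage_cost


def decide(risk: Risk, materiality: float) -> str:
    """Pick the cheapest defensible treatment for one recommendation.

    Below `materiality` (dollars per year) the likelihood is treated as low
    enough that the recommendation is dropped and the risk accepted.
    Otherwise compare implementing the control, insuring, or carrying the
    expected loss, and take the cheapest.
    """
    eal = risk.expected_annual_loss()
    if eal < materiality:
        return "accept"
    options = {"control": risk.control_cost,
               "insure": risk.insurance_premium,
               "accept": eal}
    return min(options, key=options.get)


def treatment_plan(risks, materiality=5_000.0):
    """Map each risk name to its chosen treatment."""
    return {r.name: decide(r, materiality) for r in risks}


# Constructed figures for illustration (hypothetical data center, not from the column).
RISKS = [
    Risk("UPS battery failure", 1.0, 10_000, 4_000, 9_000),
    Risk("Transformer fire", 1 / 50, 500_000, 15_000, 8_000),
    Risk("Regional flood", 1 / 500, 2_000_000, 60_000, 12_000),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: EAL ${r.expected_annual_loss():,.0f} -> {decide(r, 5_000.0)}")
```

The first two risks carry the same expected annual loss, as the comment says, yet receive different treatments because the cost of the recommended control differs.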