server risk assessment

as part of any disaster recovery excercise have you done any scoring/ranking of which fall into your p1 servers, i.e. high priority, which fall into p2, p3 etc. I wondered whether there is any guidance out there on what to base your ranking of each server, i.e what formula to use - and whether you go down to that level, i.e. server level.
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Steven HarrisConnect With a Mentor PresidentCommented:
Impact is exactly what you are thinking.  Let me clarify:

What effect does this have on my business -- Can I live without it in it's entirety?  Can it be down for 5 minutes without causing major problems?  Can it be down for 5 hours without causing major problems?  Can it be down for 5 days without causing major problems?  Is there any type of redundancy or disaster recovery operation in place?
0
 
Steven HarrisPresidentCommented:
I wondered whether there is any guidance out there on what to base your ranking of each server, i.e what formula to use
If you are just looking to rank your servers into categories by risk, I would suggest using Risk = Likelihood x Impact.

and whether you go down to that level, i.e. server level.
Why stop at the server level?  You should be determining the risk for every piece of equipment, i.e. switches, firewalls, PSUs, etc.
0
 
pma111Author Commented:
I dont fully understand how:

> Risk = Likelihood x Impact.

Can be applied though, as surely some servers if they died/went down have more of an impact on your business than others, thats the kind of analysis I was interested in. Or by impact are you considering the impact that specific server would have on the business.

What kind of factors do you consider in "impact".
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
pma111Author Commented:
is this an excercise you have done for all your servers previously?
0
 
Steven HarrisPresidentCommented:
I perform this type of assessment every year.  Some companies perform this every quarter...

I guess the best question I can ask is:

What is your ultimate goal?
0
 
pma111Author Commented:
Ultimate goal is to list priority servers for audit purposes, i.e. which elements of the infrastructure require audit focus and why/justifying that appraoch.
0
 
Fadi SODAH (aka madunix)Connect With a Mentor Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCECommented:
For risk assessment purpose as you know it's been measured by terms of likelihood & impact of the risk under assessment, so you should write down all your operations to make Audit Universe. Then prioritize the most and less risky ones (Impact and likelihood). You should find concrete criteria to prioritize them, after that you have the Risk Based audit plan for your risk assessment:
http://www.theiia.org/blogs/marks/index.cfm?postid=432#!
http://www.iia.org.uk/resources/risk-management/risk-based-internal-auditing/#!
http://www.ecu.edu/cs-admin/audit/upload/Audit-Planning-Process.pdf#!
http://www.aadnc-aandc.gc.ca/eng/1370446266138/1370446344470#!
http://pmhub.net/wp/wp-content/files/Jim_Owens_PMP_Exam_Tips_on_Risk_Management_4ed_V1.pdf
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.