
International Journal of Recent Technology and Engineering (IJRTE)

ISSN: 2277-3878 (Online), Volume-8 Issue-6, March 2020

Risk Management & Mitigation Plan for Data Center Environment

Jarot S. Suroso, Alkaton Sutikno, Friska Giovanny Br. Ginting, Natasha Angelica
Abstract: To ensure company stability in running a business, the management team of the company must be aware of the risks that could arise under various conditions. These risks should be identified and mitigated as early as possible, before they affect the company. No matter which resource is affected, core or support, the risks must be mitigated to avoid loss and damage to the company. The data centre is one of the core resources of a company: it keeps the company's information and is used daily by the company. If, for any cause, the data center could not be accessed or could not function normally, it would cause a great loss to the company. This paper discusses the use of the Facilitated Risk Analysis and Assessment Process (FRAAP) technique to list and mitigate risks to the company data center. Four steps of the FRAAP technique are used in this paper: creating a risk description list, creating a risk sensitivity profile, creating a risk exposure rating, and creating a mitigating control list. The use of the FRAAP technique resulted in the identification of two types of risk, confidentiality and availability. The mitigation plan in this paper covers the steps planned to mitigate risks resulting from information leaks (confidentiality), e.g. hacking, viruses, etc., and from natural disasters (availability), e.g. flood, earthquake, fire, etc. These planned mitigation steps are divided into three lists for the company data center: the risk response (emergency response steps), the recovery steps, and the restoration steps.

Keywords: Risk Assessment, Risk Mitigation, Data Center, FRAAP, Company Risk

I. INTRODUCTION

In the evolving services provided in this era, the requirements from both business and customers have created new demands. The demand is to make information available at all times, or at least accessible. This demand for information availability will be a mandatory element in the organization no matter what obstacles there are. The information must be available both during regular business operation and when some problem has occurred. The problems themselves may strike the organization in the form of a hacker, human error, a technical problem or even a natural disaster. No matter what problem the organization encounters, information must be accessible at all times. This raises the expectation that data centers function normally to support the organization's business. The data centre was developed in relation to data security as one of the assets of the organization, addressing data management for operational purposes as secondary storage media and data distribution. Safety management is part of the framework of the data centre and should be assessed by the manager to determine compliance with the standards, so as to minimize the likelihood of adverse effects on the organization.

This paper discusses the risk assessment and risk mitigation plan that ensure the data centre will function normally in any possible condition, so that the organization's business can run without any problem. This plan ensures that the IT of the data centre is resilient against threats. It leads into the expanded field of Business Continuity Management, which is designed to provide the telecommunication, people, and services needed in all critical areas of the data center.

II. LITERATURE REVIEW

A. Risk and Risk Management

Risk is a term used to describe uncertain events which might affect the objective of a project either negatively or positively [1]. The definition of the term itself may vary, depending on the perspective of each individual [2]. In information technology, risk is identified by a potential number for every module. Risks should be identified in advance, since a risk could result in the possibility of loss [3].

Manuscript received on February 10, 2020.
Revised Manuscript received on February 20, 2020.
Manuscript published on March 30, 2020.
* Correspondence Author
Jarot S. Suroso*, Information Systems Management Department, BINUS Graduate Program – Master of Information Systems Management, Bina Nusantara University, Jakarta, Indonesia. Email: [email protected]
Alkaton Sutikno, Information System Management Department, BINUS Graduate Program - Master of Information Systems Management, Bina Nusantara University, Jakarta, Indonesia 11480. Email: [email protected]
Friska Giovanny Br. Ginting, Information System Management Department, BINUS Graduate Program - Master of Information Systems Management, Bina Nusantara University, Jakarta, Indonesia 11480. Email: [email protected]
Natasha Angelica, Information System Management Department, BINUS Graduate Program - Master of Information Systems Management, Bina Nusantara University, Jakarta, Indonesia 11480. Email: [email protected]

© The Authors. Published by Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Fig. 1. Risks Classification [1].

Retrieval Number: F7656038620/2020©BEIESP
DOI: 10.35940/ijrte.F7656.038620
Journal Website: www.ijrte.org
Published By: Blue Eyes Intelligence Engineering & Sciences Publication
In order to identify risks in advance, risk management is done by the related parties (IT, managers, experts, staff/users, etc.). If done effectively, risk management protects the organization's assets, reduces loss, and manages cost-effectively based on the mission or objective of the organization [4]. Risk management is a process done continuously; however, to get the best results, it should be implemented at the earliest stage possible in any project [1]. Remember that the points of risk management have to be aligned with the organization's goals and strategy [5].

B. Risk Mitigation

Risk mitigation is one of the most important activities that need to be done in information technology [6]. The purpose of risk mitigation is to eliminate, reduce and manage risks to acceptable levels [7]. Decision-making in risk mitigation involves recognizing the risk, generating alternative solutions, choosing among the solutions, and implementing them [8]. To get the most out of it and have it done effectively, a risk mitigation process must be carried out continuously (monitoring, assessing, and adjusting) based on the existing risk profile [9]. Remember that mitigating a risk does not mean that the risk is entirely gone, but it does reduce the probability of the risk happening. The biggest challenge in risk mitigation is to identify the root cause. The mitigation for every risk that might happen and the response planned must be recorded in the risk register. These mitigation plans could change or develop further options in the process [10]. There are five risk mitigation handling options [7]:
1. Assume/Accept
2. Avoid
3. Control
4. Transfer
5. Watch/Monitor

C. Information System Security

Information system security is an essential point in organizations these days. Any risk that is associated with or impacts the information systems of an organization could result in dire consequences for the organization [11]. IS security does not focus solely on the technical aspects, as a computer or technology is operated by humans [12]. Information security does not mean that your organization's information is private; having good security is what gives your organization's information privacy [2]. The objective of IS security cannot be met by technical and procedural protection alone. In order to achieve the IS security objective, it is important to educate every person in the organization about defending the organization against IS security attacks [11]. It is essential to keep working on the organization's security, as the organization needs to overcome the future challenges in IT and security.

D. Business Continuity Management

Business Continuity Management (BCM) refers to the ability and capability of the organization's management to identify any threats to the organization. Besides identification, providing an effective response to safeguard the organization's interests, brand and value is included in BCM [13]. At first, BCM started with Disaster Recovery Planning (DRP). Over the years, it developed into Business Continuity Planning (BCP), which covers the whole organization [14].

The objective of BCM is to allow a business to operate normally and be managed under adverse conditions according to the risk management considerations and crisis management plans [15]. There are three core elements of BCM [16]:
1. Crisis management and communications
2. Business resumption planning
3. IT disaster recovery

In BCM planning, there are seven planning phases, one of which concerns risk analysis. In this phase, risks, vulnerabilities, and probabilities are analyzed in detail. This phase is one of the key elements of an organization's BCM [17].

E. Data Center

A data center, also known as the server farm or the computer room, is where the majority of an enterprise's servers and storage are located, operated and managed. A data centre has four primary components [18]:
1. White space: the usable raised-floor environment or, in the case of a data center that does not use a raised floor, the usable environment in the data center. White space is usually measured in square feet.
2. Support infrastructure: any additional space and equipment needed in order to support the data center operations. This support infrastructure might include power transformers, uninterruptible power source (UPS) units, computer room air conditioners (CRACs), remote transmission units (RTUs), etc. In some data centers with specific conditions, the support infrastructure could require and use 4 to 6 times more space than the white space.
3. IT equipment: for a data center, this means any equipment needed in order to manage the data center, such as racks, storage, servers, cabling, etc.
4. Operations: in this case, operations means the operations staff whose responsibility is to ensure that the systems are maintained, operated, upgraded and repaired properly and when necessary. In most companies, the operations staff responsible for the support systems and the technical operations staff are different and split into different divisions.

III. RESULT AND DISCUSSION

In this paper, the technique used for analyzing and assessing risks regarding the data center is FRAAP. The Facilitated Risk Analysis and Assessment Process (FRAAP) is a structured risk assessment process whose approach is used to manage a risk project in a short timeframe [19]. The organization's internal experts carry out the FRAAP technique. Its advantage is that no one knows your systems, applications, or business better than the people who develop and manage them [20].

The FRAAP technique is implemented for assessing the risks and how to mitigate them, in order to ensure that the data center functions normally in any condition. The FRAAP process has four steps [19]:

1. Creating Risk Description List

Describing the risks and the resource according to the C-I-A-A risk type (confidentiality, integrity, availability, and accountability).

Table 1. Risk Description List
# | Risk Type | Risk Description List | Resource
1 | Confidentiality | The information regarding company datacenter access got leaked | Employee
2 | Availability | Data Centre unable to be accessed due to electrical failure or a natural disaster (Flood, Earthquake, etc.) | Datacenter Computer, Server, UPS, and other IT Equipment

2. Creating a Risk Sensitivity Profile

Describing the severity of the impacted resources and deciding each C-I-A-A sensitivity level for each resource.

Table 2. Risk Sensitivity Profile
# | Resource Impacted | Sensitivity Desc | Confid | Intg | Avail | Acct | Overall
1 | Employee | The leak of data center information access to any unauthorized personnel could cause various threats to happen | High | High | High | High | High
2 | Datacenter Computer, Server, UPS, and other IT Equipment | A sudden electrical failure or occurrence of a natural disaster could result in loss of information that might have a significant impact on the company business | Low | Moderate | High | High | High

3. Creating Risk Exposure Rating

Breaking each risk previously listed into the vulnerability, threat and threat category of each resource vulnerability. The threat categories used are: natural disaster, infrastructure failures, internal abuse, accidents, external targeted attacks and external mass attacks.

Table 3. Risk Exposure Rating
# | Risk Desc | Vuln. | Threat Category | Threat Activity | Likelihood | Severity | Sensitivity | Overall
1 | Electrical Failure | | External Mass Attack | Failure to power up any important equipment of the data center causes the organization business to stop and causes some data loss | Low | High | High | High
2 | Earthquake, Flood, Fire, Etc. | | Natural Disaster | An occurrence of a natural disaster is always unexpected. The effect of a natural disaster could cause physical damage and loss of data | Moderate | High | High | High
3 | Unauthorized Access | | Internal Abuse | A company internal personnel stole, changed, or spread important/confidential information | Moderate | High | High | High
4 | Unauthorized Access | | External Targeted Abuse | Virus attack, hacking, or any attempt done by external personnel which targets the company data center | Low | High | High | Moderate

4. Creating Mitigating Control List

Describing the mitigation control for each risk found and listed. Each control is categorized into one of these types: preventative, detective, or responsive.

Table 4. Mitigating Control List
# | Brief risk desc | Control Type | Control Description
1 | Failure to power up datacenter equipment | Preventive | Installing an energy monitor to spot a build-up of static electricity
2 | Failure to power up datacenter equipment | Responsive | Turning on the electrical generator to supply the needed electrical current to data center equipment in minimum time
3 | Earthquake, Flood, Fire, Etc. | Preventive | Installing temperature control and humidity control, and doing scheduled backup of data to a cloud environment


4 Unauthorized Preventive Installing an antivirus  Restoration step


Access program, ensuring the
Table 7. Restoration Step
operating system is up to
Abnormal Restoration Step
date, doing scheduled No Big Damage
Condition Activities
scanning to detect any
Move to facilities
issues immediately Earthquake
1 Anything DCO, Backup &
>8,5 SR
Restore
The details of risks response, recovery and restoration
Move to facilities
steps are of the risk’s management and risk mitigation
2 Flood Anything DCO, Backup &
regarding data center are as follow:
Restore
1. Creating Awareness The first results present from the
summary of risk assessment and mitigation plan for PT Local Fire
XYZ data center environment is creating awareness. 3 (Facilities DCO Anything N/A
When exposed to the results, every member of the not affected
organization will develop internal awareness at multiple DCO facility is Move to facilities
levels of management. This awareness will make the 4 exposed to the Anything DCO, Backup &
organization management able to allocate the appropriate impact of fire Restore
resources, process, develop and deploy tools in order to Small N/A
manage risk. One example of creating awareness of the Move to facilities
5 Computer Virus
risk in the data center environment involved the use of: Big DCO, Backup &
 Emergency Response Steps Restore
6 Sabotage/piracy Anything N/A
Table 5. Emergency Response Step 2. Preventing Business Continuity RiskThe second result is
No Abnormal Condition Operational Activity preventing business continuity risk. The next important
1 Earthquake >8,5 SR No response needed thing in Business Continuity is prevention. The focus is
Turn off the power if on reducing risk and/or impact of the mitigation plan so
2 Flood allowed, no response the business can run well as usual. Prevent comprises
required four critical processes:
Local Fire (Facilities DCO
Turn off the power if  Risk Identification:Enumerating the cause of potential
3 allowed, no response issue related to data centre environment.
not affected
required  Risk Assessment:Evaluating the impact of potential
Turn off the power if disruptions.
DOC facility is exposed to
4 allowed, no response  Risk Treatment:Prioritizing the cause of potential
the impact of fire
required disruptions and developing strategies for reducing and/or
Isolation of virus mitigating the impact of the business.
5 Computer Virus
outbreaks  Risk Monitoring:Monitoring any changes that may occur
6 Sabotage/piracy Hacking response and cause changes in the risk levels (Increasing or
 Recovery Step decreasing) daily.
Table 6. Recovery Step 3. Remediating Risk OccurrenceThe third result is
Abnormal Impacted Recovery Step remediating risk occurrence. An organization needs a
No course of action to follow in order to recover from a
Condition Damage Activities
Move the disruption when it occurs, while the organization takes
Earthquake >8,5
1 Anything operational to Head steps in the prevention stage to reduce its exposure risk
SR
Quarter cannot be eliminated.
Move the 4. Fostering Knowledge Management The fourth is
2 Flood Anything operational to Head knowledge management. The purpose of knowledge
Quarter management is to learn from business disruption since
Resume activity
Local Fire they are an indication that the existing plans and
after execution
3 (Facilities DCO Anything
Health & Safety
contingencies in place may not be adequate. The
not affected Business Continuity Plan addresses knowledge
Procedure
DCO facility has Move the management by conducting an annual key performance
4 exposed the Anything operational to Head indicator evaluation for management.
impact of fire Quarter
Personnel standby IV. CONCLUSION
Small
Re-arrangement
5 Computer Virus Move the
No company activities or resource could be wholly
Big operational to Head protected from any disturbances or damages or risk,
Quarter especially if the damage is at the center of the company's
Execution process business, which is known as the data center.
6 Sabotage/piracy Anything recovery hacking
post


These disturbances, damages or risks could originate either from nature or from people, intended or not intended. Risks that arise affect not only a company's technological capabilities but also its business operations. If this is not explicitly handled, it affects not only operational risk but also reputational risk and a reduction in the end-user quota. Effective risk reduction must be supported by the following:
1. Active management supervision;
2. Thorough business impact analysis and risk assessment;
3. Drawing up an appropriate business continuity plan;
4. Testing the BCP; and
5. An examination carried out by the internal auditor.

As described in this document, the results of the risk mitigation plan focused on how to mitigate risks resulting from information leaks and natural disasters (flood, earthquake, fire, etc.). This risk mitigation plan is necessary to keep the company's condition stable and to ensure that the company's business works normally without any problem.

REFERENCES
1. K. Srinivas, “Process of Risk Management,” in Process of Risk Management, IntechOpen, 2018, pp. 0–16.
2. M. W. Harkins, Managing Risk and Information Security. ApressOpen, 2016.
3. B. Anthony and N. C. Pa, “A review on tools of risk mitigation for information technology management,” J. Theor. Appl. Inf. Technol., vol. 81, no. 1, pp. 92–101, 2015.
4. S. Al-Dhahri, M. Al-Sarti, and A. Abdul, “Information Security Management System,” Int. J. Comput. Appl., vol. 158, no. 7, pp. 29–33, 2017.
5. S. Shokouhyar, F. Panahifar, A. Karimisefat, and M. Nezafatbakhsh, “An information system risk assessment model: a case study in online banking system,” Jan. 2018.
6. N. ChePa, B. Anthony Jnr, R. Nor Haizan, and M. Azrifah Az, “A Review on Risk Mitigation of IT Governance,” Inf. Technol. J., vol. 14, no. 1, pp. 1–9, 2015.
7. N. Katende, “Implementing Risk Mitigation, Monitoring, and Management in IT,” Comput. J., July 2017.
8. N. Che Pa, B. Anthony Jnr, Y. Y. Jusoh, R. N. H. Nor, and T. N. Mohd Aris, “A risk mitigation decision framework for information technology organizations,” J. Theor. Appl. Inf. Technol., vol. 95, no. 10, pp. 2102–2113, 2017.
9. No Title.
10. R. Ahmed, “Risk Mitigation Strategies in Innovative Projects,” in Key Issues for Management of Innovative Projects, 2017, pp. 267–322.
11. Z. Shouran, T. K. Priyambodo, and A. Ashari, “Information system security: Human aspects,” Int. J. Sci. Technol. Res., vol. 8, no. 3, pp. 111–115, 2019.
12. O. Safianu, “Information System Security Threats and Vulnerabilities: Evaluating the Human Factor in Data Protection,” Sept. 2016.
13. E. Krell, Management Accounting Guideline: Business Continuity Management. 2006.
14. L. L. Kim and A. Amran, “Factors Leading to the Adoption of Business Continuity Management (BCM) in Malaysia,” Glob. Bus. Manag. Res., vol. 10, no. 1, pp. 179–196, 2018.
15. The GSMA, “Effective Business Continuity Management Guidelines for Mobile Network,” ASHA Lead., vol. 22, no. 8, Aug. 2017.
16. K. Penuel, M. Statler, R. Hagen, and P. Mcilwee, “Business Continuity Management,” in Encyclopedia of Crisis Management, 2013.
17. G. M. Heng, “Business Continuity Management Planning Methodology,” Int. J. Disaster Recover. Bus. Contin., vol. 6, no. November, pp. 9–16, 2015.
18. M. Bullock, “Data Center Definition and Solutions: Data Center topics covering definition, objectives, systems and solutions,” 2009. [Online]. Available: https://www.cio.com/article/2425545/data-center-definition-and-solutions.html#what. [Accessed: 03-Feb-2020].
19. E. Wheeler, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Elsevier Inc., 2011.
20. T. R. Peltier, Information Security Risk Analysis. Auerbach Publications, 2005.

Jarot S. Suroso is an Associate Professor of Magister Management of Information System at Bina Nusantara University Jakarta, Indonesia. His major research interests include management information systems, competitive intelligence, knowledge management, computer networks, e-learning, multimedia and research methodology.

Alkaton Sutikno is a student majoring in Information Systems Management in the Magister Management of Information System program at Bina Nusantara University Jakarta, Indonesia.

Friska Giovanny Br. Ginting is a student majoring in Information Systems Management in the Magister Management of Information System program at Bina Nusantara University Jakarta, Indonesia.

Natasha Angelica is a student majoring in Information Systems Management in the Magister Management of Information System program at Bina Nusantara University Jakarta, Indonesia.
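The four FRAAP artefacts of Section III (Tables 1-4) can be kept as a single register and checked mechanically before the mitigating control list is accepted. The Python below is an added example and is not code from the paper or its authors: it transcribes Tables 2-4 as sample data (risk names shortened; the category of Table 3 row 4 is written with the Step 3 name "External Targeted Attack"), and every rating rule it applies is an assumption of this example, since the paper does not state how its Overall columns were derived. The two checks it runs, whether the recorded Overall exposure ratings follow one consistent rule and whether each risk has a preventive, detective and responsive control, are the review questions a FRAAP facilitator would raise on these tables.

```python
"""FRAAP-style risk register for the data center assessment in Section III.

Added illustration, not code from the paper. It encodes the paper's four
FRAAP artefacts (Tables 1-4) as data and runs consistency checks on them.
Rating rules marked ASSUMED are this example's own; the paper does not
state how its "Overall" columns were derived.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
CONTROL_TYPES = ("Preventive", "Detective", "Responsive")
# Threat categories named in Step 3 of the paper.
THREAT_CATEGORIES = ("Natural Disaster", "Infrastructure Failure", "Internal Abuse",
                     "Accident", "External Targeted Attack", "External Mass Attack")


@dataclass
class Resource:
    """Step 2, Risk Sensitivity Profile: one impacted resource and its C-I-A-A levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    accountability: str

    def overall(self) -> str:
        # ASSUMED rule: a resource is as sensitive as its most sensitive property.
        # This reproduces both Overall values printed in Table 2.
        levels = (self.confidentiality, self.integrity, self.availability, self.accountability)
        return NAMES[max(LEVELS[x] for x in levels)]


@dataclass
class Exposure:
    """Step 3, Risk Exposure Rating: one risk with likelihood, severity and sensitivity."""
    risk: str
    category: str
    likelihood: str
    severity: str
    sensitivity: str
    analyst_overall: str  # the Overall value the FRAAP team recorded

    def computed_overall(self) -> str:
        # ASSUMED rule: mean of the three ordinal levels, rounded to the nearest level.
        mean = sum(LEVELS[x] for x in (self.likelihood, self.severity, self.sensitivity)) / 3
        return NAMES[int(mean + 0.5)]


@dataclass
class Control:
    """Step 4, Mitigating Control List: one control attached to a risk."""
    risk: str
    ctype: str
    description: str


# Sample register transcribed from Tables 2-4 of the paper (risk names shortened).
RESOURCES = [
    Resource("Employee", "High", "High", "High", "High"),
    Resource("Datacenter IT equipment", "Low", "Moderate", "High", "High"),
]
EXPOSURES = [
    Exposure("Electrical failure", "External Mass Attack", "Low", "High", "High", "High"),
    Exposure("Earthquake, flood, fire", "Natural Disaster", "Moderate", "High", "High", "High"),
    Exposure("Unauthorized access (internal)", "Internal Abuse", "Moderate", "High", "High", "High"),
    Exposure("Unauthorized access (external)", "External Targeted Attack", "Low", "High", "High", "Moderate"),
]
CONTROLS = [
    Control("Electrical failure", "Preventive", "Energy monitor to spot static build-up"),
    Control("Electrical failure", "Responsive", "Start the generator to restore power in minimum time"),
    Control("Earthquake, flood, fire", "Preventive", "Temperature/humidity control; scheduled backup to cloud"),
    # Table 4 lists a single "Unauthorized Access" control; it applies to rows 3 and 4 of Table 3.
    Control("Unauthorized access (internal)", "Preventive", "Antivirus, OS patching, scheduled scanning"),
    Control("Unauthorized access (external)", "Preventive", "Antivirus, OS patching, scheduled scanning"),
]


def invalid_entries(exposures, controls):
    """Risks whose category, rating level or control type is outside the FRAAP vocabulary."""
    bad = [e.risk for e in exposures if e.category not in THREAT_CATEGORIES]
    bad += [e.risk for e in exposures
            if any(x not in LEVELS for x in (e.likelihood, e.severity, e.sensitivity, e.analyst_overall))]
    bad += [c.risk for c in controls if c.ctype not in CONTROL_TYPES]
    return bad


def rating_disagreements(exposures):
    """Rows where the assumed formula and the analyst's Overall differ: flagged for review, never overwritten."""
    return [(e.risk, e.analyst_overall, e.computed_overall())
            for e in exposures if e.analyst_overall != e.computed_overall()]


def control_gaps(exposures, controls):
    """For each rated risk, the control types that have no entry in Step 4."""
    gaps = {}
    for e in exposures:
        have = {c.ctype for c in controls if c.risk == e.risk}
        missing = [t for t in CONTROL_TYPES if t not in have]
        if missing:
            gaps[e.risk] = missing
    return gaps


if __name__ == "__main__":
    for r in RESOURCES:
        print(f"{r.name}: overall sensitivity {r.overall()}")
    print("invalid entries:", invalid_entries(EXPOSURES, CONTROLS))
    print("rating disagreements:", rating_disagreements(EXPOSURES))
    for risk, missing in control_gaps(EXPOSURES, CONTROLS).items():
        print(f"{risk}: no {', '.join(missing)} control")
```

Run on the transcribed data, the checks report that Table 3 row 1 (electrical failure, rated High) does not fit the rule the other three rows follow under the assumed formula, and that no risk in Table 4 has a detective control; the second finding matches the paper's own tables, where the control list is entirely preventive apart from one responsive entry for power failure. The disagreement is returned for the FRAAP team to resolve rather than being silently recomputed, since the analysts' rating may encode context the formula does not.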
