This content is part of the Essential Guide: Essential guide to business continuity and disaster recovery plans

Prepare for a data center resilience assessment

Your data center must be resilient to threats like hurricanes and tornadoes. Paul Kirvan offers tips to conduct a data center resilience assessment.

If your organization has one or more data centers, you must ensure they are resilient to situations that may threaten...

their continued operation.

Data centers today are often housed in anything from reconstituted warehouses to floors in office buildings to hardened buildings designed to withstand earthquakes, hurricanes, tornadoes and other events.

While each of these site options can support a data center, you must determine if a specific type of building can effectively address the potential threats to your data center. In this article, we’ll provide tips to help you ensure that your data centers are resilient and recoverable.

At the beginning of a data center resilience assessment, perform the following baseline activities:

1. Determine if your data center is physically located in a low- to moderate-risk area, e.g., one that has a low probability of natural disasters, such as earthquakes and severe weather; access to two or more power grids for redundant power; located on high ground to minimize the threat of flooding; not close to major highways, railways or rivers.

2. If your data center site is not located in an area that has one or more of the above criteria, it may be at a greater risk, so conduct a risk assessment that:

* Identifies in what ways the data center may not be resilient and survivable

* Identifies and analyzes threats to continued data center operations, such as natural disasters, human actions such as theft and vandalism, physical security breaches, and environmental threats, such as chemical spills

* Identifies the presence of management, operational and technical controls that address these issues

The following tables examine these issues more closely, and provide tips for addressing each area of concern. 

Table 1 – Management, Operational and Technical Controls

Control Issues to Address Tips for Addressing the Issue
Risk and threat assessments

Have risk and threat assessments been recently conducted?


  • Schedule and conduct an annual risk and threat assessment that examines both internal and external threats
  • Update data center emergency plans based on risk assessment results
Insurance Has insurance been obtained to address potential data center disruptions?
  • Review insurance coverage for the data center
  • Update coverage as needed
Service level agreements
  • Have service level agreements been established with data center vendors?
  • When were SLAs last reviewed and updated?
  • Ensure that SLAs are in place
  • Ensure SLAs address systems and services that may be affected in a disaster
Site security
  • Does a site security plan exist?
  • Are site security systems appropriate for the data center?
  • Prepare a site security plan and test it at least annually
  • Ensure that security systems, e.g., closed circuit cameras, access control systems are regularly tested
  • Are all data center operational procedures documented?
  • Are emergency procedures documented?
  • Ensure that data center operational procedures are documented and reviewed annually
  • Ensure that data center emergency procedures are documented and reviewed annually
Backup hardware and software
  • Are critical hardware devices, e.g., servers, backed up?
  • Are data storage systems, including SANs, backed up?
  • Are there backup copies of critical applications that can be used for recovery?
  • Are backup networking devices, e.g., routers, switches, firewalls available
  • Ensure there are backup systems and components where possible
  • Store them in secure locations with HVAC in place
  • Keep an up-to-date inventory of all backup assets
Emergency procedures
  • Are there incident response procedures
  • Are there evacuation procedures?
  • Are there procedures for unauthorized access?
  • Are there procedures for terrorism or similar events?
  • Are there procedures for theft or vandalism?
  • Are there procedures for an active shooter?
  • Are there technology disaster recovery plans?
  • Ensure there are procedures in place to respond to incidents that could threaten the data center
  • Ensure that all procedures are documented
  • Ensure that all emergency procedures are regularly tested
Alternate data center options
  • What happens if access to the data center is prohibited?
  • What happens if the data center is no longer functional?
  • Develop a recovery plan for the data center
  • Identify other company sites that could be configured to back up the data center
  • If no alternate data center option is available, consider a third-party or cloud-based data center operations option

Table 2 – Natural Threats

Threat Issues to Address Tips for Addressing the Issue
Earthquake Can the data center withstand the impact of earthquake-induced vibrations or earth movement?
  • Determine the earthquake readiness of the building
  • Ensure that employees can safely evacuate if needed
  • Ensure that emergency procedures are developed and tested for earthquakes
Flooding Is the data center protected by a capability to divert or resist floodwaters?
  • Prepare sandbags for flooding
  • Ensure that sump pumps are available
  • Ensure that employees can safely evacuate
  • Ensure that emergency procedures are developed and tested for flooding
Lightning Can the data center withstand the impact of lightning strikes?
  • Regularly check condition of lightning protection systems
  • Ensure the availability of surge protection equipment on critical power feeds
  • Test and verify building grounding
High winds from storms, tornadoes Can the data center resist high winds and flying debris?
  • Determine the high wind readiness of the building
  • Ensure that employees can safely evacuate if needed
  • Ensure that emergency procedures are developed and tested for high winds
Severe cold/heat Can the data center maintain a livable operating environment via its HVAC systems?
  • Ensure that HVAC systems are properly maintained and tested regularly, e.g., monthly

Table 3 – Human and Security Threats

Threat Issues to Address Tips for Addressing the Issue
Civil disorder, terrorism, vandalism, unauthorized access
  1. Is the data center secure from unauthorized access?
  2. Can the staff safely evacuate in such an event?
  • Ensure that building security systems are operational
  • Ensure that employees can safely evacuate if needed
  • Ensure that emergency procedures are developed and tested for building security
  • Ensure that emergency procedures are developed and tested for civil disorder and related events
  • Ensure that security guards are available at building entrances
  • Ensure that security cameras can record events inside and outside the building

Table 4 – Environmental Threats

Threat Issues to Address Tips for Addressing the Issue
Power failure
  1. Loss of commercial power
  2. Power protection systems, e.g., surge suppressors
  3. Backup power systems
  4. Fuel supply for diesel or natural gas generators
  • Work with local power company to assess options for power supplies
  • Connect power protection devices throughout the data center to protect systems
  • Ensure that power failures trigger notification alarms
  • Invest in backup power systems, e.g., generators and UPS devices
  • Regularly test backup power systems
  • Top up fuel tanks regularly; have at least two suppliers available
Communications failure
  • Loss of network access from building to local carrier
  • Loss of Internet access
  • Ensure that local access services are delivered in secure conduit from the street
  • Consider alternate feeds into the data center for redundancy
  • Ensure that Internet access is protected and redundant
  • Regularly test network services to ensure availability
HVAC system failure Loss of A/C, heating, air filtering systems
  • Ensure that HVAC systems are operational and regularly tested
  • Ensure availability of backup power systems for HVAC systems
  • Consider redundant HVAC systems
  • Ensure that HVAC failures trigger notification alarms
Fires Can the data center respond to internal and external fires?
  • Ensure that fire suppression systems are operational and regularly tested
  • Install “kill switches” to halt an accidental system discharge
  • Ensure there are a sufficient number of fire extinguishers
  • Ensure that employees can safely evacuate if needed
  • Ensure that emergency procedures are developed and tested for fires
Water quality issues, e.g., pollution
  • Are there procedures for monitoring water quality?
  • Are there water filtration systems?
  • Is internal plumbing located away from critical systems to prevent water damage?
  • Are alternative water sources and supplies available?
  • Work with building owner to coordinate primary water supply monitoring and emergency procedures
  • Work with building owner to coordinate backup water sources
Hazmat incidents
  • Are there procedures for analyzing hazardous materials incidents?
  • Are emergency procedures in place to deal with hazmat conditions?
  • Coordinate hazmat procedures with local environmental management organizations
  • Establish emergency procedures to deal with hazmat conditions


As you can see, there are many issues to address when building resiliency into a data center. Whether you are building a new data center, moving to a different data center site or upgrading an existing facility, be sure to address these issues as part of the overall building design and/or build-out to protect your data center investments. 

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at [email protected].

Dig Deeper on Disaster recovery facilities - operations