Many organizations have a good handle on external risk. They've implemented disaster recovery (DR), business continuance and security measures to protect their data and applications. On the internal security front, companies have instituted systems that limit physical and digital access to critical systems to reduce the likelihood of a disgruntled or unauthorized employee purposely or accidentally damaging/absconding with crucial data. But while focusing on these obvious perils, firms may overlook the seemingly mundane--but potentially more damaging--dangers that can arise due to lax administration and procedures.
Inadequacies in storage governance and weaknesses in data management are often subtle and may pose far less-visible risks to a company's data. To mitigate these threats, you must be aware of the impact and probability of these risks so you can take pre-emptive action to reduce or eliminate them.
Internal risks stem from two broad exposure areas:
Governance exposures: weaknesses in management practices (policy, procedure and control infrastructure)
Data exposures: weaknesses and inadequacies in data protection
By consciously evaluating and addressing these areas, you can substantially reduce threats to your data, lower costs and improve business-unit relations.
Alignment: When IT and business units have common goals, a partnership of enablement (and even appreciation) supplants the old view of IT as a necessary evil or even an impediment. Lack of alignment can result in inadequate or poorly communicated policies that can cause data to be inappropriately handled and exposed to undue risk. You can test for alignment using soft or hard measures. Soft measures include an assessment of your relationship with the CIO, as well as an assessment by managers and key business analysts of their relationships with their counterparts in the business community. Issues to consider include how often to meet, whether to converse on an ad hoc basis or only at scheduled meetings, and so forth.
More empirical measures include defining policies for interaction between IT and business units. For example, company policy might require IT to provide services in tiered offerings with the business units responsible solely for choosing (and paying for) those services. In such a case, you may consider tracking the following:
The percentage of the IT budget related directly to business unit-initiated projects
The percentage of the IT budget spent on maintenance vs. development
Timely delivery of commitments, service levels, problems and projects
Business unit satisfaction
A defined process to regularly ensure continuous alignment
Cost management: Data management costs may be another indicator, as cost overruns reflect badly on how efficiently storage is organized and managed. Gartner Inc. and other analyst firms say that 70% of a storage organization's costs are for administration, not hardware. Besides knowing where your budget dollars go, you should consider:
How costs are tracked
Whether a formal cost model identifies realistic costs to provide specific services to business units
The ability to correlate operational metrics to costs
Whether staffing levels are built on an empirical basis of a known transaction handling capability (e.g., number of alerts or number of tape movements)
Asset inventory: It's difficult to manage something you don't know about. If storage assets at the component, connection and dependency level aren't documented, inadequate change management can open the door to risk. The interdependencies of all hardware and software components in the environment must also be documented, or unwelcome consequences can occur. For example, connecting another server to an available port can impact interswitch links and increase latency to the point where a key database application is disabled, perhaps losing data until the problem is fixed.