30) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.
What is the control?
If systems experience too much load, they may not be able to keep up with demand which can cause them to fail. This results in service outages and can impact virtually any system from your public-facing website to internal processing or business support platforms.
Performance and capacity monitoring allows you to see how platforms are performing and plan capacity accordingly.
Why should I have it?
Performance and capacity monitoring gives usage and performance information that can be invaluable for planning how to allocate resources and scale systems. For example, there may be specific peaks where usage is high and exceeding capacity, resulting in service slowdowns and interruptions.
Performance monitoring would show you if these were regular or not, and whether it would be useful to increase capacity during certain hours of the day or on weekends, or during certain events (for example, increased online shopping in the run-up to the holidays).
Performance monitoring platforms can even trigger increases in capacity themselves when it comes to dynamically provisioning more resources (CPU, memory, storage, etc.), or starting additional instances to take on the load.
The baselines they generate also help establish when unusual and potentially malicious activity such as denial of service attacks are under way.
If you are a service provider to other companies, this kind of monitoring indicates that you are aware and therefore able to adapt to variations in demand, increasing the likelihood of you meeting your stated availability and performance SLAs.
How to implement the control
While a central platform is the brain any performance and capacity management effort, it can only work with the data it receives.
As such, what performance indicators are important in a system or application should be identified early as part of part of a project.
In the case of software development this means making sure the application provides the right outputs and feedback to be able to monitor its performance.
Once these are determined, nominal performance values should be established and alerting (and, optionally, automated provisioning) thresholds set as appropriate.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
