What are the standard refresh cycles for IT equipment? (Ask A CITP)
Hardware Refresh Considerations
As a physical asset, IT equipment (hardware) replacement must usually be planned for in advance so that you’re not scrambling to replace it after it fails. This proactive replacement is often referred to as performing a “hardware refresh”. Hardware refresh decisions have three main considerations: (1) Risk of Failure, (2) Ease of Replacement, and (3) Criticality of the Supported Business Processes.
Risk of Failure
Hardware refreshes are often driven by the Risk of Failure of a particular hardware asset. Different types of hardware have varying Risk of Failure as they age. The table below shows some of the common types of hardware and their general Risk of Failure based on the number of years the hardware has been in service.
Table 1 - Hardware Refresh Considerations
Ease of Replacement
There is a second consideration that should be evaluated in conjunction with Risk of Failure, and that is the Ease of Replacement in the event that a hardware failure does occur. One part of Ease of Replacement is how quickly you can get your hands on replacement hardware—however often the more critical part is how quickly you can get the hardware into operation so that the business process can be resumed.
The last row of the Hardware Refresh Considerations table shows the general Ease of Replacement for that type of hardware. It is summarized again here with a brief explanation for the assessed Ease of Replacement.
Desktop or Laptop – Moderate: Once the computer is received it must be configured, operating system updated, system software (like antivirus) installed, and user application software installed. Additionally the user’s profile and data must be loaded from their old computer onto the replacement.
Virtual Terminal – Very Low: Virtual terminals are used in conjunction with virtual desktops or hosted desktop services. In this case, the user’s “actual computer” is resident on a server in a data center and the terminal is merely there for user input (e.g. keyboard and mouse) and output (e,g. monitors and printers). Because the user’s software and data is actually sitting on a server, replacing a virtual terminal is simply a matter of switching out the terminal box.
Server – High to Very High: Once a server is received it must be configured, operating system loaded and uploaded, system and platform (e.g. database server) software installed, business application software installed, business application data restored, and all users reconnected to it. Systems maintenance jobs and backup processes must also be configured to work with the new server; and security monitoring software must be also be configured to monitor the new server.
Firewall – Low to Moderate: Depending on the type of firewall and complexity of the network environment this could be as simple as restoring the backup of a configuration file and reconnecting all the physical wires to the firewall, or it could be as complex as reconfiguring the firewall from scratch (which usually isn’t too bad).
Criticality of the Supported Business Processes
The third major consideration when determining when to replace hardware, is the Criticality of the Supported Business Processes. This involves looking at how important the business process that the hardware supports is, and how long you can operate if a hardware failure were to occur. If a business processes is mission critical, you probably want ensure that there is a low risk of failure. This could be achieved by ensuring that the hardware is refreshed proactively (i.e. keep Risk of Failure low) or by ensuring that there is higher Ease of Replacement.
For example, for a server that supported a mission critical process, you could proactively replace it every 3 years to keep the Risk of Failure low. Or you could replace it every 4-5 years, but have a "warm spare" (equipment is already on-premise and software kept up to date) so that if the primary equipment fails, you just need to restore the data from the last backup and place it into production--increasing the Ease of Replacement.
Keep in mind that the above example is a simplistic one to give you an idea of how you can address both of the key aspects. For true mission critical hardware or highly complex environments, there are other techniques like high-availability (HA), load balancing, and other technical solutions--that also have higher costs--that enable you to ensure that the loss of one server will have a minimal (if any) impact on the supported business processes.
When determining the refresh cycle for hardware assets, both the Risk of Failure and Ease of Replacement must be considered in the context of the Criticality of the Supported Business Process How often an organizations refreshes its hardware then depends on its level of risk tolerance for the business processes that are supported by the hardware.