Information is an asset that, just like other important business assets, should be adequately safeguarded, in order to maintain competitive advantage. Information is not only the software files, like spreadsheets and reports. Its also the knowledge that we carry in our heads. Its the Intellectual property of an organization.
Imagine, losing your data, during a system upgrade, or due to hardware problems. Unlike your hardware, information not insurable. Loss of information or its compromise can be devastating to a company, and an unimaginable gain for its competitors.
An important aspect of Information security is Information Backup. Information Backup, unlike data backup, is not limited to technical backing up of a few computers. It is an organizational strategy of maintaining the integrity and availability of information and the Information processing facility. It includes well-oiled and rehearsed strategies on recovering data.
Organizations that implement Information Backup properly, will experience minimum downtime and smooth recovery in the event of a failure.
Implementing Information Backup
What should be backed up
The organization should decide what” should be backed up, and up to what level. A priority list of important information should be classified and levels assigned, based on the importance of the information. Something like this …
- Code repository (Level 5 protection)
- Financial data (Level 5 protection)
- Employee email (Level 4 protection)
- Sales reports (Level 3 protection)
Define Levels of Back-up information
Define what Backup procedures need to be maintained for each of these levels. Something like this
- Level 5 – Fail-over backup, off-location backup for disaster recovery, Weekly and daily backups, Weekly Mock recovery.
- Level 4 – Weekly and daily backups, Weekly mock recovery.
- Level 3 – Weekly backups. Monthly mock recovery.
Mock recoveries are conducted to make sure that the restoration process works well, in the event of an actual failure.
The extent and frequency of backups should reflect the business requirements of the organization. Put up a question like this. If this information were to get lost, can we restore a week old copy. Will the information change a lot during a week or month.
Also consider the Criticality of the information to the continued operation of the organization. Maybe the information doesn’t change a lot during the week, but it has to be restored with Zero Downtime, in the event of a failure. In such conditions, a Fail-over solution would be ideal.
In case of critical systems, the backup should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
Log the Backups and Restoration.
Accurate and complete records should be maintained of the backup process and the backup copies. This helps to track who did the last backup and when. Logs should also be maintained for the Mock Restorations, in order to track that the restorations were successful or not. Mock restorations help discover flaws in the backup process. For example, if all the files were not backed up, or the script was bad.
Backups should be stored in a remote location
Backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. What remains to be decided, is the mode of such storage. Whether it has to be a fail-over server, or whether the information can simply be stored in tape drives.
Consider the security requirements of the information involved. Is it safe to replicate the information in another off-location site? Maybe, your agreement with your clients, doesn’t allow you to transfer the information to another location.
Secure your Backups
Backup information should be given appropriate level of physical and environmental protection. What this means is whatever controls that you apply to media at the main site, should be extended to cover the Back-up site.
In certain cases, where confidentiality is of importance, the backups should be protected by means of encryption.
Test your Backups
OK, you did everything great so far, backing up your information. Now assume, that the backups didn’t restore well, during an emergency. The entire effort of backing up information goes down the drain. Make sure that the Backup media is regularly tested to ensure that they can be relied upon for emergency use when necessary.
Use Mock restoration procedures, so that you are sure that you are sure that the Backups are effective. Also ensure that Backups can restore in the time alloted for Recovery. For example, if the Operational procedure for recovery is 2 hours, make sure that the Backup can be effectively restored in 2 hours. Of course, it goes without saying that the Mock restoration procedures should” be logged.
How long should Backups be retained
The backups should be retained for as long as the organization determines that the information is useful. Backup media is cheap, and the hours that are required to clean the data may be more expensive. In most cases, it may be cheaper to retain the backups.
In effect, the organization needs to decide the Retention period, and also any requirement for archive copies to be permanently retained.