
Example of a data backup policy and procedure

March 1st, 2010

A good backup policy starts with a clear objective, such as: The Company’s data backup is the responsibility of the relevant user, department manager or asset owner, who must define which data/information is to be backed up, the Recovery Point Objective (RPO) and the Retention Time (RT). The RPOs and RTs must be updated on a regular basis. All backed-up data/information should be stored both locally and off-site on backup media such as tapes, and must be encrypted using adequate encryption methods.

The best way to turn any policy into practice is by defining every single step required to achieve the statement's goals. The main entities mentioned in the above statement are data requirements (RPO and RT elements), data owners and users, off-site storage and security. Such a statement does not define specific technical details such as data integrity checks and job schedules; however, it is important to include these steps, without details, in your procedure. Another procedure or document would be needed to show such details. Remember that policy statements are initiated by a member of senior management and need to be implemented by lower levels in the hierarchy of the organization. Furthermore, such a procedure, in the form of a flow chart, should be understandable by senior management; otherwise they would be reluctant to approve it.


Data Backup economy – What should the enterprise backup?

October 5th, 2009

Some years ago the trend in data backups was "play it safe and back up all data". Resource and energy management was not an issue, or rather was a feature with the lowest priority, especially in large corporations. As we advanced into the era of energy-saving awareness and pay-per-use concepts, backup methodologies and services evolved in line with such concepts. However, the issue of economy remains: are we backing up the right data?

Traditionally, the main concerns of corporations’ senior management were that the business data was safely backed up and verified and that some off-site policy was in place, provided the costs were affordable. The main concerns of IT staff were that ALL data was backed up and that backup jobs ended with a success status. Some advanced features, such as retention and recovery points, were added to the backup policies. Because the data being backed up was never investigated, this approach required enough storage media to handle the entire data size, no matter how long the backup process would take.

Is this concept valid today? Do we actually need all the data? Does our data change on a daily basis? Is the backup administrator knowledgeable about the importance of the data being backed up? Is it feasible to use storage space for data that will never be retrieved?

The way forward with data backups is the involvement of all stakeholders of the respective data. Data belongs to its rightful owner. A regular exercise should be in place where an IT staff member or manager invites every Data Owner (the actual user/employee owning particular data) to review what should be backed up, for how long the backed-up data is required and the acceptable time-frames for loss of data in cases of system failure. For example, take an employee who downloads various articles, research material and other documents on a daily basis to create a report, a business case, etc. Apart from the legal issues, a sound conversation with this employee would conclude that the report he/she is creating is the only file that needs to be backed up.

Data owners are responsible for their own data, while backup administrators are responsible for the service they are rendering to them. A good backup policy is one that makes employees aware that they own the data and that they should verify that their data is safely and securely stored. Such a policy would clearly explain that users should inform the IT/backup administrators of their backup requirements. On the other hand, a sound policy would require the IT/backup administrators to check with Data owners on a regular basis, depending on the business type, to verify that those requirements are still valid.

Another valid point would be to publish a document within the company, for example on a secure intranet, with brief details about the data being backed up, retention times and other options that do not disclose any sensitive data.

Briefly, Data owners are the only people to decide which data within their environment is to be backed up, for how long it should be kept and the acceptable time-frames for loss of data. Also, they should initiate and terminate a backup request by informing the backup administrator, while the backup administrator should review the Data owner requirements on a regular basis.