If you genuinely believe that your Data is one of the most important assets of your company, and if losing it would be a real disaster, then you ought to verify that it is properly handled. If the confidentiality of your data is also paramount, you need to ensure that other people in your organisation think like you and behave accordingly.
Quick test – ask yourself the following questions:
- Do I have a backup mechanism in place?
- Can I clearly describe it and know how it works? Do I have records of backups performed?
- Is it automated for all critical data, or does it rely on someone acting each time to launch the backup?
- Is the backup in an encrypted form on the tape/HD/NAS box etc…?
- Is the backup taken off site daily and stored in a proper safe?
- Have we tested the backup system recently by asking our IT manager to restore a folder of documents?
- How much history of data do I have on my backup?
- What is the difference between a backup and an archive?
- If I back up on external tape or external hard drive, do I know how many my company has purchased in the past 3 years, and where they all are?
I suggest you think about the importance of each question by reading the comments I make below.
- Do I have a Backup mechanism in place: I assume you do, or you believe your IT staff is handling it. I suggest you read some of the horror stories I have discovered in my previous audits as a guiding hand…
- Can I clearly describe it: Think about it, if your data is THAT vital, you ought to understand how it is stored and how it is kept safe. The basic mechanism must be clear to you: who performs it, when, how, where the data goes, how it is recorded, who is checking that it is correctly done… and whether it is safe from competitors.
- Is it automated for all critical data: Rely on process, don’t rely on people… when someone has to start a backup by hand, there is always something more important to do, like running for a plane or a meeting, and the backup is postponed… until it is needed!
- Is the backup in an encrypted form: These days a USB key holds 10+GB, a small phone can hold 32GB, a mini HD can hold 500GB, and all of it fits in a pants pocket… if it leaves your sight and is not encrypted, you should consider that you are sharing your data with whoever ends up holding it…
- Is the backup taken off site daily: Recently, close to us, the Fiko building caught fire on a weekend. Within minutes 15 floors were completely ravaged by the flames, and what was still OK was definitely destroyed when the fire brigade hosed down everything… I wonder how many companies had their entire IT systems, customer files, accounts etc… in paper format, in digital format on computers and servers, and on their tapes in the cupboard near the server… The next day, they could not tell who their customers were, how much had been invoiced, paid, or was missing, which transactions were pending etc…
- Have we tested the backup system recently: How do you feel when you try to recover a file from a backup that everyone was sure was OK, only to discover that the medium has failed, or the drive, or something else…
- How much history of data: A virus infection one day corrupts some data, or some files go missing; you have a backup so it is not that bad… unless you don’t realise it yet, and then you keep backing up infected data or empty folders over your good copies… If you cannot go back in time, your data is definitely lost despite an apparently clean backup system.
- What is the difference: Files that you will no longer modify have no business on your backup tapes; they should be copied and archived safely, if possible in 2 different locations. Backup is for live data that changes each day, where you need to keep a snapshot of its state each day, with a minimum amount of history. An example of a proper backup rotation procedure is called Grandfather-Father-Son.
- Do I know how many tapes or drives my company has purchased: Your data is confidential and you expect everyone to treat it confidentially. Then you ask your purchasing department how many backup tapes or drives you have purchased in the past 3 years, because most people treat this item as a consumable. Then you ask your IT guys how many they have in hand or registered. It is when you realise that maybe 10 tapes or more are unaccounted for that you know that somewhere there are tapes with all your company data, and nobody knows where they are…
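To make the "how much history" and Grandfather-Father-Son points concrete, here is an added Python illustration (not code from the post or from any backup product). It models a commonly used GFS schedule, which is an assumption: six daily tapes, four weekly tapes, twelve monthly tapes, each slot overwritten on every rotation, with constructed sample dates, and shows which restore points survive once you discover that backups since a given day captured corrupted data.

```python
from __future__ import annotations
from datetime import date, timedelta

# Assumed Grandfather-Father-Son (GFS) schedule (a common variant, not the only one):
#   son         - daily backup Monday..Saturday, 6 tapes reused every week
#   father      - weekly backup each Sunday, 4 tapes reused every month
#   grandfather - the last Sunday of the month is promoted to a monthly tape,
#                 12 tapes reused every year
# Every slot holds only its most recent write, so older points get overwritten.


def gfs_slot(d: date) -> tuple[str, int]:
    """Tape tier and slot index that the backup taken on day `d` overwrites."""
    if d.weekday() != 6:                            # Monday(0)..Saturday(5): son tape
        return ("son", d.weekday())
    if (d + timedelta(days=7)).month != d.month:    # last Sunday of the month
        return ("grandfather", d.month - 1)
    return ("father", (d.day - 1) // 7)             # which Sunday of the month, 0..3


def restore_points(backup_days: list[date]) -> dict[tuple[str, int], date]:
    """What each tape slot holds after running the backups on `backup_days` in order."""
    held: dict[tuple[str, int], date] = {}
    for d in sorted(backup_days):
        held[gfs_slot(d)] = d                       # overwrites whatever was in the slot
    return held


def oldest_restore_point(backup_days: list[date]) -> date:
    """How far back a restore can go: the 'how much history' question."""
    return min(restore_points(backup_days).values())


def clean_restore_points(backup_days: list[date], corrupted_since: date) -> list[date]:
    """Restore points taken before `corrupted_since`: the only ones worth restoring
    once you learn that every backup after that date captured corrupted data."""
    return sorted(d for d in restore_points(backup_days).values() if d < corrupted_since)


# Constructed scenario: a backup ran every day of 2024 (a leap year, 366 days),
# and on 31 December you discover that files have been corrupt since 10 December.
# With only six daily tapes you would have nothing clean; the weekly and monthly
# tiers are what let you go back in time.
DAILY_2024 = [date(2024, 1, 1) + timedelta(days=n) for n in range(366)]
CORRUPTED_SINCE = date(2024, 12, 10)

if __name__ == "__main__":
    print("oldest restore point:", oldest_restore_point(DAILY_2024))
    for d in clean_restore_points(DAILY_2024, CORRUPTED_SINCE):
        print("clean restore point:", d, gfs_slot(d))
```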