Backup Policies

Backup policies are a crucial component in an organization or individual’s overall disaster recovery planning and strategic implementation. As a result backup policies, processes, procedures and strategies have a direct bearing upon the speed and completeness by which a business recovers from a major catastrophe and thereby ultimately determine the organization’s capability to survive the event and then move forward to rapidly return to pre-catastrophe status or above.

Let us now examine those factors and concepts that make up effective and efficient backup policies, the types of backup regimes available and their role within an overall disaster and recovery plan.

Rebound - The process of recovery and returning to a “business as usual” state is known as “rebound” and it is the decisive factor in managing and validating data integrity, confidentiality and accessibility. Information security breaches would undoubtedly negatively smear an otherwise successful restore operation. Thus confidentiality should be paramount when developing a backup policy.

Another factor that needs to be taken into consideration is that a backup policy; no matter how thorough, does not in itself a disaster recovery plan make. It is but one element of the more expansive disaster recovery plan albeit a critical one. Think of it as a team player.

Compartmentalization - Although disaster recovery plans can be very intricate, lengthy and involved it is compartmentalization that allows us to ease the burden of their design, development, implementation, maintenance and updating. All elements should work together transparently as a unit and yet still possess the modularity that allows for their independent parallel development.

Restoration - One critical component of the overall disaster recovery planning process is the ability to restore all data to its pre-catastrophe days. It is here that your backup policies and backup processes weigh heavily  

Vigilance – Regular checks and measures must be made in order to test, repair and ensure that the policy is indeed being followed.

The following sections are intended to serve as a quick guide for a small business to complete a backup policy to ensure that their data is secure and available. Here are some of the components that will need to be included in backup policies suitable for the small to medium business:

Overview – Outlines exactly what is to be backed up and how. Details will include specific computers, servers and their roles (file server, mail server, web server, FTP server, authentication server etc.) The roles to be played by users will also be detailed here.

Purpose – States the intended purpose(s) for having a backup policy in the first place. For example: to ensure that data is recoverable in the event of an emergency such as terrorist activities, severe weather, server failure and theft.

Capacity – Details of exactly what systems and components are to be included in your backup regimes (e.g. laptops, rented machines, home, shop, or just company assets). Location details will be included in this section of your backup policy. What data and data sources will be included as well as where are the backups going to be stored. Who has access to the backups?

Definitions – Highly trained computer aware technical experts are not the only ones that will need to be using this backup policy. So it is important that technical terminology is clearly stated and define in order to eliminate misunderstandings and misconceptions. Explain how the entire process works. Terms that might be included here include: Backup, Archiving, Incremental backup, Full backup, Differential backup and Restore etc. Provide details regarding the backup media to be used including its advantages and disadvantages.

Frequency – List the type of backup and when will it occur. For example: full backups will be conducted every Saturday at 10 PM while incremental backups will take place every other day at 4 PM. Users will need to be made of the time by which any data they require to be backed up is copied to the appropriate machine ready for the backup.

Media Rotation – Define the types of media to be used and if any media is to be overwritten. The specifics of media rotation and overwriting will be detailed in the media rotation section of a backup policy.

Testing – Details of when testing to ensure that all goes according to plan are to take place. This must include both processes; the backups and their restores. Restoration policies can be developed separately or as a component of the backup policy.

Responsibility – Who is responsible for the confidentiality, integrity and accessibility of the backup regime? Who is to perform the backup procedures? All personal involved in the backup processes will need to have a clearly defined role. Use sign-off sheets and checklist to ensure that nothing is inadvertently overlooked.

Data – Here you will define precisely what data is to be backed up. This will include, workstations, servers, networking devices etc. Define whether or not that system state is to be backed up along with the data. What are the security implications? Will drive/partition imaging software be involved? Will full data encryption be required? List the roles of all computers, their location and roles.

Regulatory Requirements - Many new legislative acts require businesses to keep their backups for a set number of years. You will want to ensure all pertinent information pertaining to theses backups is stated in this policy. Where the tapes are stored? Personally identifiable information and its backup, storage and management will need to be detailed and all relevant legislation complied with.

Storage – Detail the data and backup storage locations, parameters and authorized accessibility. Detail also the procedures for retrieval of backed up data and backup media in storage. Ensure that all backups and data are stored in at least two separate locations. Ideally at least one location should be off-site.