Having a plan in place to backup pertinent information to keeping a business running in the event information becomes unavailable for use is an important concept of business continuity. This blog will provide a definition and importance of corporate data backups, outline solutions options, and define best practices used for defining a corporate data backup process.
What are Corporate Data Backups and Why are they Important?
Simply put, a data backup is a secondary version of company and client information. Data backups can be full, differential, or incremental. A full data backup is a full backup of files and is usually completed weekly. A differential backup is the process of backing up only those files that have changed since the last full backup. An incremental backup is similar to a differential backup as it performs a backup of the files that have changed but the difference is it is done as part of a more frequent backup schedule cadence, such as daily or hourly depending on how rapidly files change. Finally, some corporations may require a replication of the system and data. This means that if there is a failure the downtime required to get operations back up to full capacity is essentially eliminated.
Generally, corporations can choose to use a variety of backups types to create a schedule that makes sense for them and aligns with the resources that are available to dedicate. Having a backup of information is a key component of a business continuity plan (BCP). ISACA defines a BCP as “a plan used by an enterprise to respond to disruption of critical business processes.”
The BCP should be detailed and tailored in the event a critical failure occurs. If data is lost, the plan should detail who to contact and where the backup information exists. While this is important for all corporations, it can be extremely important for those companies who rely heavily on IT operations and the data needed to facilitate those operations. For corporations that fall into this category, a 24/7 solution will help mitigate the risk that a critical failure will derail business operations. Luckily, not all companies will fall into this category and will not require a 24/7 solution. It is also important to consider the different events that may cause a disruption of service. Some examples include data corruption, unauthorized access, malware, or natural disasters such as fire, flood, tornado, etc.
What are Corporate Data Backup Solutions?
While there are a number of different data backup solution services available, the two general types of backup solutions include onsite or offsite. An onsite backup refers to the backing up of information locally utilizing hard drives, CDs, etc and does not require the internet. An offsite backup refers to the backing up of information at a server located in a location other than the corporation and requires the use of the internet. Corporations may choose to do both forms of backup as they both have pros and cons.
The most appealing advantage of performing onsite backups is the ability to access the data that is stored on site even if the internet is down. Additionally, this option is generally inexpensive. The biggest con using this type of backup solution is that the backups can become destroyed in the event that a natural disaster destroys the property where the backups are maintained.
Offsite backup solutions have their own advantages and disadvantages. The disadvantages being that their access relies heavily on the availability of the internet and cost. These are generally outweighed by the advantages. Because offsite backups rely on the internet, they are available anywhere as long as the internet is available. Additionally, they can be replicated to a number of different locations. This is particularly useful in the case that an event occurs at the main location where the data originates.
Simple Rules for a Successful Data Backup Process
Following a hand full of simple rules will help in crafting the best backup process for your company.
Rule 1: Define the data that needs to be backed up
Not all company information may require a backup copy. That is why is it key to open up a dialog around what information is considered crucial. This will help define necessary resources required to maintain operations in the event of a critical failure or if there are certain regulations which require certain information to be backed up to specific requirements, such as financial, tax, HIPAA, FedRAMP, or HITRUST. At times, it may be decided that it makes the most sense from a resource and risk perspective to backup all data.
Rule 2: Determine which backup type makes the most sense
As discussed earlier in this blog, there are different types of backups that can be used to fit the need and risks each corporation faces. If a company does not depend on data that is up to date, it would make sense to set a cadence that performs a weekly full backup with daily incremental backups.
Rule 2: Perform backups often
The frequency of backing data up should match the need of the organization. That being said, performing backups every month would in most cases not be often enough. Additionally, the services available to perform backups on a regular cadence are relatively inexpensive due to the competition of service offerings.
Rule 3: Define backup safeguards
Backups should consider necessary safeguards just like the rest of the information within a system. Some security safeguards include access management, encryption, secure storage, and logging. Access to backups should be limited to those with a legitimate business need since it can include sensitive company or client information. Additionally, when necessary, encryption of sensitive information should be enabled so that if hacked, it could not be read. Other security measures considered should be the key management used to authenticate to gain access the backups and finally logging. This can help identify vulnerabilities and whether or not there have been any exploitations.
Rule 4: Test backups to ensure they can be restored
This is one of the most important rules. A company can go through all of these steps without ever realizing that their backups are not working properly, are inaccurate or incomplete. It’s important to set up a frequency to test backups. This does not necessarily require a full backup but can focus on different components. This will save time and resources while accomplishing the intention of the rule.
Rule 5: Define the length of time backups are needed
The type of information being stored can set specific retention requirements. The criteria should be identified and used to ensure that backups are maintained for the proper amount of time. If there is no outside requirement, a company policy should be discussed, agreed upon, documented, and implemented.
Rule 6: Document rules 1 through 5
Documenting all the information identified going through the rules will help in identifying the core requirements of your business continuity plan. These will help create specific requirements that can be shared among necessary information and help in the event of a critical failure.
Data has increasingly become an important facet to the success of companies and with that increase has become the need for a formalized corporate data backup plan. This includes understanding the foundations of a backup plan and rules to follow in providing guidance and an outline that can be used in this documentation process.
Additionally, having a formalized backup process with elements that can proven are in many times essential to the passing examinations such as SOC 1, SOC 2, HIPAA, HITRUST, and FedRAMP. Depending on the protocol being used, it may include different requirements and should be referenced during the planning process of your backup plan.
For more related information on backups check out the following Linford & Co blogs:
- HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?
- Five Types of Testing Methods Used During Audit Procedures
- Insider Threats: The #1 Cyber Security Risk to an Organization
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.