298
A Practical Guide to Security Assessments
Risk:
Without a backup and recovery policy, the following risks exist:
• Inconsistent backup and recovery processes
• Noncompliance due to lack of knowledge
• Inability to enforce good backup and recovery practices because no official policy exists
Client Response:
2. Is the backup and recovery policy linked to the data retention and data
classification policies? Are there different backup procedures depending
on the type of information?
Guidance:
The backup and recovery policy should depend on the type of data and its significance, which is directly tied to its classification and retention. In linking these policies, consider the following:
• In large companies generating a significant quantity of data, there may be some cost savings if not all data has to be backed up. The savings from maintaining different backup schedules should be weighed against the additional administration they require.
• In some cases, regulations may require that data be backed up for a certain amount of time; these requirements should tie into the data retention and data classification policies.
For smaller, less complex companies, it might make more sense to take a consistent approach for all backups, as the additional administration associated with multiple backup schedules might not be worth it.
Risk:
If the policies for backup and recovery, data retention, and data classification are not in sync, there is a risk that either too much or too little information is backed up. In addition, there is a risk of noncompliance with regulations if certain data is not backed up for the required time period.
Client Response:
3. Are there documented procedures for backing up and recovering data?
Guidance:
Whereas the policy states “what” should be done, the procedure describes “how” the policy translates into the specific steps that must be performed to achieve compliance with the policy requirements. Procedures tend to be more dynamic than policies, as they change with changes in technology, personnel, and organizational structure. Some of the key steps that the backup and recovery procedure should address include:
AU1706_book.fm Page 298 Wednesday, July 28, 2004 11:06 AM