297
Appendix F
Backup and Recovery
With the use of technology, companies are generating more electronic data than ever before. Many transactions that were paper-based at one time are electronic today. As a result, companies are dependent upon a tremendous quantity of electronic data. Being able to back up and recover data is a mission-critical process that can mean the survival of a company. According to one report, 90 percent of companies that lose the data on their computers are out of business within two years. Besides operational concerns, some companies must have good backup and recovery processes to achieve compliance with industry-specific regulations (e.g., health care and financial services).
Like other security practices, backup and recovery requirements should be based
on business requirements. More specifically, backup and recovery should be based on
data classification and data retention requirements defined by data owners. Roles
and responsibilities related to defining backup requirements and performing the
backups are critical in ensuring good backup and recovery practices.
This questionnaire is a starting point for what should be asked during a security
assessment. These questions should be modified based on the company’s specific
business backup and recovery requirements.
1. Is there a formal backup and recovery policy?
Guidance:
As with other areas of information security, the policy is the foundation for ensuring sound backup and recovery practices. The policy should be easily accessible and should define high-level requirements and roles and responsibilities. The policy also helps the enforcement and audit process. Without a policy, there is no official management position on backup and recovery requirements or who is responsible for them. Some of the key components that you should look for in a backup and recovery policy include:
• Roles and responsibilities
• Off-site storage
• Testing
• Disposal of media
• Fulfillment of legal or regulatory requirements (if applicable)
The above areas are not all-inclusive, and they will vary with clients.
AU1706_book.fm Page 297 Wednesday, July 28, 2004 11:06 AM
298
A Practical Guide to Security Assessments
Risk:
Without a backup and recovery policy, the following risks exist:
• Inconsistent backup and recovery processes
• Noncompliance due to lack of knowledge
• Inability to enforce good backup and recovery practices because no official policy exists
Client Response:
2. Is the backup and recovery policy linked to the data retention and data
classification policies? Are there different backup procedures depending
on the type of information?
Guidance:
The backup and recovery policy should depend on the type of data and the associated significance of the data, which is directly tied to its classification and retention. In linking these policies, consider the following:
• In large companies generating a significant quantity of data, there may be some cost savings if all data does not have to be backed up. Having different backup schedules should be balanced against any additional administration required.
• In some cases, there may be regulations that drive backing up data for a certain amount of time, which should tie into the data retention and data classification policies.
• For smaller, less complex companies, it might make more sense to take a consistent approach for all backups, as the additional administration associated with multiple backup schedules might not be worth it.
Risk:
If policies for backup and recovery and data retention and classification are not in sync, there is a risk that either too much or too little information is backed up. In addition, there is a risk of noncompliance with regulations if certain data is not backed up for a certain time period.
Client Response:
3. Are there documented procedures for backing up and recovering data?
Guidance:
Although the policy is “what” should be done, the procedure is “how” the policy translates into specific steps that need to be performed to achieve compliance with the policy requirements. Procedures tend to be more dynamic than policies are, as they can change due to changes in technology, personnel, and the organization structure. Some of the key steps that the backup and recovery procedure should address include:
• Communications from data owners to information technology (IT) regarding backup requirements
• Backup schedules (e.g., incremental, full backups)
• Tape labeling and storage
• Recovery process
There should be enough information so that someone with a little bit of knowledge of backup and recovery can perform the process.
Risk:
Without clear procedures for backup and recovery, there are several risks, including:
• Backup and recovery processes may be done inconsistently.
• If there is personnel turnover, it will be difficult for someone new to understand the backup and recovery process.
Client Response:
4. Are there clear and documented roles and responsibilities for backup and
recovery?
Guidance:
Clear roles and responsibilities are critical in helping to ensure that the process is performed as intended. Clear roles and responsibilities leave no room for doubt about who is responsible for a specific step in the process. For backup and recovery, the two key roles and responsibilities that should be defined are:
• Data owner — The data owner should be responsible for defining the backup and recovery requirements. Data owners are knowledgeable about any operational or regulatory requirements with which the company must be in compliance. They should also define how long data should be retained and how much data needs to be on hand so that data can be quickly recovered if necessary.
• IT department — A person within the IT organization should be responsible for backing up data according to requirements set forth by the data owner. It is critical that IT does not own the responsibility of defining the requirement because IT does not own the data. IT should also collaborate with data owners regarding backup and recovery strategy based on the defined requirements.
You may also find some companies where all data is backed up and kept indefinitely. Depending on how much data there is, there may be personnel and cost issues related to managing that much data.
Risk:
The risk associated with not having clear roles and responsibilities
is one of accountability. Without accountability for the different steps in
the backup and recovery process, there is a risk that the process will not be
completed properly.
Client Response:
5. Have any security incidents related to backups ever occurred?
Guidance:
Past security incidents provide some insight into the effectiveness of controls related to the backup and recovery process. Some of the potential security incidents include the loss of backup tapes, incomplete backups due to technical issues, tapes being accidentally overwritten, and data not being backed up because requirements were not defined. If any security incidents occurred, it is worth finding out how the company reacted and what they did to ensure that such incidents did not happen again.
Risk:
Not applicable. This question is asked to determine how effective
the backup and recovery process and associated controls are.
Client Response:
6. What data is backed up? What data is not backed up and why? How often
are files required to be recovered?
Guidance:
This question is asked to help determine the scope of backup and recovery activities. Responses range from all data being backed up to only some data being backed up. You should obtain details on what data is being backed up and the associated backup schedules (daily, weekly, etc.) and determine whether this is adequate based on the company’s business requirements. If any data is not being backed up, you should find out why. For example, applications are often not backed up because they can be restored from CDs or some other means. You should determine whether that is actually feasible. Another example where data might not be backed up is when it is stored on local workstations or laptops. Some companies leave these “local” backup responsibilities to individuals, as they encourage personnel to store all critical data on a network drive that will be backed up. If this is the case, this should be spelled out in the policy, and some related awareness training should occur.
Risk:
Not applicable. This question is used to help determine the complexity and importance of backup and recovery activities.
Client Response:
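As an added illustration of questions 2 and 6 (not from the book), the following Python reconciles a data inventory, carrying the classification and retention requirements the data owners defined, against the backup system's catalog, and flags data that is not backed up, backed up too infrequently, retained too briefly, not encrypted where its classification requires it, or backed up without any owner-defined requirement. All dataset names, classifications and thresholds are constructed assumptions.

```python
"""Reconcile a data-owner inventory against a backup catalog.
All names, classifications and thresholds below are constructed assumptions."""

# Per-classification requirements a data owner defines: longest acceptable
# gap between backups, minimum retention, and whether media must be encrypted.
REQUIREMENTS = {
    "confidential": {"max_interval_days": 1, "retention_days": 2555, "encrypt": True},
    "internal": {"max_interval_days": 7, "retention_days": 365, "encrypt": False},
    "public": {"max_interval_days": 30, "retention_days": 90, "encrypt": False},
}

# Inventory supplied by data owners (constructed).
INVENTORY = [
    {"dataset": "patient_records", "classification": "confidential"},
    {"dataset": "hr_files", "classification": "internal"},
    {"dataset": "marketing_site", "classification": "public"},
    {"dataset": "lab_workstation_docs", "classification": "confidential"},
]

# Catalog exported from the backup system (constructed).
CATALOG = [
    {"dataset": "patient_records", "schedule_days": 1, "retention_days": 2555, "encrypted": True},
    {"dataset": "hr_files", "schedule_days": 7, "retention_days": 180, "encrypted": False},
    {"dataset": "marketing_site", "schedule_days": 30, "retention_days": 90, "encrypted": False},
    {"dataset": "old_crm_export", "schedule_days": 1, "retention_days": 3650, "encrypted": False},
]


def find_gaps(inventory, catalog, requirements):
    """Return sorted (dataset, finding) pairs, one per control gap found."""
    jobs = {job["dataset"]: job for job in catalog}
    findings = []
    for item in inventory:
        req = requirements[item["classification"]]
        job = jobs.get(item["dataset"])
        if job is None:  # owner requires a backup but no job exists
            findings.append((item["dataset"], "not backed up"))
            continue
        if job["schedule_days"] > req["max_interval_days"]:
            findings.append((item["dataset"], "backup interval exceeds requirement"))
        if job["retention_days"] < req["retention_days"]:
            findings.append((item["dataset"], "retention shorter than required"))
        if req["encrypt"] and not job["encrypted"]:
            findings.append((item["dataset"], "backup media not encrypted"))
    # Jobs no data owner asked for: IT is defining requirements on its own.
    for name in jobs.keys() - {item["dataset"] for item in inventory}:
        findings.append((name, "backed up without a data-owner requirement"))
    return sorted(findings)
```

Each finding maps back to a questionnaire item: a missing job to question 6, a short retention or missing encryption to question 8, and a job with no owner requirement to question 4.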
7. What would be the impact to the business if any problems developed with the backup and recovery process? Some examples include:
• Loss of data
• Failed backups
• Inability to recover data from backup tapes
Guidance:
The impact to the business is one of the main components to consider when performing a security assessment. In the case of backup and recovery, impacts can include:
• Downtime resulting from data not being available
• Legal issues (e.g., Health Insurance Portability and Accountability Act [HIPAA])
• Operational issues related to permanent loss of data (in the event backup data cannot be restored)
Impacts should be quantified to the extent possible. When quantifying the
impact, the company should consider short-term as well as long-term
losses. Short-term losses might be more quantifiable and measurable, but
long-term losses might be more in the form of loss of customers or the
cost of instituting new processes to reduce the likelihood of an incident
in the future.
Risk:
Not applicable. This question is asked to gain an understanding of the potential impact to help in assessing the importance of backup and recovery processes.
Client Response:
8. Is the backup strategy in line with the business requirements? Some aspects that should be considered include:
• Tape retention schedule
• Protection based on data classification (e.g., encryption)
• Media used in backup tapes
• Other business requirements
Guidance:
The company’s backup strategy should correlate with the associated business requirements. You may find a number of scenarios ranging from all data being backed up indefinitely to data not being backed up at all. In some cases, it might be appropriate for all data to be backed up