Appendix F
users want it done immediately, particularly if it affects a mission-critical
process. To help ensure this quick turnaround time, tapes should be labeled
properly so information can be quickly located. The key benefits related to
labeling backup tapes include:
• Turnaround time for restoring files is faster than if not labeled.
• It reduces the dependency on one or a few individuals who are the only
ones who know the contents of the backup tapes. With labeling, any
IT person who knows the restore process can find the right backup
tape in the event a restoration is required.
Risk:
The risk associated with not clearly labeling backup tapes is potentially
not being able to perform restorations on a timely basis. In addition,
there is a risk associated with a limited number of people knowing the
content of the tapes.
Client Response:
11. Are there Service Level Agreements or Objectives (SLAs or SLOs) related
to restoring data for users?
Guidance:
Some organizations have agreements (SLAs or SLOs) for
restoring data. The difference between SLAs and SLOs is that the SLAs
are more contractual in nature in that penalties exist if the terms of the
agreement are not kept. SLOs are objectives for which a servicing
organization is striving. With backup and recovery processes, the agreements are
between the user community and IT and can specify target metrics for
various aspects of backup and recovery. Depending on the organization, these
agreements may have financial implications — e.g., if the IT department
is charging individual departments of a company for its services, charges
may be adjusted if service level requirements are not met. Agreements
establish accountability for all parties involved and provide a mechanism
to identify processes that are not working properly. In a security
assessment, two key aspects of the agreements should be reviewed:
• Are the current processes adequate to achieve the metrics established
in the agreements (acceptable time frames for file restoration, tape
retention requirements, etc.)?
• Does the company manage to the agreements — i.e., does the company
enforce the agreements? Without enforcement, the value of the
agreements is significantly diminished.
Risk:
Not applicable. A lack of SLAs or SLOs does not necessarily pose
any security risk, but the presence of SLAs or SLOs does enhance the
overall security posture by adding accountability to the tasks in the information
security program.
AU1706_book.fm Page 303 Wednesday, July 28, 2004 11:06 AM