Description of Risk
If units do not have documented plans in place that have been clearly communicated to all key unit personnel and tested, there is a risk that, in the event of a disruption in services due to power outages, fire, etc., mission-critical operations may be adversely impacted. This could result in loss of information resources, loss of proprietary data, loss of productivity, and damage to the reputation of the Institute.
Technological emergencies may include interruption of utilities, hardware failure, theft of hardware or software, or anything else that causes unexpected downtime. Several guides to emergency management address backup and recovery. The National Institute of Standards and Technology’s Contingency Planning Guide for Information Technology Systems addresses all aspects of backup and recovery. The Institute has not set criteria for backup and recovery of systems contained within campus units, but it does hold units responsible for backup and recovery. NIST’s guide provides guidance and templates for backup and recovery options.
Backing up software and having backup hardware devices is a large part of information systems availability. It is important to be able to restore data. For example, if a hard drive fails, a disaster takes place, or there has been some type of data corruption, a backup procedure enables rapid restoration.
Auditors look for:
- Policies and procedures in place that indicate what gets backed up, how often, and where these backups are safely maintained
- Testing procedures for these policies
- User workstations and portable devices containing important data being included in the backup policy
- Users being aware of their responsibility to back up their data
Policies and procedures should consider each of the following aspects of backing-up valuable IT resources: hardware, software, data, personnel and off-site facilities.
Back-up procedures should answer the questions:
- What happens if I have a server failure? What will be the most current backup I can restore to?
- What happens if my Computer Support Specialist is unable to return to work for a period of time?
- What happens if I am denied access to my workplace due to power outage, or other sudden impediment?
- Can I get access to my backup capabilities?
- Can my users access their important files, data and student/personnel records?
- What happens in case one of my priority users’ workstations has an unrecoverable failure?
- Where are my original disks maintained for source code? Are they up to date with current patches?
- What are the procedures for letting my internal and external business partners know when service will be restored?
- Are my backups stored off-site?
- Is my current system configuration documented?
- Are my software licenses stored in a secondary location?
- Are there procedures in place to ensure individuals back up data on their local PCs?
- Is my recovery equipment inter-operable with my current configuration?
- Are servers configured to shut down gracefully upon power loss?
- Is there redundancy between critical system components and capabilities?
- Is there a test procedure for validating restoration data?
- Is there a call tree for notification of key individuals upon system failure?
Campus units maintaining multiple servers and providing various services should have internal backup capabilities. These capabilities could include backup to tape or other media and/or a remote network storage device. The amount of work you can afford to redo dictates how frequently you need to back up your data.
Units should conduct a daily backup of differential changes, followed by a total backup weekly. Weekly backups should be stored in an off-site location where they can be accessed by authorized members of the unit in case of a needed recovery. Depending upon the needs of the unit, daily full backups might be required and should be rotated off-site as well.
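The following added example (not part of the original guidance) works through the daily-differential, weekly-full schedule above to answer "what will be the most current backup I can restore to?" and shows how a full backup that failed its restore test widens the window of lost work. The catalog, backup names and failure time are constructed, and the `verified` flag is an assumed record of restore-test results.

```python
from datetime import datetime, timedelta

def _b(bid, kind, day, base=None, verified=True):
    # One catalog entry; every backup here runs at 01:00 in June 2024.
    return {"id": bid, "kind": kind, "taken": datetime(2024, 6, day, 1, 0),
            "base": base, "verified": verified}

# Constructed catalog: full backup each Sunday, differential on other nights.
CATALOG = [
    _b("full-0602", "full", 2),
    _b("diff-0607", "differential", 7, base="full-0602"),
    _b("diff-0608", "differential", 8, base="full-0602"),
    _b("full-0609", "full", 9),
    _b("diff-0610", "differential", 10, base="full-0609"),
    _b("diff-0611", "differential", 11, base="full-0609"),
]
FAILURE = datetime(2024, 6, 11, 15, 30)  # constructed server failure time

def restore_plan(catalog, failure_time):
    """Return the backups to restore, in order, and the window of lost work."""
    usable = [b for b in catalog
              if b["verified"] and b["taken"] <= failure_time]
    fulls = [b for b in usable if b["kind"] == "full"]
    if not fulls:
        return None  # nothing restorable at all
    base = max(fulls, key=lambda b: b["taken"])
    # A differential holds every change since its base full backup, so only
    # the newest differential taken against that same base is needed.
    diffs = [b for b in usable
             if b["kind"] == "differential" and b["base"] == base["id"]]
    chain = [base] + ([max(diffs, key=lambda b: b["taken"])] if diffs else [])
    return {"chain": [b["id"] for b in chain],
            "data_loss": failure_time - chain[-1]["taken"]}

def with_failed_restore_test(catalog, bad_id):
    """Copy of the catalog with one backup marked as failing its restore test."""
    return [dict(b, verified=False) if b["id"] == bad_id else b
            for b in catalog]

if __name__ == "__main__":
    print(restore_plan(CATALOG, FAILURE))
    print(restore_plan(with_failed_restore_test(CATALOG, "full-0609"), FAILURE))
```

With every backup verified the unit loses 14.5 hours of work; if the latest weekly full turns out to be unrestorable, the differentials taken against it are useless as well and the loss grows to more than three days.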
Individual workstation data should be backed up by the user. The procedures that the user can employ to back up data should be a part of the local policy and procedures manual.
EMPOWER THE PEOPLE RESPONSIBLE
Develop and put in place a training program so that all information system users know where their data is maintained and how it is backed up. Be clear with individual users about their portion of the shared responsibilities. Be sure that all personnel in the recovery team are aware of the policy. Semi-annually, conduct a test that includes all members of the team.
COMMUNICATE WITH EVERYONE
Put out reminders of what the unit’s policy is via occasional email or bulletin board notices.
DISSEMINATE POLICIES AND PROCEDURES
Write down your policy, publish it to all the team members and make sure it is exercised by conducting systematic tests.
USE A SYSTEMATIC APPROACH
Human nature is such that the un-inspected gets put off. Schedule at least an annual exercise requiring personnel to respond and actually restore from backup.
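One way to turn the restore exercise into a repeatable check, and to answer the earlier question about a test procedure for validating restoration data (an added example, not part of the original guidance): record a SHA-256 manifest at backup time, restore the archive into a scratch directory, and compare. File names and contents are constructed, and tar archives are an assumed backup format.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_archive(src, dest):
    with tarfile.open(dest, "w:gz") as tar:
        for child in sorted(Path(src).iterdir()):
            tar.add(child, arcname=child.name)

def restore_and_verify(archive, expected):
    """Restore into a scratch directory and compare against the manifest."""
    # Use the safe extraction filter where this Python version provides it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            tar.extractall(scratch, **opts)
        restored = manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    changed = sorted(name for name in expected
                     if name in restored and restored[name] != expected[name])
    return {"ok": not missing and not changed,
            "missing": missing, "changed": changed}

def demo():
    """Constructed data: one good backup and one incomplete, altered backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        (src / "records").mkdir(parents=True)
        (src / "records" / "students.csv").write_text("id,name\n1,constructed\n")
        (src / "config.ini").write_text("[service]\nport=8080\n")
        expected = manifest(src)  # recorded when the backup is taken
        good, bad = Path(work, "good.tar.gz"), Path(work, "bad.tar.gz")
        make_archive(src, good)
        # Simulate a damaged backup: one file truncated, one never captured.
        (src / "records" / "students.csv").write_text("id,name\n")
        (src / "config.ini").unlink()
        make_archive(src, bad)
        return restore_and_verify(good, expected), restore_and_verify(bad, expected)

if __name__ == "__main__":
    for result in demo():
        print(result)
```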
Information Systems backup and recovery operations are only a portion of your overall business recovery and disaster recovery plans. Each unit should have an updated disaster recovery and business continuity plan.