Main Index » ICT »
Data Security - Backup
Many companies are now completely reliant on the data stored on their network servers, PCs, laptops, mobile devices and on data stored in the cloud. Some of this data is likely to contain either personal information and/or confidential company information.
Here we look at some of the issues to consider when reviewing the security of your computer systems and data.
Data backup is an essential security procedure and needs to be undertaken on a regular basis. A business should view the taking of regular backups as a form of insurance policy. There are a number of points to consider.
Systems and Applications Software Installation media
Ideally, once software has been installed, the original media should be stored securely off-site.
Data file locations
In a network environment some data files might be stored on the server and other data files stored on local drives. In which case separate backups may be required for both the server and one or more PC’s.
Ideally, a network solution should be provided which ensures that all data is re-written back to the server.
Backup strategy and frequency
There is likely to be a need for two parallel backup procedures; one to cover a complete systems backup of the server(s) and another to incrementally (or differentially) backup data files which have been updated since the previous backup.
The most common backup cycle is the grandfather, father, son method. With this, there is a cycle of 4 daily backups, 4/5 weekly backups and 12 monthly backups.
Backup media can be re-used many times, but they do not have a finite life and will need replacing after 2-10 years depending on quality and number of times used. Some additional points are made on this issue in the section on backup media degradation.
Someone will need to be given responsibility for the backup procedures. The person responsible needs to be able to:
- Regularly ensure that all data files (server and local) are incorporated in the backup cycle(s)
- adapt the backup criteria as new applications and data files are added
- modify the backup schedule as required
- interpret backup logs and react to any errors notified
- restore data and test data can be restored, from backup media
- maintain a regular log of backups and where the backup media are stored.
Applications backup routines
Many accounting and payroll packages have their own backup routines. It is a good idea to use these on a regular basis, and always just before critical update routines. These data files should be stored on the server drive.
Certain users will have applications data files exclusively on their local drives (such as payroll data for example) and these will require their own regular backup regime, which as mentioned in the previous paragraph may consist of a combination of backing up to media and backing up to the server.
Selecting the right media to use depends on budget, how much data there is and the networking operating software. External hard disks provide a good backup solution, and optical storage such as CD/DVD, or Blu-Ray may also be considered as a cheaper alternative, but capacity and life may be limited. If an external service provider is used, or perhaps a cloud option, they may have their own backup regime.
Backups should be stored in a variety of both on-site and off-site locations. On-site backups are easily accessible when data has to be restored quickly, but are at risk from either fire or other disaster.
A large number of businesses use an on-site safe, however, this will be useless if it’s buried under tons of rubble, or, if the premises otherwise become inaccessible.
Off-site backups have the advantage that they can be recovered in an emergency, but
a) they still need to be stored securely and
b) need to be reasonably accessible.
Finally, certain type of records, such as accounting records for example, need to be kept for a minimum period of time (i.e. 6 years) and this must be borne in mind when developing the data backup strategy (also see below regarding degradation).
Backup media degradation/decomposition
Backup media degrades and the data stored on them decomposes over a period of time.
Optical media such as CD/DVD and Blu-Ray are particularly sensitive to light (photosensitive), so ensure that they are stored in a dark environment. They are also prone to damage caused by writing on them with a pen. Finally, this type of media is not designed for long-term storage - lasting possibly as little as 2 years.
Backups should be checked on a regular basis for signs of digital decomposition, and tested to check that data can be successfully restored.
In-house or cloud?
Many ISP’s and third-party IT service organisations, now offer either as standard or as a chargeable extra, off-site data repositories and also complete online application solutions. The immediate appeal is that the data is stored off-site and is quite likely to be encrypted. However, there are a number of key security issues which should be covered as part of the agreement. These should include the encryption level, the countries in which the data is processed and stored, data deletion and retention periods and the availability of audit trails of who is accessing the data.
We would always recommend therefore that if a third-party is used, that the business uses a combination of both traditional in-house backup solutions, and cloud backup services. Where cloud services are used, then try to ensure that as little personal data as possible is processed and stored off-site.
How we can help
We can provide help in the following areas:
- performing a security/information audit
- drawing up a suitable backup regime
- training staff in security principles and procedures.
Please do contact us if we can be of further help.
Top of page
For information of users: This material is published for the information of clients. It provides only an overview of the regulations in force at the date of publication, and no action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the firm.