Backup and Recovery Planning
Important job of an Information Security Professionals and IS Auditor is to ensure/check whether the existing backup policies are capable of supporting adequate data recovery in the case of a disaster. A capable backup and Recovery system requires a proper planning and considerations in the in the initial stages of Backup and Recovery System Development.
A backup and recovery system should be designed by considering following facts:
1. Nature of the Information System
Nature of the system largely decides the way backup and recovery required. System could be of following types:
Online Vs Offline System
OLTP Vs OLAP System
Financial Vs Non Financial System etc.
For example, an online system does not require traditional way of a backup as needed for many of offline systems. Online Transaction Processing (OLTP) system backup will be relatively smaller in size as compared to Online Analytical Processing (OLAP) systems. Backup of the financial system should involve a lot of logs as compared to Non financial system.
2. What to backup
What to backup is primarily dependent on nature of Information System? Broadly following elements should be the member of backup set.
System log
Application log
Data Files
Transaction and master files
Compiled Object and Source Code
Network logs
3. How to backup
This depends on the requirement and the available resources. An Information System should have one or more of the following backup systems.
Full Backup
Incremental Backup
Automated backup
Manual Backup
4. Periodicity and Timing of backup
Periodicity and timing of backup depends on the nature of Information system and requirements. For example we can not have offline backup or root backup during business hour. Periodicity is decided by amount and criticality of data. Where as online backup system is generally always on.
5. Where to backup
In present era we have a lot of options for backup. Following options can be used based on the need:
DAT Drive
DLT Tapes
Compact Disc (CD ROM/RW)
Digital Versatile Disc (DVD)
Secondary Sites
Near sites
6. Where to store
Backup can be stored in following major ways:
Onsite storage
Offsite storage
7. Recovery Arrangements
Following recovery arrangements can be made:
Hot Sites
Cold Sites
Alternate/Reciprocal arrangement
Warm sites
For details please, refer to Disaster Recovery Services for CISA Exam.
8. Division of labour
A backup tape librarian should be given only compatible jobs. For details please, refer to Segregation of duties from CISA Exam Point of View & More Segregation of duties for CISA Aspirants - job allocation for various Administrators.
9. Periodical Testing of Backup
This is the most important stage of any Backup and Recovery Plan.
10. Periodical Audit of Backup and Information System
This should also be considered in the design phase itself.
11. Documentation
A clear documented backup procedure manual should be prepared and available.
Summary:
Important points to remember about Backup and recovery System:
- Backup should be properly labeled.
- Retention period should be clearly mentioned
- System log and application log should be separately stored
- Periodic testing of backup data is most important part of a backup and recovery facilities.
- Periodic audit of the Backup & Recovery System should be there.
- Backup and Recovery Manual should be available.
This article is useful for CISA Preparation, IS Auditors & Information Security Professionals
0 comments:
Post a Comment