In the dark ages of computing, there were paper records that were keyed into the computer for processing to generate reports. If the data was lost, then the paper records were retrieved and keyed back in.

Today, paper records aren't so common, as paperless offices grow in popularity. As a result, the need for timely reliable system backups has become critical as they serve as a safety net. If the data relating to these all-digital records is lost or corrupted, then all records are gone.

In order to have timely and reliable data backups, there must be a careful blending of people, technology and processes using a systemic perspective to ensure that goals are met.

For any data backup project, it is important to have a defined scope of what data and servers/hosts will be included. For each type of data, IT should work with stakeholders to identify what hosts need to be backed up, how often, the level of security and the available service window for doing so.

In addition, an estimate of how often data needs to be retrieved from the archival system is needed to better understand the possible technology, people and processes that will be required. An understanding of the risks confronting the organization and each data set for backup will serve to guide additional factors that need to be considered.

These requirements should drive not only the identification of a solution but also be documented in the organization's formal backup policies and procedures.

People

As a foundation element for the initial implementation project and ongoing backup and restoration processes to be successful, the people involved must have sufficient training and understanding to grasp what must be done. Management must support the people and the processes by ensuring that the correct people are hired, training is provided and that policies and procedures are adhered to. The ''tone from the top'' is vital to this, and any other, project.

Avoid Techno Babble

As a tip, when dealing with a non-IT stakeholder, including senior management, be sure to frame communications in language that the others can understand. Don't leave them dazed and confused with a slew of techno babble. Focus on the services they need, risks to those services, regulatory requirements and business needs. And make sure to quantify things in terms of time-frame, dollars and risk whenever possible.

The goal is to put in a solution for the business. To do this, business execs must be able to understand and be involved.

Technology

There are a variety of types of backup systems, ranging from tape drives to full host redundancy with real-time fail over. The solution that is put in place and its corresponding level of investment must be driven by a combination of risks confronting strategic, operational, reporting and compliance objectives. One group may need a $5 million hot spare data center with real-time fiber optic feeds and another may just need redundant $2,000 tape drives with $1,000 worth of software.

Compatibility

One recommendation given to organizations of any size is to be very aware of the backup technologies in use relative to the data in storage.

It is vital to ensure that any restoration process will be able to handle the vintage of media created in the backup process. Tape drives provide a clear case in point. It is common to walk into an organization with several models of tape drives of varying vintages. The groups religiously back up. However, if there is a fire or other disaster, they are in a bind. Why? Because the needed combination of tape drives and software may not be readily available after a disaster.

Having all the needed tapes but no way to read them defeats the purpose. Carefully consider how the correct model of tape drive, version of software and corresponding backup data can be stored offsite and made available when needed.

Ultimately, whether the redundancy is simple or complex, the solutions put in place must be driven by risk.

To be explicit, the probability of negative events and their impact to strategic, operational, reporting and compliance objectives must be understood. By using a risk driven approach, investing in systems that either provide too little protection or investing too much in extremely elaborate systems can be avoided. Some people may find it odd to be warned against buying too much redundancy, but it is because redundancy increases systemic complexity.

This increase in systemic complexity comes at a cost in terms of resources. And it's not always obvious. Initial purchase cost, additional training and more avenues for failure must all be considered.

In looking at the confidentiality, integrity and availability of data backups, we must look carefully at the supporting processes. The best technology in the world can be negated by ill-conceived processes.

Different technologies may require specialization but the following bear consideration:

  • Ongoing Risk Analysis -- An understanding of threats, what management is willing to accept and how to mitigate those risks are vital to not only implementing a backup solution, but also for keeping it aligned with the needs of the organization;
  • Scheduling -- Work with system and business stakeholders to understand when backups can happen and how long the system can be unavailable;
  • Data retention -- Work with system, business and legal stakeholders to understand how long data should be retained. In some cases, backup data may only be needed for several months and in other cases the duration may be in years;
  • Review of Logs -- Log files generated from each backup job should be reviewed to check for errors, duration of the backup job and so on. Try to identify problems and take corrective action to reduce any risks associated with failed backups. From a compliance perspective, be sure to date and sign reviewed logs in a method that mirrors your policies and procedures. Auditors need to see proof that reviews are happening due to the critical nature of the data;
  • Library -- Be sure to clearly label media and note where it is stored;
  • Rotation and Expiration -- Depending on the model used, backup media can be re-used at some point in time. To be cost effective, it makes sense in some cases to re-use media when possible versus constantly buying new media. But it, in turn, means that organizations need to track media to understand when it can be put back into the available media pool, and when it has reached its end-of-life and needs to be properly disposed of;
  • Disposal -- Do NOT throw media in the trash. Physically destroy it so it can not be read by an unintended party;
  • Testing -- More than one IT administrator has had an awful moment where she finds out her data restoration is flawed. It is far better to find out the causes and take corrective action in the safe confines of monthly or quarterly testing than it is in the heat of battle.

    Data is increasing critical these days as timeframes compress, risks increase and businesses run on information that increasingly exists only in digital form. Data loss can result not just in financial losses to the company, but can also impact the strategic, operations, reporting and compliance objectives of the organization. Each group must collectively identify, understand and manage the risks associated with its data to safeguard the overall organization.