Data backup is defined as the copying and archiving of computer data so that it may be used to restore the original after a data loss event or recover data from an earlier point in time. Backups are an integral part of your Disaster Recovery (DR) plan, but by themselves they should not be considered your DR plan. We will delve more into DR plans in future months. Let’s first work on building our backup plan so that we have a solid foundation on which to build our DR plan.
First things first, you need to decide what data needs to be backed up.
- The first question is whether you have any governmental or client-mandated compliance requirements regarding your data retention. If the answer is yes, this will help identify some of the data that must be backed up and the security level at which it should be stored, and it will help determine what the retention policy for that data should be.
- Next you need to determine what data is absolutely critical to running the business and identify where it is. Many organizations set up folder redirection or shared drives on a server to ensure their end users' files are stored on the server and are therefore easily backed up. With a remote workforce, you will need to decide how critical their data is to your organization, and you may need to arrange cloud-based backups or implement a local backup policy for those users.
- Now that you know what data needs to be backed up, you should prioritize the order in which it should be restored in the event of a large-scale data loss. For example, to provide at least minimal capabilities for your employees to service your clients, you may need to restore your critical Line of Business (LoB) data first. Identifying which applications allow you to perform your critical business tasks and restoring that data first will help mitigate the impact of a data loss event.
You have identified the information you need to protect, so what’s next? How long do we need to hold it?
- Your retention policy may be dictated by federal compliance requirements or possible contractual obligations with your clients. Identify what data is subject to these compliance requirements and set the retention policy accordingly.
- Now set a retention policy for the data not subject to the requirements above. Ask yourself: how long do I reasonably need to keep this data? Holding data longer than is necessary provides very little benefit and opens it up to discovery during any potential litigation.
- Once you have defined your retention policy, you need to document it and make your employees aware of it. This not only sets the expectation internally of how long your data will be held, but it also becomes part of the legal defensibility record.
- You have set your retention policy and documented it; the final step is to enforce it. As the age of your data exceeds the retention policy term, it should be deleted.
The next part of this series will expand on your backup options.