Organizations typically create a backup policy to answer critical questions related to backups. If you’re planning to take the Security+ exam, you should have a basic understanding of risk management best practices that include creating backup policies.
For example, can you answer this question?
Q. A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization’s backup data center is prepared to implement the warm site if necessary. Which of the following is the BEST choice to meet this need?
A. Perform a review of the disaster recovery plan.
B. Ask the managers of the backup data center.
C. Perform a disaster recovery exercise.
D. Perform a test restore.
More important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Backup Policies and Plans
Organizations typically create a backup policy to answer critical questions related to backups. Once the backup policy is created, administrators then implement backup plans to meet the needs addressed in the backup policy.
Unfortunately, many organizations operate without a backup policy, making it difficult for administrators to create appropriate backup plans. If they don’t do any backups, management will blame them when data is lost. More than a few administrators have asked managers, “How much data are you willing to lose?” and heard “None!” as the response. However, if they try to back up everything and keep it forever, management will blame them for spending too much money. The ideal solution is somewhere in the middle, but where? How many backups and how much money is appropriate?
The backup policy is a written document and will often include the following details:
- Identifies data to back up. This identifies data important enough to back up. When management doesn’t identify this in a backup policy, administrators and technicians have to make individual decisions on what data they consider important. Their decisions might not match management’s value of the data.
- Requires off-site backups. A copy of a backup should be stored in a separate geographical location. This protects against a disaster such as a fire or flood. Even if a disaster destroys the site, the organization will still have another copy of the critical data.
- Requires labeling media. Media labels identify the data and the date of the backup. When data needs to be restored, the administrator should be able to quickly identify the backup that holds the relevant data.
- Mandates testing of backups. The policy identifies how often to test backups and the level of testing. For example, the policy may dictate performing full test restores weekly.
- Identifies retention requirements. How long data is held directly relates to how much backup media the organization must purchase and maintain. Laws or regulations may require retention of some data for several years and the organization can choose to limit retention of other data. Some organizations limit the amount of data they keep to reduce potential exposure to future legal proceedings. For example, a court order could direct administrators to comb through email for an investigation. The time spent will be significantly different if the organization kept archives of email only from the past year, or if it kept archives for the past 10 years.
- Designates frequency of backups. The business impact analysis helps an organization identify backup frequency by identifying recovery time objectives and recovery point objectives. This also helps determine the backup strategy, such as a full/incremental or full/differential strategy.
- Protects backups. Backup media is handled with the same level of protection as the original data. If an attacker gets a copy of a backup, it’s a simple matter to restore it and access all the data. Protecting the backup media helps prevent data loss or theft.
- Identifies acceptable media disposal methods. Backup media such as tapes holds a significant amount of information. Organizations often require the sanitization or destruction of tapes at the end of their life cycle. For example, you can erase all the data on a tape by degaussing it. A degausser is essentially a large magnet that makes the data unreadable. It’s also possible to burn or shred tapes.
A key point here is that the backup policy identifies policy decisions related to backups. Administrators use the backup policy as a guide when creating backup plans.
Without a policy, these important decisions may never be addressed. The organization may not maintain off-site backups. They may not label backups. They may never test backups. All of this adds up to a catastrophe waiting to happen.
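The policy items above can be checked mechanically against a backup catalog. The following is an added example, not part of the original post: the catalog entries are constructed, the field names and policy values are hypothetical, and encryption is assumed as the stand-in for "protected like the original data".

```python
from datetime import date, timedelta

# Hypothetical policy values; a real backup policy sets these.
POLICY = {
    "test_restore_interval": timedelta(days=7),  # e.g. weekly full test restores
    "retention": timedelta(days=365),            # maximum time a backup set is kept
}

# Constructed catalog entries (not real data).
CATALOG = [
    {"label": "FIN-DB 2024-05-27", "created": date(2024, 5, 27), "offsite_copy": True,
     "encrypted": True, "last_test_restore": date(2024, 5, 29)},
    {"label": "", "created": date(2024, 5, 20), "offsite_copy": False,
     "encrypted": True, "last_test_restore": None},
    {"label": "MAIL 2022-01-03", "created": date(2022, 1, 3), "offsite_copy": True,
     "encrypted": False, "last_test_restore": date(2022, 1, 5)},
]

def audit(entry, today, policy=POLICY):
    """Return the list of policy findings for one backup set."""
    findings = []
    if not entry["label"].strip():
        findings.append("unlabeled media")
    if not entry["offsite_copy"]:
        findings.append("no off-site copy")
    if not entry["encrypted"]:
        findings.append("backup not protected like the original data")
    tested = entry["last_test_restore"]
    if tested is None or today - tested > policy["test_restore_interval"]:
        findings.append("test restore overdue")
    if today - entry["created"] > policy["retention"]:
        findings.append("past retention; dispose per policy")
    return findings

def audit_catalog(catalog, today):
    """Map each backup set (by label, or by index if unlabeled) to its findings."""
    return {e["label"] or f"<unlabeled #{i}>": audit(e, today)
            for i, e in enumerate(catalog)}

if __name__ == "__main__":
    for name, findings in audit_catalog(CATALOG, date(2024, 6, 1)).items():
        print(name, "->", findings or "compliant")
```
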
Remember this
Best practices associated with backups include storing a copy off-site for retention purposes, labeling the media, performing test restores, and destroying the media when it is no longer usable.
Q. A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization’s backup data center is prepared to implement the warm site if necessary. Which of the following is the BEST choice to meet this need?
A. Perform a review of the disaster recovery plan.
B. Ask the managers of the backup data center.
C. Perform a disaster recovery exercise.
D. Perform a test restore.
Answer is C. The best way to test elements of a business continuity plan (BCP) or disaster recovery plan (DRP) is to test the plan by performing a disaster recovery exercise.
Asking managers if they are ready and reviewing the plan are both helpful, but not as effective as an exercise.
Performing a test restore verifies the backup capabilities, but not necessarily the steps required when implementing a warm site.
You may also like to view the blog post related to BCP and DRP Testing.