Backup and Recovery Process: Choose It or Lose It

Control of the Week 15 – Backup and Recovery Process

This week’s control involves the backup and recovery process. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juthani (Senior Manager, IS Risk & Compliance), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why backing up data is critical to your audit (and business continuity).

Why this control is important

CR1 – Backup and Recovery Process – Formal procedures that outline the backup and recovery processes are documented. The procedures are reviewed by IT management and updated annually.

CR2 – Data Backup and Monitoring – Weekly full-system and daily incremental backups are performed using an automated system and replicated to offsite location. Backups are monitored for failure using an automated system.

CR3 – Backup Restoration – Backup restoration testing is performed on a quarterly basis to test the integrity and completeness of backup information. Incident Management Process is invoked for anomalies.

“Don’t forget about talking to your business about what, when, where and how often to back up your data.” – Jose Costa

Despite our best efforts, sometimes things go wrong. The best way to handle situations should they arise, is to have a plan to act in advance, and keep that plan updated when threats change. This not only covers risks to your data by bad actors but plans in the event of a server outage or a natural disaster as a few examples. 

Documenting a plan in case of a disaster is key to the continuity of your organization. Plans to safeguard data, assets which also include the people/employees, infrastructure and even office facility/spaces will give you more tools to keep you afloat when the worst happens. At the very least, backups and recovery plans will at least be a failsafe if you delete your whole business

How to implement this control for your audits

This control requires formal documentation of the backup and recovery process. This is a document that your employees can refer to in the event of a disaster for the purpose of data recovery. This document should include:

  • How often you will perform backups and check the integrity of those backups once they are created.
  • Where the backups are located and whether there is an offsite location and/or physical copies.
  • When backups should be restored for testing the integrity of backup data and/or how often you want to access your backup data.
  • What assets/data are the most critical to preserve or general support system?  Large enterprises can’t keep track of the volume of data so that information is backed up in subsets. Documentation is critical in these cases as you will want to know where each subset is located. 

Auditors will look at the entire backup process to determine whether an organization has made sufficient plans to maintain the business and preserve assets in the event of a disaster. As an organization, you want to ask if there will be downtime required for migrations or repairs and backups just in case that data is lost.

As always, with many other procedures, ensure that you perform regular tests and restoration of data to ensure that backups are an accurate representation of the data you need to continue to operate. Monitor the backups as they’re being processed to ensure that you are successfully backing up your data, especially if it is in an offsite location. Any issues or failures should be resolved in accordance with the defined incident management process.