The Sarbanes Oxley Act :: View topic - Backup and Recovery controls
Forum: Control Methodologies

Backup and Recovery controls

Author: jeffmartintx (Newbie; Joined: Apr 20, 2009; Posts: 3; Location: TX)
Posted: Mon Apr 20, 2009 8:10 am, Post subject: Backup and Recovery controls

Fairly new to this as our company recently went public. We have around 15 'in-scope' databases and have a key control that essentially states that on a defined schedule incremental and full backups are performed, and that our group is notified when failures occur. This has proved to be problematic for a few reasons.

I am curious how others have designed their controls/key controls around this area.
Author: Cassandra (Soxer; Joined: Aug 25, 2004; Posts: 36; Location: Austin TX)
Posted: Mon Apr 20, 2009 9:41 am

The key question is how does management obtain comfort that their data would be recoverable in the event of a failure and need to restore? Below is our objective and risk statement. Typically data storage testing covers

Backup program
Retention and Storage (encryption)
Inventory of disks
Testing of backup
Access to backup

IT Control Objective:
Controls provide reasonable assurance that data is backed up and management procedures are appropriate.
Risk Statement:
Controls may not provide reasonable assurance that data is backed up and that data management procedures are appropriate. If controls relating to data backup and management are not adequate, it increases the risk that:

(1) Historical records may be unavailable or inaccurate;

(2) IS&T personnel may not be able to restore and recover systems in the event of an operating incident or erroneous processing;

(3) The procedures that are followed to archive data may not satisfy legal and regulatory requirements; and,

(4) The procedures followed to manage and control data backups may be inferior to controls for on-line data leading to sensitive data being damaged, lost, modified or inappropriately disclosed.
Author: jeffmartintx (Newbie; Joined: Apr 20, 2009; Posts: 3; Location: TX)
Posted: Mon Apr 20, 2009 10:10 am

Cassandra, thank you for the prompt response. The way our control is written, EVERY time there is a backup failure, we need to show a resulting Trouble Ticket. This has been the challenge due to some backup job scheduling conflicts and the fact that the tickets are manually generated. For the most part our backup environment is solid, with a few scattered failures. We do perform recovery exercises on an annual basis.

I am trying to understand how other companies have written their Key Control(s) for this area, specifically showing that important data is backed up and the results are monitored. Please forgive me if your reply states this... SOX terminology is new to me. Thanks again.
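The control jeffmartintx describes (a ticket for every backup failure, plus evidence that each in-scope database was backed up on schedule) can be evidenced from the backup job log rather than from hand-raised tickets. The Python below is an added example, not code from this thread or from any backup product; the log line format, database names and review period are constructed assumptions. It also catches the scheduling-conflict case the post mentions, where a job never ran and so logged no failure at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample job log (hypothetical format); HR_PAY has no job logged on 04-15.
SAMPLE_LOG = """\
2009-04-13 01:05:12 db=FIN_GL type=full status=SUCCESS
2009-04-14 01:03:40 db=FIN_GL type=incr status=SUCCESS
2009-04-15 01:04:02 db=FIN_GL type=incr status=FAILED err=tape_busy
2009-04-16 01:03:51 db=FIN_GL type=incr status=SUCCESS
2009-04-13 02:10:00 db=HR_PAY type=full status=SUCCESS
2009-04-14 02:08:31 db=HR_PAY type=incr status=SUCCESS
2009-04-16 02:09:10 db=HR_PAY type=incr status=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+ \S+) db=(\S+) type=(full|incr) status=(\S+)(?: err=(\S+))?$")

def parse_log(text):
    """Parse job lines; unparseable lines are returned, not silently dropped."""
    jobs, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        ts, db, kind, status, err = m.groups()
        jobs.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "db": db, "type": kind, "status": status, "err": err})
    return jobs, bad

def evaluate(jobs, in_scope, start, end):
    """One ticket per failed job; one gap per in-scope db/day with nothing logged; dbs lacking a full."""
    tickets, gaps, no_full = [], [], set(in_scope)
    seen = defaultdict(set)
    for j in jobs:
        if j["db"] not in in_scope or not (start <= j["ts"] < end):
            continue
        seen[j["db"]].add(j["ts"].date())
        if j["status"] == "SUCCESS" and j["type"] == "full":
            no_full.discard(j["db"])
        if j["status"] != "SUCCESS":
            tickets.append((j["db"], j["ts"].isoformat(), j["err"]))
    day = start.date()
    while day < end.date():
        gaps.extend((db, day.isoformat()) for db in in_scope if day not in seen[db])
        day += timedelta(days=1)
    return tickets, gaps, sorted(no_full)

def run_sample():
    jobs, _ = parse_log(SAMPLE_LOG)  # CRM is in scope but absent from the log entirely
    return evaluate(jobs, ["FIN_GL", "HR_PAY", "CRM"], datetime(2009, 4, 13), datetime(2009, 4, 17))
```

The three returned lists are the evidence an auditor would ask for: tickets to raise, days on which an in-scope database had no job at all, and databases with no successful full backup in the period.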
Author: Cassandra (Soxer; Joined: Aug 25, 2004; Posts: 36; Location: Austin TX)
Posted: Mon Apr 20, 2009 10:14 am

Your control should reflect your process as long as your process provides reasonable assurance that the data is backed up and recoverable. I would suggest that management re-write the control to reflect the current process and also discuss with your external auditors.
Author: fastforward (Newbie; Joined: Oct 26, 2009; Posts: 4)
Posted: Thu Oct 29, 2009 12:18 am

Hello.
I have a small firm and 12 PCs. I do not know how to take a backup of all of the PCs by using a server. May I have a link or procedure on how to set up a server and take a backup of all the PCs? Right now I am doing it with pen drives.
_________________
When there is a will there is a way.
Author: harrywaldron (SoxGuru; Joined: Jan 12, 2006; Posts: 849; Location: Roanoke, Virginia)
Posted: Wed Nov 04, 2009 1:24 pm

Hi - While USB flash drives are a good approach, it does require time (especially if you are personally doing all of these).

Some ideas might include:

1. Backup Services - Carbonite.com is a popular approach, which will automatically do this in a secure manner with high levels of encryption during transmission and at their site. I'm personally inexperienced with this approach and would suggest more research. It will back up all PCs automatically provided they are connected to the Internet. It will cost some $$$ to do this, but your own time and your staff's time might offset this.

2. Create Network Shares on Servers - Users can map to network shares on the server and store documents there. The disadvantage is they will usually still store some things on their own PCs that might be lost, as you're relying on the procedure.

3. Have the Staff back up with PEN drives - If you're personally doing each workstation, you can buy a drive for each PC and have the users copy key folders across. You can even create a batch file that runs every Friday (but that's outside the scope of these forums and my current experience).

4. Create standard folders for staff to use - One idea is to only back up data and rebuild the operating system plus reload apps. If everyone saves to standard folders, just those can be backed up.

5. PC Backup Software - There are lots of products out there with automation, and they can be expensive. Some will poll centrally from the server over the weekend to automatically back up. Maybe someone at a computer store like Staples or another firm might have a cost-effective solution for a network of your size.

Code:
http://www.google.com/search?hl=en&source=hp&q=PC+Backup+software

Personally, I like #1 if it's cost effective and they give you a good rate. There's also backup and recovery software
Author: reese (Newbie; Joined: Apr 23, 2010; Posts: 3; Location: PHILIPPINES)
Posted: Thu Dec 02, 2010 9:30 pm

Hi, I think my concern is related to the discussion. Currently in our company an in-house back-up program is installed on all PCs. With this, every employee is obliged to run the back-up program to back up employee files once a week, and IT monitors this by maintaining a checklist of who did and did not perform the weekly backup. However, despite the monitoring, there are still employees who fail to back up their files for several reasons. To address this, the IT group has a plan to set up a shared folder that will be used as storage for the essential business files of the employees. Meaning, all employees in a department will maintain their files in a common folder. And before the week ends, an IT staff member will back up the file server.

In this new backup approach, what do you think will be the risks and disadvantages? And what do you think will be the best solution to maintain the regular backup of employees' files?

Thanks in advance.
Author: kymike (SoxGuru; Joined: Jun 02, 2004; Posts: 637; Location: USA)
Posted: Fri Dec 03, 2010 7:32 am

Reese - Your IT department needs to force a backup on a regular basis if that is your policy. They should be able to do this fairly easily. While my company does not force us to back up our desktops and laptops, they do force weekly virus scans and software updates. They write their scripts to push updates to us and allow us to apply them at our leisure within a given timeframe to help avoid work disruption. If we don't apply them within the given timeframe, then the updates are applied automatically. The same logic could be applied to backups.
Author: harrywaldron (SoxGuru; Joined: Jan 12, 2006; Posts: 849; Location: Roanoke, Virginia)
Posted: Fri Dec 03, 2010 2:07 pm

Quote:
To address this. the IT group has this plan to set up a shared folder that will be used as storage of essential business files of the employees. Meaning, all employees in a department will maintain there files in a common folder. And before the week ends an IT staff will backup the file server.

While we do this at work also, there's still the risk that professionals will use their own copies of the data or files on their local PCs and not save them on the network file servers. Still, I like the file server approach, as it offers an improved backup approach because servers are included in the nightly or weekly backups.

As kymike shares, scripts and standards are helpful, and there are even utilities that will back up PCs during off hours or weekends.

Also, periodic email reminders, audits and checking up on folks to ensure they abide by the standards are helpful.