Backup Restore Frequency 1377



  • Some companies test their ability to restore backed up data twice yearly, and external auditors are fine with that. However, others test quarterly, and I’m told it’s because their external auditors determined it to be best practice. I believe that twice yearly is more than sufficient to demonstrate the effectiveness of an assertion regarding control over backup/restore. Anyone have experience of their own to share?
    Thanks.



  • I searched my knowledgebase and found the following:
    Backup frequency is another important issue in centralized PC recovery solutions. For mobile PCs that only occasionally connect to the network, it may be appropriate to perform a backup each time a connection is made.
    For desktops and laptops that are frequently or always connected, timing is a function of policy. Frequent backups minimize potential data loss, but also create additional overhead and increase network bandwidth requirements.
    The decision to perform backups hourly, annually, or somewhere in between should be based on a quantitative analysis of value at risk and the total cost of the solution.
    Others on this Forum who are IT professionals might be able to provide more specifics and minimum guidelines that provide the auditor with reasonable assurance.
    Hope this helps,
    Milan



  • Thanks for the quick response. However, if you’ll review my original post, what I’m actually looking for is a frequency for testing of a company’s ability to restore backed up data, not back up the data itself. I’ve heard that some companies get away with doing this once or twice a year. I’d prefer to suggest that to my client, rather than a quarterly restore. Anything you or others have heard in this regard will add value.
    Cheers,



  • In an IT Services Agreement with a large IT Service Provider Co. and the Client Company, the following excerpt might be helpful:
    Recovery Testing
    Recovery testing validates that the disaster recovery plan meets recoverability objectives and evaluate how well the recovery plan integrates with the various other service providers to provide timely recovery from a disaster. An annual, scheduled test of the recovery process in a xyz recovery center is recommended.
    IT Service Provider Responsibilities
    IT Service Provider will perform the following tasks under the provisions of the SLAs referenced in the SLA Matrix document.
    Provide the required personnel resources to perform disaster recovery testing
    Schedule annually, with XYZ, up to 36 hours of disaster testing time within a XYZ recovery facility in conjunction with the Client Company.
    Execute the disaster recovery plan procedures for the test period
    Document the activities performed during the test, for subsequent review
    Create disaster recovery test report, outlining suggested changes to the disaster recovery plan, following completion of the test
    Client Responsibilities
    Client will perform the following tasks:
    Work with IT Service Provider and XYZ Recovery Co. to designate an available weekend for disaster recovery testing, which may require up to four hours of production downtime to complete.
    Hope this helps,
    Milan



  • Formal Semiannual restore drills to check the quality of backups are acceptable to most of the external auditor.
    Some more points for consideration are:

    1. The Backup media is used according to vendor specification (Defined no of read and writes per media, Environmental controls for storage, handling etc)
    2. Are the restore operations a common part of the regular IT operations. This is more about how many regular backup are restored (successfully) as a part of the normal IT operations (per day/week). The more the number the more time gap can be maintained for the restore drills.
    3. Is there a DR plan which is activated/tested every year? If that’s so u can coincide one restore drill with it/ or pass it as a restore drill.
      Calvin


  • Restoring once a year is sufficient for SOX Compliance.



  • Once or twice a year restore testing should be enough. However, if your auditor claims you for a higher frequency, you may argue that you restore data ‘on demand’ according with the requirements and support our position with the logs. :lol:



  • On the technical side can I suggest a daily restore to ‘dev/null’?
    It impacts very little on the machine doing the work but verifies the readability of the backed up data, as well as reporting the size of the backup etc. I see no reason why this can’t be done as part of the backup script.
    An alternative is to fully restore the data onto a 2nd, identical machine which can then be used for development, standby, testing or training purposes.
    Also note, I understand there is a peculiar crossover into SARBOX requirements in respect of backups where the audit records themselves need to be available from the backup so you can not only be compliant in a disaster, you can demontrate your compliance after a disaster (and recovery) happens.



  • As one of my managers once said, ‘anyone can take a backup, but recovery is another story’ 😉 🙂 … A few additional thoughts that may or may not be directly related to SOX compliancy requirements:

    1. It is indeed important to ensure backups are tested, as well as key aspsect of your Disaster/Recovery process (e.g., if you’re using cold or hot site recovery techniques). D/R testing goes beyond just recovering servers – as you may recover mainframes, communication controllers, etc.
    2. It’s beneficial to have Off-Site tapes mailed back in to test readability and recovery capabilities (e.g., usually an older file, and it’s good check to ensure the media is okay in it’s off-site storage location with respect to temps and humidity controls)
    3. I liked OTL’s idea for the daily tests as that improves assurances that all is well in the backup/recovery process.
    4. Security is important to consider throughout the process, so that no customer information is accidently exposed.


  • The main purpose of backing up data (on tapes) is to ensure that u will be able to restore it at some point of time in future. Now the restoration shouldnt be daily as the data is fresh on tapes (tapes may not be even out of the library in most cases) and it doesnt verifies that it can be kept stored a little longer and still can be restored. Anyone can refresh the data they backed up in the morning in the evening but can you do it after 6 months …is an important question here.
    Getting the business user to test the data on daily basis is really difficult and a restore without testing it for accuracy is no good as a control.
    In case u want to restore the data from all pervious dates today on daily basis then it will be serious overhead on IT operations.


Log in to reply