Data Preservation: What to Include in Your Data Protection Policy

Most companies have solid overall default data backup plans; however, many do not have sufficient processes or controls for ensuring proper data protection based on business requirements. To avoid the development of dangerous gaps between the level of protection that exists and that which is needed, every organization should devise and adhere to a sound data protection policy.  

Common Gaps in Data Protection

Sound data protection is a fundamental part of resiliency and business continuity. 

Most organizations have good overall strategies and solutions for backing up their data. These can include traditional backup, log shipping for databases, and replication. But in many cases, individual applications or data repositories are not sufficiently protected against data loss.

One area where we at MHA Consulting see this a lot is when new applications are brought into use. Typically, in such situations, the team involved focuses exclusively on getting the new app integrated into the production process. Little or no thought is given to protecting the data based on the business need. 

Usually, this lack of attention to data protection is accompanied by an assumption that data backup for the new app will be managed by the IT department. This is usually true as far as it goes. But sometimes it does not go far enough.  

Typically in these cases, IT will provide its standard level of protection, which in most cases means backing the data up with a traditional backup job (a daily run, the old-school "tape" model) once every 24 hours.

This is fine if that frequency of backup is appropriate for the new app. But what happens if the app is one for which the loss of 24 hours’ worth of data would create a serious problem for the company?  

Two vital matters are commonly overlooked in situations such as the one described above: determining what level of protection is appropriate for the data associated with an app, and ensuring that this level of protection is actually implemented.

Potentially Costly Vulnerabilities

When organizations allow holes to develop in their data protection efforts, they are creating potentially costly vulnerabilities.  

Typically, when companies lose data which they are unable to recreate in a timely manner, their ability to perform their missions is compromised, with negative impacts on their customers, revenue, and reputations. 

Imagine the impact on a bank that permanently lost eight hours’ worth of data on its customers’ deposits, withdrawals, and transfers.  

Now, imagine a parallel loss of information at your own organization. 

Clearly, this is a scenario best avoided, and the way to avoid it is to identify and close gaps in your organization’s data protection program. 

Crafting a Data Protection Policy

The best way to prevent the sort of gaps and losses we’ve been talking about is for the organization to develop and adhere to a sound data protection policy (sometimes called a backup policy).

Such a policy should contain the following: 

  • A requirement that every production environment be minimally backed up daily. This is the default minimum; some environments might need to be backed up more frequently as explained below.  
  • A standard for the backing up of test or development systems. A schedule of weekly backups might be sufficient for these environments, given the relative unimportance of the data they contain. 
  • Sections describing the different data protection policies and requirements for systems located on the premises and those that are based in the cloud.
  • A requirement that when new applications are introduced, application assessments be conducted. These assessments will determine an appropriate recovery point objective (RPO) for the app and whether and how that RPO can be met. These assessments will identify the appropriate backup frequency and data protection strategy. (See this post for an explanation of RPOs.) 
  • A requirement that all apps be reviewed annually from a data protection perspective to ensure the protection strategy continues to meet the business needs.
  • A process spelling out how exceptions will be handled. An exception means a situation where it is not immediately feasible to protect the data or environment as frequently as the RPO requires. The usual reasons exceptions are needed are cost or lack of technical capability. Such exceptions should be tracked and noted, with senior management signing off on the granting of the exception. The exception process might spell out a plan for closing the gap and eliminating the need for the exception within a time frame such as six months. The approach might have to be phased, depending on the nature of the gap. Both the IT department and the business department that owns the data should be involved in the exception process for a given app.  

Protect Your Organization by Protecting Data 

Protect your organization by protecting its data. Most organizations do an excellent job with basic data backup, but gaps sometimes develop when the data protection assessment is not part of the implementation or project. These data preservation gaps can amount to serious vulnerabilities.  

The best way to avoid these gaps is by crafting and adhering to a sound data protection policy. Such a policy specifies the minimum level of protection, requires assessments of the data protection needs of new apps, mandates annual reviews of applications and data repositories’ RPOs, and spells out a process for tracking, approving, and closing exceptions.  

Further Reading

For more information on data preservation, protecting your data, and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: 

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.