Backup and Backup Retention Policy Template
CIOs and IT Managers need to consider mandated compliance requirements
Just added Best Practices for Backup, Cloud Backup and Mobile Device Backup
Questions that need to be answered are:
- Is our data safe in transit and at rest?
- What prevents hackers from gaining access to our data?
- Is our data properly handled, stored, and deleted?
- Who can access our data?
- What are the benchmark measurements?
- Is our data backup strategy compliant?
- Will our recovery be successful?
Managing backup and recovery in today's environment is a multi-dimensional challenge with both near and long term business requirements. Recent technological developments in disk backup have had a positive impact on short term data retention requirements (see also BYOD policy). But these improvements do not replace the need to execute and deliver on a long term data retention strategy which includes:
- Business and Regulatory Requirements Demand a Long-term Plan
- Manage and Contain Your Total Cost of Ownership (TCO)
- Encrypt Your Data for Secure Long-term Retention
- Weigh the Environmental Impacts and Minimize Power and Cooling Costs
- Simplify Management of the Entire Solution
IT organizations of all sizes contend with a growing data footprint with more data to manage, protect, and preserve for longer periods of time. Online primary storage has a focus on fast, low-latency, reliable access to data, while near-line secondary storage has a focus on low cost and high capacity.
Long-term data retention requires a combination of ultra-low cost, good performance during storage and retrieval, and reduced footprint in terms of power, cooling, floor-space and economics - also known as a small green footprint - for inactive data.
The Backup and Backup Retention Policy Template has been used to create customized policies for well over 2,000 enterprises worldwide. This policy and the Record Management Policy Template together are must-have Best Practices tools for CIOs and IT professionals.
For example, factors that CIOs and IT professionals need to consider for backup retention include:
- Business and regulatory requirements – regulatory compliance and data preservation
- Economic and budgetary concerns – doing more with less
- Data loss prevention and information protection – protect, preserve and serve
- Environmental and business sustainment – green and economically efficient
- Maximize IT resource effectiveness and return on investment (ROI)
- Reduce total cost of ownership (TCO) of IT resources and service delivery
Burgeoning data continues to put pressure on legacy backup and recovery systems. Migration from tape to disk is accelerating, and innovative approaches to backup, such as an architecture with target-side disk backup appliances and deduplication, give companies a powerful capability to better manage backup and recovery and the scalability burdens associated with data growth.
A "Best of Breed" backup strategy considers how to:
- Back up critical application data — across mixed operating systems and storage configurations
- Restore desktops and mobile users quickly
- Restore systems to dissimilar hardware or virtual systems
- Back up data and system information to off site locations, so that you can quickly recover your business even from a total loss of your facility
- Leverage new cloud-based backup offerings to properly secure, back up, and archive critical data
CIOs, CSOs, Disaster Recovery Managers, and Business Continuity Managers are constantly working to improve their recovery point objectives (RPO) and recovery time objectives (RTO) by performing fast, non-disruptive backups and data restoration.
All comprehensive data protection solutions involve many considerations and contingencies.
- Accidental or malicious deletion of critical data - Requirement for the ability to quickly and easily restore individual files and folders.
- Data that is lost or corrupted over a period of time - Requirement to roll back individual records to fix database corruptions. The ability to recover data from any previous point in time, and have it as granular as possible.
- A crashed disk - Requirement to recover a disk volume is different than recovering a single file, but it should be done just as quickly, and with automation to help keep operational disruptions to a minimum.
- A server failure - Requirement to restore operations when replacing a broken server may be complicated by the need to install different drivers on the new system if the hardware is not an exact match. It helps to have the capability to move the application workload to a standby server (with different hardware) or virtual server while the system is being replaced or repaired.
- A local or regional disaster - Requirement to have a current copy of your important information in another location outside the disaster zone, for when you lose an entire office to fire, flood, or other disaster.
- Remote offices and branch offices - Requirement to have a process in place to restore with minimal technical support as remote and branch offices often do not have the luxury of having an on-site technical resource to assist in backups and restores.
- Resource-intensive backup processes - Requirement for frequent or even continuous backup that is not resource-intensive.
- Security breaches - Requirement to secure data. When moving data between sites, it needs to be protected from potential security breaches. A breach of data security, whether actual damage is done or not, can be devastating to your company's reputation, as dozens of large enterprises and government agencies have found in recent years.
The Backup and Backup Retention policy is an 18-page sample policy that is complete and can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy:
Data Deduplication - Cost Savings Potential
It is estimated by some that corporate data grew by 25% in 2009 after several years of increases at two to three times that rate. When you combine this with flat to decreasing IT budgets, something eventually has to give. Companies are now forced to make a choice. They will have to either keep buying more storage - which means other budgeted items go unfunded - and deal with the increased operating costs associated with managing more devices, such as power, cooling, and data center space, or reduce the amount of data retained, which could impact compliance, recovery service level agreements, and business intelligence initiatives. Data deduplication approaches offer IT a hybrid alternative, which is to remove redundant content before it is ultimately stored - eliminating most of the downstream negative effects that the added capacity would cause.
The gains in capacity savings provide customers with much more optimistic outcomes, such as the ability to retain more “virtual” and true information online for longer periods, dramatically lowering the operating impact of supporting that data and enhancing data protection operations with disk. These outcomes can lead to huge downstream financial benefits, such as moving corporate archives from tape to disk to assist corporate counsels in responding to electronic discovery requests.
For example, in a survey, approximately 60% of U.S.-based trial attorneys reported having cases that raise electronic discovery issues. Of that group, over 86% have issued or received a discovery request for electronically stored information since the new Federal Rules of Civil Procedure went into effect in December 2006. Corporate counsels need to be able to quickly run searches against centralized online archives in order to facilitate early case preparation and potentially avoid legal expenses by reaching a settlement prior to trial.
Mounting financial and legal liability risk
Recovery and restore failures lead to serious financial and legal risk. The risk increases if there are no organizational retention policies with thorough organizational carry-through. IT admins are, by their nature, pack rats. They want to keep everything just in case. This leads to backups being stored for years, even decades. This increases potential legal liability. If there is litigation, a potential legal hold can be placed on any or all data that might be pertinent to the lawsuit. This can mean years of backups. Every bit of that held data must be searchable. To be searchable it has to be recovered and restored. If it cannot be recovered and restored, the judge will, based on precedent, tell the jury to regard that failure as data that would be detrimental to their case. Data retention without consistently practiced policies of data destruction leads to massive liability risk.
Urgent Data Protection Recovery and Restore Problems
- Inability to recover and restore data when it's required
- Data recovery and restore takes longer than required RTOs
- Overly complicated recovery and restore processes that increase errors
- Storage snapshot recovery and restore issues
- Mounting financial and legal liability risk
- Missed data protection windows
- Inadequate protected data versioning
- Insufficient data protection RPO granularity
- Too many data protection errors
- Data protection as well as Business Continuity and Disaster Recovery (BC-DR) TCO is much too high
Long Term Data Retention
Long-term data retention includes weekly, monthly or other long-term backup, primary backup copy of data, off-line copy of static or fixed content data, archive and strategic data preservation. The emphasis is on low cost, long-term durability, compatibility, and energy efficiency for lengthy data retention. Tape is leveraged as a high performance bulk storage medium to off-load the disk cache, boosting the effectiveness and utilization of disk-based systems. From a green and economic efficiency standpoint, data staged off-line to tape consumes no energy while enabling exceptional performance during bulk restore operations. The combination results in both very green and economically efficient storage in addition to supporting business sustainability and enabling compliance.
Tape versus Disk for Data Retention
A tape copy operation may be made locally and then physically transported to another location for safe off-site storage, or data may be replicated as part of the backup and data protection process to a remote VTL or tape library where a removable tape copy is made. Hybrid solutions also leverage disk to disk locally with snapshots or other point-in-time copies that are then replicated to another location or to a cloud-based storage managed service provider (MSP). Data and network bandwidth optimization techniques and technologies, including compression and deduplication among others, enable more data to be moved on available networks or to reduce networking requirements.
Other Policies
The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed and stored electronically -- a total solution.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Google Glass Policy (Includes Google Glass Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing Policy
- Physical and Virtual Server Security Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 3 electronic forms to help to effectively manage work at home staff)
- Text Messaging Sensitive and Confidential Information (includes electronic form)
- Travel and Off-Site Meeting Policy
- IT Infrastructure Electronic Forms