Backup and Backup Retention Policy
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template. Below is a table from the policy:
Individual PoliciesAll of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.
Record Management, Retention, and Destruction Policy
The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration. You areas included with this policy template are:
![]() You can download the Table of Contents and selected pages for this policy template.
|
|
Required Processes |
Recommended Solution |
Cost |
|
Implement formalized security policies and procedures |
Security Manual Template |
|
|
Audit access to databases and network |
Security Audit Program |
|
|
Monitor network activity to identify unusual activity |
Network Event Viewer |
|
|
Monitor user activity to identify unusual activity |
Smart Disk Monitor |
|
|
Archive logs to meet compliance requirements |
Text Log Monitor |
|
|
Automate monitoring |
Network Event
Viewer |
DHS Stresses Need for Communication Capability in Disaster Recovery
The Homeland Security requirements for communications
interoperability include:
-
Ability of agencies to talk across disciplines - via voice, data, image, video, or multimedia that include multiple forms of information.
-
Ability to communicate and share information as authorized when it is needed, where it is needed, and in a mode or form that allows the practitioners to effectively use it.
Since a disaster or business
interruption event or incident can happen anywhere, key staff members must have
data communications on the scene, as well as away from the scene (at home), for
command control and information to complete their missions. Homeland Security
requirements have recognized the need for temporary networks that can form
automatically on-scene among first responders. Temporary networks must be able
to integrate with larger temporary or fixed networks, but need to be independent
of fixed infrastructure in case the latter is disabled. Because disaster or
business interruption scenes often expand as incidents develop, temporary
networks need to be capable of expanding easily with the
scene.
Cost of Computer and System Outage
In today's highly
difficult and competitive
business environment, computer
and information system outages can be devastating. Regardless of
the cause - hurricane, fire, accident, hacker attack, or even terrorist
attack - production system and computer downtime is not only costly, but in some
cases ruinous. With a mobile workforce, global customers wanting to do business
around the clock, and continually greater dependence on technology, companies
need to not only protect data, but also continue business operations virtually
uninterrupted. The cost of downtime, depending on your industry, can be from
thousands to millions of dollars per hour - due not only to disaster
recovery expenses, but also to lost sales, customer defection, and lack of
productivity. Add to that a damaged reputation in the marketplace and diminished
shareholder confidence, and the cost of downtime can be staggering.
Maintaining productivity during a business interruption
Enterprises are being forced to take a new look at their business continuity and disaster recovery plans because of the prospect of business closures, terrorist attacks, and/or pandemics - epidemics affecting wide geographical areas for weeks or months.
Planners are contemplating new scenarios, in which massive closures in business along with a major disaster like a terrorist attack or a pandemic that limit travel and prevent workers from congregating in offices.
The striking new challenge is how to maintain employee productivity when the workforce is confined to their homes or other remote locations. The question is how can a company go from 10% of its employees working outside of the office to 80%?
Key issues facing enterprises that might need to turn office workers into mobile workers, rapidly and in large numbers include:
-
The technical and human challenges of supporting business processes during and after the business interruption event.
-
The planning required.
-
Procedures to equip employees with the information and technology to remain productive.
-
Potential impact on the infrastructure and on support staffs.
Each of these is addressed in the Disaster Recovery Business Continuity Template published by Janco Associates.
- more infoOutsouring Can Help in Disaster Recovery Planning
Between hackers, natural disasters,
or even a pipe breaking in the office above
yours, every business needs a contingency plan. It could mean the difference
between riding out a problem and going out of business. For this reason, most
businesses are concerned about the safety of their backups. Data loss is a
significant concern for any business - and in healthcare and other industries
can have huge financial consequences. Soltions typically require that you spend
more money on a third party backup solution. - more infoWhat is the optimal method of back up for an enterprise's disaster recovery plan?
The Backup and Backup Retention policy is an 11
page sample policy that is a complete policy which can be implemented
immediately.
The document is provided in both Word 2003 and Word 2007 format and is
easily modified.
|
Solution |
Benefit |
Cost |
|
Local
Backup |
Shorter backup times Reduced bandwidth |
More hardware and staff Security risks |
|
Central
Backup |
Less hardware and
staff |
Increased bandwidth costs Increased backup
times |
|
Central
Backup |
Shorter backup times Reduced bandwidth Less hardware and
staff |
One-time technology
investment |
Impact of Going Green On Disaster Plan
Disaster planning and business continuity planning are often impacted by green initiatives undertaken by enterprises. One of the prime areas that CIOs often focus is power consumption. When these are looked at, at least five (5) areas are impacted.
-
Data centers
-
Desktops
-
Working at home
-
Services and processes for customers
-
Services and processes for suppliers and affiliates
These
have to be considered and included in the disaster recovery and business
continuity plan. The question that
also has to be answered is what the cost impact in troubled economic times
is.
Disaster and Business Continuity Control Points
When
selecting the physical infrastructure in which to deploy IT equipment for your
remote offices disaster recovery and business continuity plan demand that you
consider and IT equipement location as a data center and you will to consider
these five controls:
-
Access control - Open racks leave equipment vulnerable to accidental or intentional misuse. Enclosures with locking entries provide physical protections from unauthorized access and other environmental hazards, and permit more deployment options.
-
Temperature Control - Central air conditioning can only go so far in overcoming the heat output of rack server environment. Enclosures can be equipped with fans to keep temperatures within acceptable levels throughout the equipment.
-
Power Control - Power protection and battery backup can be provisioned in compact units to protect servers and enclosures from power problems.
-
Cable Control - Look for options that provide for a neat, well-organized arrangement of cables that will not impede airflow or enable cables to be accidentally unplugged.
-
Flexibility Control - The server environment should accommodate rack-mounted or shelf-mounted equipment, linking of bays into larger units, graceful management of unused space, and the option to roll the entire unit to another location as needs change.
-
Management Control - IT equipment is expected to run unattended most of the time. A monitoring/management system provides good visibility and control of the IT environment from anywhere, over the company network.
Guidelines for Disaster Recovery and Business Continuity Planning
Disaster recovery and business continuity are important business
issues that require awareness and planning. Guidelines that can be used in this
process are:
-
Look at the big picture your business processes, systems, networks, data, and people all need to be considered when planning and implementing these processes.
-
Understand your levels of tolerance for lost work, missing data, and unproductive time.
-
Document and test your plans, and update them when business needs change.
-
Configure your environment to minimize the likelihood of a failure escalating into a disaster.
-
When evaluating technology solutions, take into account meeting your recovery objectives, kinds of disasters youre likely to face, and levels of cost, complexity, and disruption involved.
-
Know the advantages and limitations of each technology, and adjust your expectations accordingly.
-
Remember that backing up your data is the most reliable form of protection, without which your business is vulnerable.
Why Have a Disaster Plan
In the event of a disaster, will your enterprise have the ability to pick up the pieces and get back to work, or will things grind to a halt? While it isn't possible to plan for every event, a solid disaster recovery plan can make all the difference. A disaster recovery plan is one of those difficult but necessary aspects of a successful business.
The first step to crafting an individual disaster recovery plan is mapping out the most critical aspects of day to day business. If a great deal of time is spent communicating with clients over the phone, then a backup phone system needs to be addressed. This can be as simple as having employee cell phones, so that if the office's land line is damaged, workers can call clients using their cell phones. It may also be as complex as having a backup call center located in another state, so that traffic can be routed to another location if problems arise at a certain call center.
Data safety is a crucial and overlooked aspects of disaster recovery. Being able to call your customer and clients on another phone system is little help if you do not have a list of customers and clients, their orders, and their phone numbers. You cannot take new orders if you do not have access to your inventory system or are unable to put in new shipping orders. Data disaster recovery often includes making frequent backups of all critical data and records, both digital and hard copies, and storing them in a secure, remote location.
It is also important to keep in mind the time frame for disaster recovery. If your company needs to be able to recover almost instantly from a disaster, much more complex and redundant steps must be taken than if you have the ability to spend more time recovering. If your company works in a real time, online environment, you need multiple backup systems standing by so that, in the event of a disaster, they can instantly come online. If your company works in longer time frames, then allowing for several hours or days to recover records, organize documents, and resume work may be acceptable.
In the event of a disaster, will your business have the ability to pick up the pieces and get back to work, or will things grind to a halt? While it isn't possible to plan for every event, a solid disaster recovery plan can make all the difference. A disaster recovery plan is one of those difficult but necessary aspects of a successful business. With luck, you may never need to rely on your disaster recovery plan, but if you ever do, you'll be glad that you planned ahead.
- more infoRoles in Developing a Disaster Recovery Plan
The
disaster recovery policy must be reviewed at least annually to assure its
relevance. Just as in the development of such a policy, a planning team that
consists of upper management, and personnel from information security,
information technology, human resources, or other operations should be assembled
to review the disaster policy. Roles and responsibilities of the planning team
should be as follows:
-
Perform an initial risk assessment to determine current information systems vulnerabilities.
-
Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
-
Take an inventory of information systems assets such as computer hardware, software, applications, and data.
-
Identify single points of failure within the information systems infrastructure.
-
Identify critical applications, systems, and data.
-
Prioritize key business functions.
The Disaster Recovery Plan Template has tools that can be used immediately and defined in detail all of these responsiblities and provides a work plan that can be use as is.
- more infoWhat Should a Data Center Disaster Plan Have
What
should a Data Center Disaster Plan Have? Janco has found that a go
Disaster Recovery Plan should have:
-
A section that describes the strategy and procedures for recovering Data Center processing of applications should a disaster substantially disrupt operations.
-
The disaster recovery plan should ben organized into three parts: the main body which provides a general description of the disaster recovery strategy and program, the appendices provide detailed information for conducting the recovery, and the attachments provide supplemental information. The main body is public information and may be freely distributed; the appendices and attachments contain sensitive information that is restricted to the individuals responsible for recovering Data Center operations. The appendices and attachments must be destroyed when updated versions are received.
-
The plan is frequently updated to reflect current hardware, software, procedures, applications, and staffing. Revisions are distributed to the disaster recovery team members at least twice a year following the disaster recovery tests.
There is More to Disaster Planning Than Creating Backup Files
The
definition of the necessary level of data backup and restoration processes are
crucial components of business continuity and disaster recovery planning. But
they are not the only factors that the enterprise and its IT organizations need
to consider when defining the strategy they will use in protecting critical data
against various disasters including unforeseen events such as severe weather,
natural disasters or power failures. They also need to take into account
applications, servers, networks, communications, work spaces, and the people who
run the applications.
How can organizations effectively evaluate their business continuity needs and ensure that the technologies in place are effective? One key step is to conduct a business impact analysis which examines all the business functions and assesses the damage if a function suffers outages. Storage systems - and more specifically the data thats stored in them - are extremely relevant for business continuity. But so are the applications, servers, networks and people who run the applications.
Metric for business continuity and disaster recovery include timelines for recovery point objectives (RPOs) and factors defined as recovery time objectives (RTOs). For data to be available when needed, it needs to be replicated to a remote site. Depending on the desired RPO, that could be synchronous or asynchronous data transfer. In some cases it could be a combination of data that is replicated synchronously to a location that is geographically close and then asynchronously replicated to an out-of-region recovery center.
But data is only part of the equation. Servers, networks and other IT components also play a major role. Just having the data replicated might be okay for a disaster recovery environment with longer acceptable recovery time objectives. The high cost of storage, communications, network access, and software replication are just a few of the challenges in implementing adequate business continuity. For a complete real business continuity plan, more than just the data needs to be replicated and available at a secondary site - employee workstations, communication, servers, and applications need to be available. Only with a complete business continuity and disaster recovery plan and strategy in place can organizations ensure continuous operation of the enterprise and availability of vital information.
- more infoRisk Assessment is First Step in Disaster Recovery and Business Continuity Planning
The
first step in creating a disaster recovery plan (see Disaster Recovery Plan
Template Business Continuity - http://www.e-janco.com/DisasterPlanning.htm) is conducting a risk analysis of your business
operation, (see Threat Vulnerability Assessment -
Sarbanes Oxley 
Compliance Tool - http://www.e-janco.com/threat.htm) computer applications, and your computer
systems. List all the possible
risks that threaten the continuity of your business operations, system uptime,
and evaluate how imminent they are in your particular IT entity. Anything that
can cause a system outage is a threat, from relatively common man-made threats
like virus attacks and accidental data deletions (most common occurrence) to
more rare natural threats like floods and fires. Determine which of your threats
are the most likely to occur and prioritize them using a simple system: rank
each threat in two important categories, probability and impact. In each
category, rate the risks as low, medium, or high.
For example, a small distribution company (revenues of $25,000,000) located in Florida could rate a hurricane an high probability with a high impact, an earthquake threat as low probability and high impact, while the threat of utility failure due to a power outage could rate high probability and high impact. So in this company's risk analysis, a hurricane and power outage would be a higher risk than an earthquake and would therefore be a higher priority in the disaster recovery plan.
- more infoDisaster Recovery Communication Requirements Defined
Disaster Recovery Planning requires a communication network in
place that meets at least the following requirements:
-
Voice: It would be absolutely essential for disaster recovery personnel to communication with one another on a common voice channel. A useful service in this regard is provided by the push-to-talk voice call system that has been incorporated by the GSM standard in its Phase 2+ version as an additional service. The push-to-talk system enables an almost instant voice connection to be setup between the speaker and the intended call recipients, thus saving precious time in emergency situations.
-
Data: Disaster recovery personnel at the disaster site must be able to exchange data with the Remote Command Center in real time. Further, the personnel must be able to exchange data with one another. Lastly, they should be able to connect to the public internet and possibly to a remote third party via a secure link.
-
Location information: Each of the disaster recovery personnel at the disaster site must be able to see the locations of all other active personnel in a specified area, relative to their own positions. This service may prove crucial in situations where in a worker want to warn nearby workers of dangerous conditions (e.g. collapsing buildings after an earthquake) or wants to request backup for immediate help in rescuing disaster victims.
Staff Training Critical for Business Continuity

A statistic that may be alarming to those with
remote locations who may not be properly managing the storage at those sites is
that up to 80 percent of the information deemed "important" to "critical" for
the average multiple-location business resides in their branch offices. That
means the office manager, salesperson, or computer-savvy marketing guy is
responsible for 80 percent of the companys future! Whether that person takes
vacation, business trip, gets too busy or simply forgets to perform the nightly
backup, your data is at risk.
Even if the job is assigned to the most responsible person in the
entire company the person whos always around there's no guarantee that the
job will be done correctly, consistently, or in a timely manner across sites.
The office manager at one site may have a different method than the inside sales
representative in another location. The marketing manager at a third site may
perform the task with less consistency than the other
two.










The
Backup and Backup Retention policy is an 11 page sample policy that
is a complete policy which can be implemented immediately. 

Internet, 







