Backup and Backup Retention Policy Template

IT organizations of all sizes contend with a growing data footprint, with more data to manage, protect, and preserve for longer periods of time. Online primary storage focuses on fast, low-latency, reliable access to data, while near-line secondary storage focuses on low cost and high capacity. Long-term data retention requires a combination of ultra-low cost, good performance during storage and retrieval, and a reduced footprint in terms of power, cooling, floor space and economics - also known as a small green footprint - for inactive data.
The Backup and Backup Retention Policy Template has been used to create customized policies for well over 2,000 enterprises worldwide. This policy, in concert with the Record Management Policy Template, is a must-have best-practice tool for CIOs and IT professionals.
For example, factors that CIOs and IT professionals need to consider for backup retention include:
- Business and regulatory requirements – regulatory compliance and data preservation
- Economic and budgetary concerns – doing more with less
- Data loss prevention and information protection – protect, preserve and serve
- Environmental and business sustainment – green and economically efficient
- Maximize IT resource effectiveness and return on investment (ROI)
- Reduce total cost ownership (TCO) of IT resources and service delivery
CIOs, CSOs, Disaster Recovery Managers, and Business Continuity Managers are constantly working to improve their recovery point objectives (RPO) and recovery time objectives (RTO) by performing fast, non-disruptive backups and data restoration.
All comprehensive data protection solutions involve many considerations and contingencies.
- Accidental or malicious deletion of critical data - Requirement: the ability to quickly and easily restore individual files and folders.
- Data that is lost or corrupted over a period of time - Requirement: the ability to roll back individual records to fix database corruption, and to recover data from any previous point in time with as fine a granularity as possible.
- A crashed disk - Requirement: recovering a disk volume differs from recovering a single file, but it should be done just as quickly, with automation to keep operational disruption to a minimum.
- A server failure - Requirement: restoring operations on a replacement server may be complicated by the need to install different drivers if the new hardware is not an exact match. It helps to be able to move the application workload to a standby server (with different hardware) or a virtual server while the system is being replaced or repaired.
- A local or regional disaster - Requirement: when an entire office is lost to fire, flood, or other disaster, a current copy of your important information must exist at another location outside the disaster zone.
- Remote offices and branch offices - Requirement: a restore process that needs minimal technical support, as remote and branch offices often do not have the luxury of an on-site technical resource to assist with backups and restores.
- Resource-intensive backup processes - Requirement: frequent or even continuous backup that is not resource-intensive.
- Security breaches - Requirement: data must be secured. When data moves between sites, it needs to be protected from potential security breaches. A breach of data security, whether actual damage is done or not, can be devastating to your company's reputation, as dozens of large enterprises and government agencies have found in recent years.
The Backup and Backup Retention policy is an 18-page sample policy that is complete and can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy:

Data Deduplication - Cost Savings Potential
Some estimate that corporate data grew by 25% in 2009, after several years of growth at two to three times that rate. Combined with flat or decreasing IT budgets, something eventually has to give, and companies are forced to make a choice: either keep buying more storage, which means other budgeted items go unfunded and operating costs (power, cooling, and data center space) rise with every additional device to manage, or reduce the amount of data retained, which could impact compliance, recovery service level agreements, and business intelligence initiatives. Data deduplication offers IT a hybrid alternative: remove redundant content before it is stored, eliminating most of the downstream negative effects that the added capacity would cause.
The capacity savings give customers much better outcomes, such as the ability to retain more "virtual" and true information online for longer periods, dramatically lowering the operating impact of supporting that data and enhancing disk-based data protection operations. These outcomes can lead to large downstream financial benefits, such as moving corporate archives from tape to disk to assist corporate counsel in responding to electronic discovery requests.
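To make the capacity effect described above concrete, here is an added, constructed example (not a table or tool from the policy template): a content-addressed chunk store ingests seven daily full backups of a volume whose blocks change 2% per day, and reports logical versus physical capacity. The 4 KiB chunk size, 1000-block volume and 20-block daily churn are assumptions chosen for the simulation.

```python
import hashlib

CHUNK_SIZE = 4096  # fixed-size chunks; commercial products usually use variable-size chunking


class DedupStore:
    """Content-addressed chunk store: a chunk is written once, however many backups reference it."""

    def __init__(self):
        self.chunks = {}         # sha256 hex digest -> chunk bytes
        self.logical_bytes = 0   # what the backups would occupy without deduplication
        self.physical_bytes = 0  # what is actually stored

    def ingest(self, image: bytes) -> list:
        """Store one full backup image; the returned reference list is its 'virtual' copy."""
        refs = []
        for off in range(0, len(image), CHUNK_SIZE):
            chunk = image[off:off + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:      # new content: costs real capacity
                self.chunks[digest] = chunk
                self.physical_bytes += len(chunk)
            self.logical_bytes += len(chunk)   # every copy counts logically
            refs.append(digest)
        return refs

    def restore(self, refs: list) -> bytes:
        """Rebuild a backup image from its reference list."""
        return b"".join(self.chunks[d] for d in refs)

    def dedup_ratio(self) -> float:
        return self.logical_bytes / self.physical_bytes

    def capacity_saved(self) -> float:
        """Fraction of raw backup capacity avoided, e.g. 0.84 means 84% saved."""
        return 1.0 - self.physical_bytes / self.logical_bytes


def block(i: int, version: int) -> bytes:
    """Constructed block content: distinct per (block, version) and deterministic across runs."""
    return hashlib.sha256(b"block-%d-v%d" % (i, version)).digest() * (CHUNK_SIZE // 32)


def simulate_daily_fulls(days=7, blocks=1000, churn_per_day=20):
    """Constructed workload: churn_per_day blocks change daily; a full image is taken each day."""
    store, versions, daily_refs = DedupStore(), [0] * blocks, []
    for day in range(days):
        if day > 0:
            for i in range(churn_per_day):   # which blocks change is immaterial to the totals
                versions[i] += 1
        daily_refs.append(store.ingest(b"".join(block(i, versions[i]) for i in range(blocks))))
    return store, daily_refs
```

With these assumptions seven full backups occupy seven times the volume logically but only about 1.12 times it physically, a 6.25:1 ratio, and every day's image still restores byte-for-byte from its reference list.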
For example, in a 2009 survey, approximately 60% of U.S.-based trial attorneys reported having cases that raise electronic discovery issues. Of that group, over 86% have issued or received a discovery request for electronically stored information since the new Federal Rules of Civil Procedure went into effect in December 2006. Corporate counsels need to quickly be able to run searches against centralized online archives in order to facilitate early case preparation and potentially avoid legal expenses because of reaching a settlement prior to trial.
Mounting financial and legal liability risk
Recovery and restore failures lead to serious financial and legal risk, and the risk increases where there are no organizational retention policies that are thoroughly carried through. IT admins are, by their nature, pack rats: they want to keep everything just in case, so backups are stored for years, even decades, which increases potential legal liability. If there is litigation, a legal hold can be placed on any or all data that might be pertinent to the lawsuit, and that can mean years of backups. Every bit of that held data must be searchable, and to be searchable it has to be recovered and restored. If it cannot be recovered and restored, the judge will, based on precedent, instruct the jury to regard that failure as data that would have been detrimental to the case. Data retention without consistently practiced policies of data destruction leads to massive liability risk.
Urgent Data Protection Recovery and Restore Problems
- Inability to recover and restore data when it's required
- Data recovery and restore takes longer than required RTOs
- Overly complicated recovery and restore processes that increase errors
- Storage snapshot recovery and restore issues
- Mounting financial and legal liability risk
- Missed data protection windows
- Inadequate protected data versioning
- Insufficient data protection RPO granularity
- Too many data protection errors
- Data protection as well as Business Continuity and Disaster Recovery (BC-DR) TCO is much too high
Long Term Data Retention
Long-term data retention includes weekly, monthly or other long-term backup, primary backup copy of data, off-line copy of static or fixed content data, archive and strategic data preservation. The emphasis is on low cost, long-term durability, compatibility, and energy efficiency for lengthy data retention. Tape is leveraged as a high performance bulk storage medium to off-load the disk cache, boosting the effectiveness and utilization of disk-based systems. From a green and economic efficiency standpoint, data staged off-line to tape consumes no energy while enabling exceptional performance during bulk restore operations. The combination results in both very green and economically efficient storage in addition to supporting business sustainability and enabling compliance.
Tape versus Disk for Data Retention
A tape copy may be made locally and then physically transported to another location for safe off-site storage, or data may be replicated as part of the backup and data protection process to a remote VTL or tape library where a removable tape copy is made. Hybrid solutions also leverage disk-to-disk copies locally, with snapshots or other point-in-time copies that are then replicated to another location or to a cloud-based storage managed service provider (MSP). Data and network bandwidth optimization techniques and technologies, including compression and deduplication among others, enable more data to be moved over available networks or reduce networking requirements.
Other Individual Policies
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.
Record Management, Retention, and Destruction Policy

The Record Management, Retention, and Destruction Policy is a detailed policy template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.
The areas included with this policy template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Policy
- Standard
- Scope
- Responsibilities
- Record Management
- Compliance and Enforcement
- Email Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule

You can download the Table of Contents and selected pages for this policy template.
Internet, e-Mail, Social Networks, Mobile Device, Electronic Communications, and Record Retention Policy
This policy is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive Information), and covers:
- Social Networks
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of Email on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
Outsourcing Policy
Outsourcing Policy - This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document that can be modified as needed. The template has been updated to include a HIPAA audit program definition and covers:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Base Case
- Responsibilities
Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
Sensitive Information Policy
Includes HIPAA Audit Program Guide and a PCI Audit Program
This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates be implemented.
You can download the Table of Contents and some sample pages by clicking on the link below.
Travel and Off-Site Meeting Policy
Travel and Off-Site Meeting Policy - Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is seven (7) pages in length and covers:
- Laptop and PDA Security
- Wireless and Virtual Private Networks (VPN)
- Data and Application Security
- Public Shared Resources
- Minimizing attention
- Off-Site Meetings
- Remote Computing Best Practices
This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.
Other Policies
- CIO IT Infrastructure Policy Bundle (All of the policies below which come as individual MS Word files in a single PDF)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy
- Incident Communication Plan Policy
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy
- Outsourcing Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy
- Telecommuting Policy
- Travel and Off-Site Meeting Policy