
São Paulo/SP – December 30, 2022. Data management and backup are subjects of vital importance for the continuity of the business: a backup is a copy of the digital data on a device, made by companies and individuals so that data or information can be recovered when necessary.

*By Paulo Cilira

The term backup describes a copy of the digital data on a device, made by companies and individuals with the intention of recovering some data or information when necessary. Usually, people and companies only realize the importance of backing up their files regularly when a security incident occurs and alternative measures have to be taken to recover data, much of which is vital to the operation of the business.

When data is lost and the company's activities are completely or partially paralyzed, customers feel the impact. And depending on the extent of the damage, the company may lose its credibility. The longer the time to resume activities, the worse the damage to the company's image.

Even a pre-defined backup process may not be enough if it is carried out incorrectly, not through negligence but often through lack of knowledge on the part of the information custodian: the planning phases (gathering information, assessing data criticality, classifying information, among others) are not respected, and when they are ignored the need for the backup and the information it should include are never validated. Given this scenario, it is essential to have an established and documented Backup Policy.

The Backup Policy

The Backup Policy is a set of rules to be followed to guarantee the integrity of the company's data and, consequently, the continuity of the business after a security incident. According to good practice, this policy should address the following topics:

  • Who is responsible for backups;
  • Technology to be implemented (hardware/software);
  • Volume of data;
  • Backup frequency (monthly, weekly, fortnightly, yearly);
  • Information lifespan (the date of the oldest backup);
  • Interference with the company's operational environment (backup windows);
  • Operational procedures (indicating how, where, when and by whom the backup is done);
  • Backup media storage location;
  • Types of media (LTO, DLT, DAT, AIT, CD, DVD, NAS (Network Attached Storage));
  • Whether or not the information needs to be replicated;
  • System imaging;
  • Need for agents (special programs that connect securely to e-mail data and databases, since these applications are proprietary);
  • Testing and restoration, and copying of open files (Open File).

Backup Types

Below we list some of the main types of backup adopted by companies. Choosing the most appropriate backup type should consider the context, reality and data volume of each company.

  • Full or Complete Backup: the one in which all files are copied from a given environment or server to another storage location, whether local, virtual or in the cloud. It is the type that demands the most storage space and takes the longest to complete, precisely because the volume of data is greater;
  • Daily/Incremental Backup: focuses on files created or changed on the current date, or that have not been copied yet, so it does not demand a long window or directly interfere with the operation of the IT environment;
  • Weekly/Differential Backup: similar to Daily/Incremental, but covering the larger batch of files changed since the last Full Backup;
  • Backup Copy: copies specific files regardless of date or alteration, and can be done at any time without affecting the functioning of the operating environment.
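To make the difference between the three scheduled types concrete, here is a small Python simulation added for this edit (example code, not the author's or SAFEWAY's). It uses the usual general definitions, which go slightly beyond the daily/weekly framing above: an incremental backup copies what changed since the previous backup of any type, a differential copies what changed since the last full. The file share, sizes and change log are constructed sample values; the script reports how much each strategy copies over a week and which backup sets a restore would need.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    path: str
    mtime: int    # hour of last change; hour 0 is when the weekly full backup ran
    size_mb: int


# Constructed sample: contents of a small file share as seen by the Sunday full (hour 0).
# Every file was last changed before the full, so its mtime starts at -1.
INITIAL_SIZES_MB = {
    "erp/ledger.db": 400,
    "hr/payroll.xlsx": 2,
    "hr/policies.pdf": 5,
    "mail/archive.pst": 900,
    "www/site.tar": 120,
}

# Constructed change log after the full: (hour, path, size_mb after the change).
CHANGES = [
    (30, "erp/ledger.db", 410),     # Monday night batch posting
    (50, "hr/payroll.xlsx", 2),     # Tuesday afternoon edit, same size
    (52, "erp/ledger.db", 415),     # Tuesday night batch posting
    (75, "mail/archive.pst", 905),  # Wednesday mailbox growth
]


def select_files(files, kind, last_full, last_backup):
    """Paths that a backup of `kind` copies.

    full:         every file
    incremental:  files changed since the previous backup of any type
    differential: files changed since the previous full backup
    """
    if kind == "full":
        return sorted(f.path for f in files)
    if kind == "incremental":
        reference = last_backup
    elif kind == "differential":
        reference = last_full
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return sorted(f.path for f in files if f.mtime > reference)


def simulate_week(strategy, run_hours=(0, 24, 48, 72, 96)):
    """Run a full at the first hour and `strategy` at each later hour.
    Returns one (hour, kind, copied_paths, copied_mb) tuple per run."""
    mtime = {path: -1 for path in INITIAL_SIZES_MB}
    size = dict(INITIAL_SIZES_MB)
    last_full = last_backup = None
    runs = []
    for hour in run_hours:
        # Replay every change that has happened by this hour (later entries win).
        for when, path, new_size in CHANGES:
            if when <= hour:
                mtime[path], size[path] = when, new_size
        kind = "full" if last_full is None else strategy
        files = [FileState(p, mtime[p], size[p]) for p in INITIAL_SIZES_MB]
        chosen = select_files(files, kind, last_full, last_backup)
        runs.append((hour, kind, chosen, sum(size[p] for p in chosen)))
        if kind == "full":
            last_full = hour
        last_backup = hour
    return runs


def restore_chain(runs):
    """Hours of the backup sets needed to rebuild the latest state, oldest first:
    the last full, then either every incremental after it or only the last differential."""
    full_index = max(i for i, run in enumerate(runs) if run[1] == "full")
    chain = [runs[full_index][0]]
    later = runs[full_index + 1:]
    if not later:
        return chain
    if later[-1][1] == "differential":
        return chain + [later[-1][0]]
    return chain + [run[0] for run in later]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        runs = simulate_week(strategy)
        print(f"{strategy}: weekly volume {sum(r[3] for r in runs)} MB, "
              f"restore needs the sets from hours {restore_chain(runs)}")
        for hour, kind, paths, mb in runs:
            print(f"  h{hour:>3} {kind:<12} {mb:>5} MB  {paths}")
```

The trade-off the policy has to weigh shows up directly in the numbers: the incremental chain copies less each night but a restore depends on every set since the full, so the loss of one set breaks the chain, whereas the differential copies more each night and restores from just two sets.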

Final considerations

Data management and backup are subjects of vital importance for the continuity of the business. In the Backup Policy, it is important to pay attention to "what to copy", and to questions such as:

  • What is the importance of information and its value for your company?
  • What is the validity period of this information?
  • What impacts will the loss of this information bring to the Organization?
  • Can the Company continue if this information is corrupted/compromised?
  • If management needs access to information and it is unavailable, what happens?

It is also important to focus on the software used to manage data and backups: the tools native to operating systems do provide some information management, but they are still very limited in the options they offer for handling information and classifying it according to criticality. With proprietary backup software, the tool may be able to back up such data directly; in that case, agents are installed that allow the tool to access the database and make the necessary backup according to the predefined criticality classification.

Finally, there is no point in having a structured backup process if tests and restores are not carried out to verify that the data copied to magnetic media can be recovered when required in an emergency. It is also recommended that the backup media be stored in a location different from the one where the business servers operate, since in a possible incident they would otherwise be compromised as well.
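A restore test is only meaningful if it compares what came back with what was copied. The following Python drill, added for this edit (example code, not the author's or SAFEWAY's), records a SHA-256 manifest when the backup archive is written, restores the archive into a separate directory and checks every file against the manifest. The share contents, the gzip tar format and the temporary directories are assumptions made for the example; the second run deliberately damages one restored file to show that the check catches it.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir plus a JSON manifest of SHA-256 per file.
    The manifest is what a later restore drill is checked against."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    Path(f"{archive_path}.manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def extract_backup(archive_path, restore_dir):
    """Restore the archive into restore_dir, never over the live data."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and backports): reject member paths outside restore_dir
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)


def verify_restore(manifest, restore_dir):
    """Compare every restored file with the hash recorded at backup time.
    Returns (ok, problems) where problems lists missing or corrupt files."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems, problems)


def run_restore_drill(damage_restored_copy=False):
    """End-to-end drill on constructed sample data: back up, restore elsewhere, verify.
    With damage_restored_copy=True one restored file is altered after extraction."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "share")
        (src / "erp").mkdir(parents=True)
        (src / "erp" / "ledger.db").write_bytes(os.urandom(4096))   # constructed data
        (src / "notes.txt").write_text("quarterly closing checklist\n")
        archive = Path(work, "share.tar.gz")
        manifest = make_backup(src, archive)

        restore_dir = Path(work, "restore")
        restore_dir.mkdir()
        extract_backup(archive, restore_dir)
        if damage_restored_copy:
            target = restore_dir / "erp" / "ledger.db"
            with open(target, "r+b") as fh:      # flip the first byte of the restored copy
                first = fh.read(1)
                fh.seek(0)
                fh.write(bytes([first[0] ^ 0xFF]))
        return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore:  ", run_restore_drill())
    print("damaged restore:", run_restore_drill(damage_restored_copy=True))
```

In a real drill the manifest would be kept with the off-site copy of the media, and the result of each test (date, archive, number of files verified, any problems) logged as evidence that the policy's testing requirement was actually met.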

— Paulo Cilira is a GRC Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, for certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization, in order to raise the level of maturity and compliance in accordance with good information security practices. If you would like more information, contact one of our experts!