S 6.32 Regular data backup

Initiation responsibility: Head of IT Section, IT Security management

Implementation responsibility: Administrator, IT users

In order to avoid data losses, regular backups must be made. In most computer systems they can, for the major part, be made automatically. Provisions must be laid down on what data are to be saved by whom at what intervals. Development of a data backup policy is recommended.

Depending on the quantity and importance of the data which are currently being saved and with due regard to the possible damage in case of loss of such data, the following must be laid down:

• Intervals

Examples: daily, weekly, monthly (depending on the data quantities).

• Time

Examples: at night, on Friday evening.

• Number of generations to be kept

Example: in case of daily full backup, the last seven backups will be kept, as well as the Friday evening backups of the past two months.

• Extent of data to be saved

The simplest approach is to define partitions or directories to be covered by regular data backup; adequate differentiation can provide a better survey and help to save effort and cost.

Example: self-made files and individual configuration files.

• Data media

Examples: tapes, cartridges, floppy disks, mirroring on 2nd hard disk.

• Erasure of data media before renewed use (tapes, cassettes).

• Responsibility of implementation (administrator, user).

• Responsibility for monitoring the backup activities, especially in the case of automatic backup (error messages, remaining storage capacity of data media).

• Documentation on backups (date, type of backup procedure / selected parameters; marking of data media).

In view of the expenditure of time and effort involved, full backups can, as a rule, only be made once a day at the most. It is not possible to replay the data generated after the last backup. For this reason and for cost reduction, incremental backups (i.e. only the data newly generated after the last full backup will be saved) shouldbe regularly made in the intervals between full backups. (If several incremental backups are made between two full backups, it is also possible to backup only the data generated after the last incremental backup.)

Incremental backups can be made more frequently, e.g. immediately after the set-up of important files or several times per day. Compatibility with current operations must be ensured.

As regards the software used, it will, as a rule, suffice to keep the original data media and their backup copies. It will then not be necessary to include such software in regular backup arrangements.

All users should be informed of the data backup regulations so that they will be able to point out any deficiencies (e.g. intervals that are too short for their own requirements) or to make individual amendments (e.g. interim mirroring of essential data on their own disks). Information provided by users on the period over which data can be restored is also important: if, for instance, only two generations are retained in case of weekly full backup, there will, depending on the point of time at which a loss occurred, be only two to three weeks left to restore lost data.

If, in the case of networked computers, backups are made only of the server disks, it must be ensured that the data to be saved will be regularly transferred to those disks either by the users or automatically.

Paper print-outs of data are not considered an appropriate means of data backup.

Additional controls:

• Are all computer data backed up?

• Are generated data backups being documented?

• Does the data backup procedure conform to an available data backup policy?