IT Baseline Protection Manual S 6.50 Archiving database
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
If the information in a database system needs to be archived, an appropriate concept needs to be prepared for making the data available when it is required at a later stage. The following items must be considered here:
Archiving
The available possibilities of archiving must be identified.
The data model underlying the data to be archived must be documented.
The times of archiving must be documented.
The archive must be specified in terms of design, methodology and configuration criteria.
A maximum life span must be specified for all archiving media on the basis of the related manufacturers' specifications and empirical values. The times of refreshing the archived data must be determined accordingly.
The availability of the archived data is to be tested and, if necessary, adapted to actual requirements. For example, there might be a requirement to make data archived over the last six months available at short notice, whereas information dated earlier is only to be restored on request at longer notice. This criterion influences, among other things, the selection of the archiving medium and archiving method. If high demands are placed on availability, a redundant archive might need to be maintained.
It must be ensured that all existing storage deadlines are observed.
Restoring
The current data stock must not be influenced by the archived data stock.
Sufficient storage space must be available for restoring archived data.
The archived data must remain restorable, even if the data model changes in the meantime. In this case, the data model applicable at the time of archiving must be known in order to allow restoration of the previous version.
If the restored data needs to be processed by an application, the version of the application supporting the previous data model must also be available.
Sporadic checks are required as to whether archived data can be restored.
During the archiving of person-related data, it is necessary to take into account the fact that these persons have the right to have the stored data concerning them corrected, locked and deleted. Appropriate technical and organisational procedures must be developed to allow this. In particular, previously performed corrections, locks and deletions must be retained even after old data have been restored.
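One way to meet the last two restoring requirements, shown as an added example that is not part of the manual: archived rows are restored into a separate staging table so the current data stock is untouched, and a ledger of corrections, locks and deletions performed since archiving is replayed over the restored rows. The table names (customer, restored_customer, subject_request), the ledger layout and all sample rows are assumptions constructed for this illustration.

```python
import sqlite3

# Constructed sample data: archive snapshot written before any data-subject requests.
ARCHIVED_ROWS = [(1, "Alice Meyer", "old@example.org"),
                 (2, "Bob Kurz", "bob@example.org"),
                 (3, "Cara Lenz", "cara@example.org")]
# Constructed ledger of requests performed on live data after the archive was written.
LEDGER = [(1, "correct", "email", "alice@example.org"),
          (2, "delete", None, None),
          (3, "lock", None, None)]
CORRECTABLE = {"name", "email"}  # allow-list: column names cannot be bound as parameters

def restore_with_ledger(db, archived_rows):
    """Restore into a staging table, then replay corrections, locks and deletions."""
    db.execute("DROP TABLE IF EXISTS restored_customer")
    db.execute("CREATE TABLE restored_customer (id INTEGER PRIMARY KEY, "
               "name TEXT, email TEXT, locked INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO restored_customer (id, name, email) VALUES (?, ?, ?)",
                   archived_rows)
    requests = db.execute("SELECT subject_id, action, field, new_value "
                          "FROM subject_request ORDER BY seq").fetchall()
    for subject_id, action, field, value in requests:
        if action == "delete":
            db.execute("DELETE FROM restored_customer WHERE id = ?", (subject_id,))
        elif action == "lock":
            db.execute("UPDATE restored_customer SET locked = 1 WHERE id = ?", (subject_id,))
        elif action == "correct" and field in CORRECTABLE:
            db.execute(f"UPDATE restored_customer SET {field} = ? WHERE id = ?",
                       (value, subject_id))
        else:  # fail closed: an unknown entry must not be silently skipped
            raise ValueError(f"unsupported ledger entry: {action!r} {field!r}")
    db.commit()
    return db.execute("SELECT id, name, email, locked "
                      "FROM restored_customer ORDER BY id").fetchall()

def build_live_db():
    """Live database: current data stock plus the request ledger (both constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("INSERT INTO customer VALUES (1, 'Alice Meyer', 'alice@example.org')")
    db.execute("CREATE TABLE subject_request (seq INTEGER PRIMARY KEY AUTOINCREMENT, "
               "subject_id INTEGER, action TEXT, field TEXT, new_value TEXT)")
    db.executemany("INSERT INTO subject_request (subject_id, action, field, new_value) "
                   "VALUES (?, ?, ?, ?)", LEDGER)
    return db

if __name__ == "__main__":
    for row in restore_with_ledger(build_live_db(), ARCHIVED_ROWS):
        print(row)
```

The ledger has to be kept outside the archive and retained at least as long as the archived data it applies to, otherwise a restore reintroduces the uncorrected or deleted records.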
Additional controls:
Does documentation exist which describes the procedures for restoring archived data?
Has a current archiving strategy for the institution been documented?
How are changes in the influencing factors taken into account?