IT Baseline Protection Manual S 6.71 Data backup for a mobile IT system
S 6.71 Data backup for a mobile IT system
Initiation responsibility: IT Security Management Team, Head of IT Section
Implementation responsibility: Administrator, IT users
Mobile IT systems (laptops, notebooks) are generally not permanently integrated into a network. Data exchange with other IT systems is normally effected over data media or temporary network connections and can, for example, be implemented through remote access or direct connection to a LAN on returning to the workplace. Unlike with stationary clients, it is therefore generally unavoidable with mobile IT systems that data at least temporarily has to be stored locally instead of on a central server. Appropriate data backup measures must be taken to prevent loss of this data.
Generally the following data backup procedures are available:
Data backup on external data media
The advantage of this method is that the data can be backed up in virtually any location and at any time. The disadvantage is that a suitable drive and sufficient data media must be carried and that proper handling of the data media entails additional effort on the part of the user. The data media should possess sufficient storage capacity so that the user does not have to insert several media into the drive every time a backup is performed. Where the data is kept in unencrypted form, there is also the danger that data media could get lost and that as a result sensitive data could be compromised. The data media and the mobile IT system should as far as possible be kept separate from each other so that in the event of loss or theft of the IT system the data media are not lost as well.
Storage on external data media for data backup purposes is especially recommended where data is also exchanged with other IT systems using external data media, as it may be possible to combine the two processes. On returning to the workplace, the data backups on the data media must be incorporated into the backup system or the operational system or into the central databank of the organisation.
Data backup over temporary network connections
If it is possible to connect the IT system to a network regularly, for example using remote access, the local data can also be backed up over the network connection. The advantage of this is that the user does not have to bother with any data media, nor does he have to take the appropriate drive along with him. Moreover, the procedure can be largely automated: with remote access, for example, data backup can be initiated automatically following every dial-in.
When backing up data over a temporary network connection it is essential that the bandwidth of the connection is adequate for the volume of data to be backed up. Transmission of the data must not take too long or lead to excessive delays if the user has to access remote resources at the same time. With current access technologies (e.g. ISDN, modem, mobile phone) this means that only low volumes of data can be transported on each backup process. Some data backup programs therefore offer the possibility of only transmitting information about changes in the data set which have occurred since the last backup over the network connection. In many cases, this can significantly reduce the volume of data to be transported.
An important requirement for the software used for data backup is that unexpected termination of a connection should be detected and handled in a proper manner. Termination of a connection must not result in impairment of the consistency of the data backed up.
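One way to meet the requirement that a terminated connection must not impair the consistency of the backed-up data, shown as an added example that is not part of the manual: the receiving side writes the incoming data to a temporary file, verifies a checksum, and only then atomically replaces the previous backup. The function names, the file name `laptop.bak`, the SHA-256 checksum supplied by the sender and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def store_backup(dest_dir, name, chunks, expected_sha256):
    """Store a backup received in chunks so that an aborted transfer never
    replaces or damages the previously stored backup."""
    final_path = os.path.join(dest_dir, name)
    # Temporary file in the same directory, so the final rename stays on one
    # file system and is atomic.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=name + ".", suffix=".part")
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:        # may raise ConnectionError mid-transfer
                tmp.write(chunk)
                digest.update(chunk)
            tmp.flush()
            os.fsync(tmp.fileno())      # data is on disk before it becomes visible
        if digest.hexdigest() != expected_sha256:
            raise ValueError("checksum mismatch: transfer incomplete or corrupted")
        os.replace(tmp_path, final_path)  # atomic switch to the new backup
    except BaseException:
        os.unlink(tmp_path)             # discard the partial file, keep the old backup
        raise
    return final_path


def dropped_link(data, fail_after):
    """Constructed sample: deliver part of the data, then lose the connection."""
    yield data[:fail_after]
    raise ConnectionError("link dropped")


def demo():
    """Store one backup, then interrupt the next transfer part-way through."""
    with tempfile.TemporaryDirectory() as d:
        old, new = b"backup from monday", b"backup from tuesday, larger"
        store_backup(d, "laptop.bak", [old], hashlib.sha256(old).hexdigest())
        try:
            store_backup(d, "laptop.bak", dropped_link(new, 10),
                         hashlib.sha256(new).hexdigest())
        except ConnectionError:
            pass                        # a real client would retry at the next dial-in
        with open(os.path.join(d, "laptop.bak"), "rb") as f:
            return f.read(), sorted(os.listdir(d))
```

After the interrupted second transfer, the stored file still holds the first backup and no partial file remains in the directory.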
Under both data backup methods it is desirable to minimise the volume of data to be backed up. As well as using loss-free compression techniques, which are integrated into many data backup programs, incremental or differential backup procedures can also be used (see also S 6.35 Stipulating data backup procedures). However, use of such procedures means that restoration of a data backup takes longer.
Data backup should be automated as far as possible so that users themselves are required to perform as few actions as possible. If users must be involved, they should be placed under an obligation to perform regular backups (see S 2.41 Employees' commitment to data backup). Finally, sporadic checks should be carried out to verify that data backups created can be restored (see S 6.22 Sporadic checks of the restorability of backups).
Additional controls:
Is all the data which is stored locally on mobile IT systems backed up regularly?
Is the chosen backup method suitable for the volume of data?
Is the number of actions required of the user during data backup kept to a minimum?