Key factor involved in building Corporate Infrastructure

This is something that everyone thinks about every day, whether looking at their current infrastructure or planning to build a new one. In this discussion I will focus on data backup handling strategy.

Five major components, Hardware, Operating System, Software, Networks and Storage, are part of a corporate IT infrastructure that is designed to be scalable with minimum complexity. These work together to run a production setup that helps create a product for the respective company. A backup solution is the most important software required when these components halt at the hardware or software level. The issues faced could be hardware failure, ransomware, data loss, OS corruption or even site disaster. Business continuity, meaning a return to near-normal production along with the data, is most important for any organization.

Here we will discuss different aspects of a Backup Policy for any organization and how to keep it up to date. With the advancement of technology, all of the above components have become redundant, provided we are able to get the production setup running.

Some basic factors to keep in mind when establishing a Backup Policy are:

Backup Strategy

Follow the 3-2-1 backup rule, which means having 3 copies of data, 2 of which are local (on different media) and at least 1 copy off-site. Using different storage media, especially keeping a copy online, is important to keep recovery time short and even to achieve the best recovery point by increasing the frequency of backups. An off-site recovery option can increase the budget requirements, but at the time of a disaster it becomes the only option to stay up. Another off-site option is to keep a copy in the cloud that rotates backups periodically and overwrites copies based on the retention policy discussed below.
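As an added illustration (not code from the original article), the following checks a backup inventory against the 3-2-1 rule exactly as stated above and reports which part of the rule each object fails. The inventory rows, object names and locations are constructed sample data, and the production copy is assumed to count as one of the 3 copies.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article). Each row is one copy:
# (object, location, medium, off_site). The production copy counts as a copy.
COPIES = [
    ("finance-db",  "hq-san",       "disk",           False),
    ("finance-db",  "hq-tape",      "tape",           False),
    ("finance-db",  "cloud-bucket", "object-storage", True),
    ("file-server", "hq-san",       "disk",           False),
    ("file-server", "hq-nas",       "disk",           False),
    ("hr-app",      "hq-san",       "disk",           False),
    ("hr-app",      "cloud-bucket", "object-storage", True),
]


def check_321(copies):
    """Return {object: [violations]}; an empty list means the rule is met."""
    by_object = defaultdict(list)
    for obj, _location, medium, off_site in copies:
        by_object[obj].append((medium, off_site))

    report = {}
    for obj, entries in by_object.items():
        # Media used by the copies that stay on-site
        local_media = [medium for medium, off_site in entries if not off_site]
        problems = []
        if len(entries) < 3:
            problems.append(f"only {len(entries)} copies, need 3")
        if len(local_media) < 2:
            problems.append("fewer than 2 local copies")
        elif len(set(local_media)) < 2:
            problems.append("local copies share one medium")
        if len(local_media) == len(entries):
            problems.append("no off-site copy")
        report[obj] = problems
    return report


if __name__ == "__main__":
    for obj, problems in check_321(COPIES).items():
        print(f"{obj}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the real inventory during each policy audit, a non-empty list for any object shows which leg of the rule needs attention before a disaster exposes it.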

Data Backup Procedures

Identify the objects that need to be backed up. An inventory should be established for machines, databases, software with configurations, files and plans. Keep it up to date, as you would when executing an audit. The procedures should also define how and where each backup copy moves, the sensitivity of each object and the access control required to protect it from unauthorized access or exfiltration.

Scheduling Backups

Here the frequency as well as the type of backup is defined. To achieve the most recent recovery point, frequency must be kept high, including during work hours. Keeping in mind that not every backup can fit in a single solution, we should be open to a variety of backup solutions. For example, an organization dealing in financial transactions across multiple sites has a critical need to keep each transaction replicated, which can be managed from within the deployed database solution. Trying to handle this through general backup software would cause issues getting back to a workable state.

It also depends on which combination of Normal, Incremental and Differential backups is used and on how often a normal backup is created.

Retention Policy

To stay compliant, a clear understanding of applicable law must be communicated to and documented with the IT department so that the maximum and minimum time periods for keeping the data can be ensured. Data is classified as business or personal information, and each has a defined retention period. Along with the life of the data or record, specify the method by which data will be destroyed after the retention period.

Data Recovery

Identify and list the order of services that need restoration in case of disaster. Link the associated systems, databases and published software for each service to get it working. Prepare a similar restoration order for the important files that are needed to get operations running. Finally, verify service functionality and data availability through each restore.

Point of Contact to Execute Recovery Plan

A disaster can happen at any time. Whoever is available can immediately make first contact by calling the POC listed under the backup and disaster recovery policy. This is the person who will confirm the disaster, define the scope of recovery and lead the process. Similarly, list and train the people who will verify that the systems are functioning as required and check that the data files are current and accurate as of the last backup execution.

Organizations do not value defining a backup policy and, for the sake of running operations, do not document or audit it, because its absence leaves nothing visibly missing on a normal day. It is the responsibility of the people leading technology in an organization to highlight the importance of documenting the backup and recovery strategy. They should set forth the importance of backups and define the areas of planning, execution and validation of backups. The policy must be consistent, kept up to date, reliable and verified through a dry run.


Yasir Irfat
