By Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons) | December 7, 2022

Implement effective backup procedures

Effective backup procedures for personnel, data, and equipment are essential for information and technology (I&T) systems.

Many organizations will develop backup procedures for data but not people. Identify all essential I&T processes and, in addition to training primary personnel, train persons who can serve as backups during absences or when worksites are inaccessible. Absences or lack of access may arise because of natural disasters, pandemics, other disruptions, or personal reasons.

Use cross-training, shadowing, job rotation, knowledge sharing, detailed written documentation, succession planning, leave coverage, and other means to train and transfer knowledge to backup personnel.

Provide training with the frequency and depth to maintain the currency of knowledge that is appropriate for backup purposes. Use hands-on training, tests, drills, quizzes, supervision, and other methods to keep skills updated.

Update backup arrangements after changes to divisions, services, systems, or business processes.

For data, and any related hardware, develop procedures addressing onsite and offsite backup needs. Some organizations will use onsite storage for rapid access to data, especially if they do not have cloud storage capabilities. Other relevant factors include data volume, capacity constraints, backup frequency, data type, and retention periods. Since onsite backups are often susceptible to the same risks as primary data, offsite backups typically offer better assurances about data integrity and availability for recovery from disasters or other disruptions.

Prepare a backup schedule based on daily, weekly, monthly, or other intervals. The nature of the data will determine backup frequency and mode.

Develop a schedule for testing backup data to ensure it remains viable. Assess whether it is possible to restore backup data with the speed that the business process requires. Also include testing as part of overall disaster recovery and continuity procedures.

Conduct tests using a sample of backup data that is decrypted, transmitted, and processed. Compare the results to those generated by primary processing to evaluate the integrity of backup data.

Evaluate backup needs specific to system migration or conversion. Ensure the adequacy of backups up to the point just before migration or conversion for rollbacks or other purposes.

Back up user data, system data, and documentation.

Secure data from fire, flood, and other physical risks. Protect backup data using cryptography, hashes, digital signatures, and other measures. Encryption can protect data at rest and in transit. The appropriate degree of security will depend on data classification; publicly available data will require less security than classified data.
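One way to carry out the integrity test and the hash protection described above, as an added example that is not part of the original article: record a SHA-256 digest per file at backup time, authenticate the list with an HMAC, then compare a restored sample against it. The function names, file names, sample data, and key are constructed for illustration; the key is assumed to be stored apart from the backup.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """At backup time: SHA-256 per file, plus an HMAC over the whole list."""
    files = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _mac(files, key)}

def verify_restore(restored: Path, manifest: dict, key: bytes) -> dict:
    """At test time: authenticate the manifest, then compare the restored sample."""
    report = {"manifest_ok": False, "missing": [], "modified": [], "unexpected": []}
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return report  # manifest altered: its digests cannot be trusted
    report["manifest_ok"] = True
    for rel, digest in manifest["files"].items():
        f = restored / rel
        if not f.is_file():
            report["missing"].append(rel)
        elif hashlib.sha256(f.read_bytes()).hexdigest() != digest:
            report["modified"].append(rel)
    seen = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(seen - set(manifest["files"]))
    return report

def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: real key is kept apart from the backup
    sample = {"payroll.csv": b"id,amount\n1,100\n", "hr.txt": b"policy v3\n",
              "ledger.db": b"\x00\x01"}  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        primary, restored = Path(tmp, "primary"), Path(tmp, "restored")
        primary.mkdir(); restored.mkdir()
        for name, data in sample.items():
            (primary / name).write_bytes(data)
        manifest = build_manifest(primary, key)
        (restored / "hr.txt").write_bytes(sample["hr.txt"])            # intact
        (restored / "payroll.csv").write_bytes(b"id,amount\n1,900\n")  # altered
        report = verify_restore(restored, manifest, key)               # ledger.db absent
        forged = {"files": dict(manifest["files"], **{"payroll.csv": "0" * 64}),
                  "mac": manifest["mac"]}
        report["forged_manifest_ok"] = verify_restore(restored, forged, key)["manifest_ok"]
    return report

if __name__ == "__main__":
    print(demo())
```

A plain hash list only detects accidental corruption; the HMAC is what lets the test notice a manifest that was edited to match altered backup data.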

Consider contractual and other legal and regulatory requirements as part of backup procedures. Health and privacy laws may dictate specific security controls for primary data, and these should extend to backup data. Certain statutes or contracts may impose data retention periods. Ensure the ability to meet data retention requirements even if primary data is destroyed or unavailable, in which case, the organization should be able to rely on backups.

Along those same lines, ensure stringent controls over the destruction of backup data. Some organizations use dual authorization or two-person control over data destruction. With dual authorization, two persons with the requisite skills must carry out data destruction. They act as a check on each other, barring collusion or similar susceptibilities. Use strategies like the random pairing of individuals, pairing people from different departments or locations, rotating the constituent pairs of individuals, and selecting persons with no specific interest in the data to be destroyed, to reduce the risk of collusion. Dual authorization helps to ensure destruction of the right data and compliance with secure data destruction policies.

If third parties hold data on the organization’s behalf, ensure that their controls include proper backup procedures.

Meeting your duty of care

Implement measures including those above to ensure that backups facilitate systems and data confidentiality, integrity, and availability. See Chapter 9 – Data Security, SPP IT 5.02 – Data Backup and Storage, SPP IT 11.04 – Backup Schedule, SPP IT 11.05 – Backup Data Stored Onsite, and SPP IT 11.06 – Backup Data Stored Offsite, and many other policies in the Information Technology database in PolicyPro.

Policies and procedures are essential, but the work required to create and maintain them can seem daunting. The Finance and Accounting, Operations and Marketing, Not-for-Profit, and Information Technology databases in PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30–day trials of Finance and Accounting, Not-for-Profit, Operations and Marketing, and Information Technology databases in PolicyPro here.

Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons)
Apolone Gentles is a CPA, CGA and Ontario lawyer and editor with over 20 years of business experience. Apolone is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools.