Effective backup procedures for personnel, data, and equipment are essential for information and technology (I&T) systems.
Many organizations will develop backup procedures for data but not people. Identify all essential I&T processes and in addition to training primary personnel, train persons who can serve as backups for absences or lack of access to worksites. Absences or lack of access may arise because of natural disasters, pandemics, other disruptions, or personal reasons.
Use cross-training, shadowing, job rotation, knowledge sharing, detailed written documentation, succession planning, leave coverage, and other means to train and transfer knowledge to backup personnel.
Provide training with the frequency and depth to maintain the currency of knowledge that is appropriate for backup purposes. Use hands-on training, tests, drills, quizzes, supervision, and other methods to keep skills updated.
Update backup arrangements after changes to divisions, services, systems, or business processes.
For data, and any related hardware, develop procedures addressing onsite and offsite backup needs. Some organizations will use onsite storage for rapid access to data, especially if they do not have cloud storage capabilities. Other relevant factors include data volume, capacity constraints, backup frequency, data type, and retention periods. Since onsite backups are often susceptible to the same risks as primary data, offsite backups typically offer better assurances about data integrity and availability for recovery from disasters or other disruptions.
Prepare a backup schedule based on daily, weekly, monthly, or other intervals. The nature of the data will determine backup frequency and mode.
Develop a schedule for testing backup data to ensure it remains viable. Assess whether it is possible to restore backup data with the speed that the business process requires. Also include testing as part of overall disaster recovery and continuity procedures.
Conduct tests using a sample of backup data that is decrypted, transmitted, and processed. Compare the results to those generated by primary processing to evaluate the integrity of backup data.
Evaluate backup needs specific to system migration or conversion. Ensure the adequacy of backups up to the point just before migration or conversion for rollbacks or other purposes.
Backup user data, system data, and documentation.
Secure data from fire, flood, and other physical risks. Protect backup data using cryptography, hashes, digital signatures, and other measures. Encryption can protect data at rest and in transit. The appropriate degree of security will depend on data classification; publicly available data will require less security than classified data.
Consider contractual and other legal and regulatory requirements as part of backup procedures. Health and privacy laws may dictate specific security controls for primary data, and these should extend to backup data. Certain statutes or contracts may impose data retention periods. Ensure the ability to meet data retention requirements even if primary data is destroyed or unavailable, in which case, the organization should be able to rely on backups.
Along those same lines, ensure stringent controls over the destruction of backup data. Some organizations use dual authorization or two-person control over data destruction. With dual authorization, two persons with the requisite skills must carry out data destruction. They act as a check on each other, barring collusion or similar susceptibilities. Use strategies like the random pairing of individuals, pairing people from different departments or locations, rotating the constituent pairs of individuals, and selecting persons with no specific interest in the data to be destroyed, to reduce the risk of collusion. Dual authorization helps to ensure destruction of the right data and compliance with secure data destruction policies.
If third parties hold data on the organization’s behalf, ensure that their controls include proper backup procedures.
Meeting your duty of care
Implement measures including those above to ensure that backups facilitate systems and data confidentiality, integrity, and availability. See Chapter 9 – Data Security, SPP IT 5.02 – Data Backup and Storage, SPP IT 11.04 – Backup Schedule, SPP IT 11.05 – Backup Data Stored Onsite, and SPP IT 11.06 – Backup Data Stored Offsite, and many other policies in the Information Technology database in PolicyPro.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. The Finance and Accounting, Operations and Marketing, Not-for-Profit, and Information Technology databases in PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30–day trials of Finance and Accounting, Not-for-Profit, Operations and Marketing, and Information Technology databases in PolicyPro here.