Create data protection team - one of four industry experts making security recommendations about a fictitious multinational firm's international network

It is becoming standard practice for auditors to take a close look at all company data--not just data stored on mainframes. Due to these stringent audits, many corporations are working to develop cohesive backup strategies.

Amprox faces several issues in developing a comprehensive data protection strategy. The proliferation of different types of operating systems and the global dispersion of equipment and data complicate the backup scheme. These difficulties are not nearly as troubling, though, as the realization that there is no one responsible for providing reliable support in some localities.

Because Amprox needs to establish a mission-critical data protection scheme quickly, I recommend it institute a five-phase strategy: 1) select a data protection team; 2) perform a top-down data value assessment; 3) develop a backup policy and guidelines; 4) acquire and install the necessary systems; and 5) put the plan in motion.

Due to Amprox's size and the need for a comprehensive strategy, a backup policy dictated from corporate MIS will be less than effective. It is essential that the individuals familiar with and responsible for the programs affected by this policy be involved in its development. These individuals possess the most complete understanding of how specific systems and data are used by their departments. The team should work together to develop guidelines that ensure the protection of corporate assets while maintaining enough flexibility to accommodate a range of operating environments.

ASSESS DATA VALUE, STABILITY

Before Amprox can institute a comprehensive backup policy, it needs to assess the relative value and stability of the data flowing through the company's operating systems. Chances are that Amprox does not want to back up all corporate data daily, as this would likely bring the company's networks to a crawl.

I suggest Amprox assess the relative value of corporate data against four categories: how often the data changes, how long it takes to recreate it, how critical the data is to system/network operation and the length of time the data must remain online. To keep this task manageable, the assessment should be made on a system-by-system or volume-by-volume basis, rather than file-by-file.

Once a value has been assigned to the data, the system manager must map out its location. The appropriate backup device and method is dictated to a large extent by the location of the data within the system. This data assessment phase is critical for determining the appropriate backup method and device. Amprox is in a good position to perform this assessment since its MIS department already manages most of the corporate data.

After the data assessment is complete, Amprox can move forward with developing corporate backup procedures and guidelines. The expertise of the MIS department will prove invaluable when adapting current backup procedures to networks and standalone PCs.

Amprox must consider the differences between operating systems when developing its backup strategy. Backing up data residing on a network can prove to be much more challenging than backing up data stored on a mainframe. The team must consider the speed of the network and the amount of data stored on workstations. Perhaps most important, the team must identify individuals responsible for ensuring that corporate data is backed up regularly.

Because Amprox's data is distributed on a global basis, its backup scheme should be physically distributed with centralized control. The physical distribution of backup devices will allow individual offices to restore data quickly and efficiently.

However, Amprox should require each remote office to deliver a copy of its backup tapes to corporate headquarters on a regular basis for archival storage. The remote offices, on the other hand, should retain daily and weekly backup tapes.

Amprox will most likely end up with a mix of administrator-controlled and client/server-based network backup devices, as well as some standalone backup units.

Once the company has its data backup and restore procedures in place, it should design an overall disaster prevention and recovery plan.

Even with a complete disaster prevention recovery plan in place, Amprox must make an ongoing commitment to maintain this program through regular virus protection programs and testing. With this commitment to data protection, the company will find itself able to operate through and recover quickly from just about any diaster.

COPYRIGHT 1992 Wiesner Publications, Inc.
COPYRIGHT 2004 Gale Group