Backup systems and recovery

Figure: An example of a typical tape drive backup system.

Businesses must adopt policies and procedures for regular and effective system backups to ensure that their data is adequately protected. Prevention of data loss should take a multi-tiered approach that considers the risks related to viruses, firewall protection, content filtering, vulnerability identification and management, and intrusion detection. All businesses should have a comprehensive backup and disaster recovery plan to mitigate the risks associated with the loss of data. The business costs associated with downtime and data loss could be astronomical.

Backup Types

There are three types of backups that can be executed on a system, and each of these backups can use disks or tapes as the primary media:

Full Backup

Backs up all files on the system.

Incremental (Partial Backup)

An incremental backup backs up only the files modified since the last backup. Incremental backups are usually appended to the full backup set. The result is a tape with the changes that occurred daily. This method of backing up provides an audit trail of file usage activity on the system and enables a company to restore a specific day's work without restoring any changes made since that point in time.

Differential (Partial Backup)

A differential backup is cumulative: it backs up only the files that have been modified since the last full backup. The backup files grow daily until the next full backup is performed, at which point the archived files are purged.
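The difference between the two partial backup types shows up at restore time. The following sketch is an added example, not part of the original article; the file names, the day numbering (day 0 is the full backup) and the set labels are constructed for illustration. It builds both kinds of backup sets from the same week of changes and reports which sets must be readable to restore a given day.

```python
# Constructed sample: day number -> files modified that day (day 0 = full backup).
CHANGES = {
    1: {"ledger.db"},
    2: {"payroll.xls", "ledger.db"},
    3: {"contracts.doc"},
    4: {"ledger.db"},
}
ALL_FILES = {"ledger.db", "payroll.xls", "contracts.doc", "archive.zip"}

def incremental_sets(changes):
    """Each set holds only the files modified since the previous backup."""
    return {day: {f: day for f in files} for day, files in sorted(changes.items())}

def differential_sets(changes):
    """Each set holds every file modified since the last full backup."""
    cumulative, sets = {}, {}
    for day, files in sorted(changes.items()):
        cumulative.update({f: day for f in files})
        sets[day] = dict(cumulative)
    return sets

def restore(kind, target_day, changes=CHANGES):
    """Return ({file: day of restored version}, [backup sets that were read])."""
    if kind == "incremental":
        sets = incremental_sets(changes)
        chain = [d for d in sorted(sets) if d <= target_day]        # every set is needed
    elif kind == "differential":
        sets = differential_sets(changes)
        chain = [d for d in sorted(sets) if d <= target_day][-1:]   # only the latest set
    else:
        raise ValueError(f"unknown backup type: {kind}")
    state = dict.fromkeys(ALL_FILES, 0)   # start from the full backup
    for day in chain:
        state.update(sets[day])
    return state, ["full"] + [f"{kind[:4]}-{d}" for d in chain]

def set_sizes(sets):
    """Number of files written to each partial backup, in day order."""
    return [len(sets[d]) for d in sorted(sets)]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        state, chain = restore(kind, 3)
        print(kind, chain, sorted(state.items()))
```

Both strategies restore the same file versions, but the incremental restore depends on every intermediate set being intact, while the differential restore needs only the full backup and one set that grows each day.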

Disk-based vs. Tape-based

To back up data and information, businesses have the flexibility of using both tape-based and disk-based solutions. Many companies use both types in their operations: the tape serves as a direct backup and the disk is used for the day-to-day backup solutions. Disk backups provide flexible and immediate access for everyday use, without having to shut down servers and take the company off-line. It is recommended that companies require that the disk backups be converted to a tape backup so the information can be archived and stored for a long period of time.

Backup System Tools

Because of technological advances and the increased dependence companies have on computers, several different software and hardware options are available. It is important for a business to assess its needs, size and operations when choosing the systems for its operations.


A few products include:


The list of available products is quite extensive. Each company will need to research what products are best suited for them.

Backup System Controls

The objective of auditing backup systems is to ensure that all the systems that are essential to the business, along with the appropriate confidential information, are properly backed up. The external auditor will review procedures, logs, systems and documents to determine if the procedures are adequate. It is essential that the previous versions (which are already backed up) are retained intact until the new backups are available and stored.

Risk Analysis

Understand the inherent risks of technological advances compared to the options available to mitigate those risks. Implementation of a backup solution is vital to the success of a company but the cost/benefits need to be aligned with the needs of the organization.

Scheduling

Backup schedules should depend on the data that is being backed up. For instance, systems or information that is crucial to the ongoing operations of the business should be backed up more often than information that is not critical.

Data retention

Guidelines need to be established so that employees know how long data should be retained. In some cases, backup data may only be needed for several months and in other cases the duration may be in years.

Review of Logs

Log files generated from each backup job should be reviewed daily, checking for errors and the time it took the system to complete the backup job. This review will help to identify problems so that corrective action is timely, reducing the risk exposure associated with failed backups. The business could also run a verification procedure to ensure that the data was properly stored on the backup tape. Simple reality checks also aid in this area: checking to make sure that the record count, file size or length of tape are appropriate.
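The daily review described above can be partly automated. The following sketch is an added example, not part of the original article; the key=value log layout, the sample lines and the thresholds (`slow_factor`, `shrink_ratio`) are assumptions made for illustration, not the format of any real backup product. It flags reported errors, unusually long run times, and the reality-check case of a job that reports success but captured far fewer files or bytes than the last good run.

```python
import statistics

# Constructed job summaries; the key=value layout is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04 job=nightly-db status=OK duration_s=1800 files=12000 bytes=52000000000
2024-03-05 job=nightly-db status=OK duration_s=1850 files=12040 bytes=52300000000
2024-03-06 job=nightly-db status=OK duration_s=1790 files=12100 bytes=52500000000
2024-03-07 job=nightly-db status=OK duration_s=4200 files=12150 bytes=52700000000
2024-03-08 job=nightly-db status=ERROR duration_s=95 files=310 bytes=1200000000
2024-03-09 job=nightly-db status=OK duration_s=1810 files=6000 bytes=26000000000
"""

def parse_line(line):
    """Split one summary line into a record with integer counters."""
    date, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["date"] = date
    for key in ("duration_s", "files", "bytes"):
        rec[key] = int(rec[key])
    return rec

def review(log_text, slow_factor=1.5, shrink_ratio=0.8):
    """Return [(date, [reasons])] for every job that needs a human look."""
    findings, good = [], []   # good = earlier runs that passed every check
    for rec in map(parse_line, log_text.strip().splitlines()):
        reasons = []
        if rec["status"] != "OK":
            reasons.append("job reported an error")
        if good:
            baseline = statistics.median(r["duration_s"] for r in good)
            if rec["duration_s"] > slow_factor * baseline:
                reasons.append("duration above baseline")
            last = good[-1]
            if rec["files"] < shrink_ratio * last["files"]:
                reasons.append("file count dropped")
            if rec["bytes"] < shrink_ratio * last["bytes"]:
                reasons.append("backup size dropped")
        if reasons:
            findings.append((rec["date"], reasons))
        else:
            good.append(rec)   # only clean runs feed the baseline
    return findings

if __name__ == "__main__":
    for date, reasons in review(SAMPLE_LOG):
        print(date, "; ".join(reasons))
```

The last sample line is the case a status-only review misses: the job reports OK and finishes on time, yet it backed up about half of the expected data.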

Library

Backup tapes need to be clearly labeled, and a method needs to be established for where the information is to be stored. If a tape needs to be recalled at a later date, it needs to be readily identified and returned in a timely manner. Labeling also helps with providing an inventory listing of the tapes that should be in storage.

Rotation and Expiration

Depending on the tapes used, backup tapes could potentially be re-used at some point in time.

Disposal

The information stored on the backup tapes needs to be physically destroyed. Policies and procedures should be set so that the information cannot be secured by an unintended party who could possibly use the information illegally.

Testing

Data that is restored should be tested periodically. This will help identify whether potential problems exist in the process and improve the timeliness of corrective action.

Storage

Storage should be in an off-site secure location. It is imperative that the storage facility is properly ventilated, maintains secured access, and is run by a reputable company with a good history. The storage facility should also maintain logs of all tapes that are signed in and out and have a listing of the authorized company personnel who can request the retrieval of tapes.

Encryption

All files that are backed up should be encrypted. This is always a good idea because it provides another means of protection. It is possible that the tapes could get lost or misplaced, and encryption makes the information useless to the party who is able to secure it.

Transportation

Handling of all backup tapes needs to be restricted to authorized personnel. Tapes should be locked in a carrying case for transportation.

The goal of every audit is to ensure that the financial statements are prepared timely and represent the correct results of the company. Considering each of these items and improving the company's internal controls will help eliminate audit deficiencies.
