
Backup Policy Guide Primer

From Ryan Groom,
Your Guide to Business Security.

How to Create a Backup Policy

The ability of a business to rebound after a catastrophic disaster is paramount to its success.

How does one begin to write a backup policy? This backup policy primer, with a little tweaking, can be used in many small to medium businesses. The key point to remember is that a policy is only as good as the people implementing it. Regular checks and measures are still required to ensure the policy is being followed.

Outline
This section outlines exactly what is backed up including specific computers and servers. Ensure you specify whether local desktops are backed up or if the users must move data to the servers. Specify the roles of the computers to be backed up such as file servers, mail and web servers.

Purpose
This component of the backup policy states why you have the policy in the first place. The data will need to be recoverable in case of an emergency including terrorist activities, severe weather, server failure and theft. While it may seem ridiculous to state the purpose of a backup policy, you would be amazed at the number of executives who simply believe that backups are magic and that they just happen. Put it in writing.

Capacity
This component details exactly what systems are included. Is it all servers, or only the servers on the second floor? Does it include rented equipment? Does it include home equipment? What is the process for backing up data on laptops? These should all be addressed in this section. Specify the locations of the servers as well. Where are the tapes stored? Who has access? What is the process when a system administrator leaves and still has access?

Definitions
Remember that this document is being written for some of your less technical coworkers. Do not leave anything for them to second-guess. Some simple definitions will go a long way in explaining how the process works. For example, you may want to define the terms Backup, Archiving, Incremental backup, Full backup, Differential backup, Restore and any other term some users may not understand. Consider explaining the backup process, what media is being used, etc.

Frequency
Use this section to explain when the backups occur. List each (Incremental, Full and Differential) and when each occurs. For example, full backups may be completed on Sundays at 2am with an incremental backup being completed daily at 3:00am of all production servers. Users will need to know when their files need to be on a server to ensure they are backed up.

Media Rotation
While not a very exciting section, it is important for management to understand how tapes are stored and rotated. How many tapes are in your rotation? Are they stored off site? Do you use a third party storage facility?

Restore Testing
How often do you test the tapes? Do you do full or partial restores? A full policy on the restoration process should be configured and attached as part of the Backup Policy. Ensure there is accountability for testing. Finding out at 3am on a Friday night, when the server dies, that the SysAdmin has not tested his backups is going to make everyone bitter.

Responsibility
The IT manager is ultimately responsible for backups. That role will need to specify someone to perform the backups and a frequency with which to do so. If multiple people are involved in the backup process, ensure each has a clearly defined role. Ensure a sign off takes place with a checklist to ensure all policies have been followed to avoid any omissions or confusion on the part of the people conducting the backup.

Data
Reiterate exactly what gets backed up. This section should include both Servers and Workstations. Do you back up data only, or do you also back up the system state? Are permissions maintained? Do you use imaging software? List the roles of all computers, their location and their schedule.

Archiving
What happens at year end? You must allot to constantly keep your data secure. Many new legislative acts require businesses to keep their backups for a set number of years. You will want to ensure all pertinent information pertaining to these backups is stated in this policy. Where are the tapes stored?

File Retrieval
Outline the process by which users who have lost data can have it restored. Do they fill in a request form? How much data can be restored? What are the time constraints? How are emergencies handled? This component should be ironclad so as to avoid minor annoyances with users complaining they have lost their favourite chocolate chip cookie recipe and would like you to retrieve it.

Encryption
Depending on the sensitivity of the data backed up, especially if the backups are kept off-site, encryption may be required to secure the contents of the backup.

This document will help to serve as a quick guide for a small business to complete a backup policy to ensure that their data is secure and available. Remember, now is the time to have this document completed and remember to remind your users that if your data is important to you, have it stored in two locations. Always.

©2008 About, Inc., A part of The New York Times Company. All rights reserved.