Data Backup And Disaster Management Policy

Systematic Intelligence

Data Backup And Disaster

Management Policy

Version 2.0
Date: 2nd August 2016
 Data Backup And Disaster Management Policy

Introduction
This policy describes the schedule and process for backing up user data located on
Systematic Intelligence computers and servers.

Aim of Data Backup

The purpose of this policy is to define the need for performing periodic computer system
backups to ensure:

1. Mission critical data and archives are adequately preserved and protected against
data loss and destruction.

2. To preserve the integrity of the system in the event of a hardware/software failure

or physical disaster.

3. To provide a measure of protection against human error or the inadvertent deletion

of important files.

The guidelines in this policy exist to protect the intellectual Data of Systematic
Intelligence.

Scope
This policy applies to all employees, staff, temporary contract peoples, and other personnel
within the Systematic Intelligence, including employees of affiliated third-party
organizations. This policy applies to all equipment that is owned, leased, operated, or
maintained by Systematic Intelligence.
 Data Backup And Disaster Management Policy

Threat Scenario
The loss of stored data can have a major influence on IT applications. The loss or forgery
of application data or customer databases could threaten the existence of private
enterprises. The following typical threat is assumed for a data backup policy as part of IT
baseline protection:

1. Demagnetization of magnetic data media (for e.g. in Floppy Disks, Hard disks) due
to ageing or unsuitable environmental conditions (temperature, air moisture),
2. Interference of magnetic data media by extraneous magnetic fields
3. Destruction of data media by force majeure, e.g. fire or water
4. Inadvertent deletion or overwriting of files
5. Technical failure of external storage (headcrash)
6. Faulty data media
7. Uncontrolled changes in stored data (loss of integrity)
8. Deliberate deletion of files with computer viruses etc

Minimal data backup policy

The minimum requirements which Systematic Intelligence needs to fulfill as regards data
backup is stipulated as below. This allows universal handling of many cases, which would
otherwise require extremely, detailed investigations and complex data backup policies. It
also provides a basis generally applicable to all IT systems, including new ones for which
data backup policy have not been prepared yet.

Minimal data backup policy

Software:
All software, whether purchased or created personally, is to be protected once by means of
a full backup.

System data:
System data are to be backed up with at least one generation per month.

Application data:
All application data are to be protected by means of a full backup at least once a month

Additional controls:
All employees, including new ones, instructed on, and committed to, the data backup or
minimal data backup policy.
 Data Backup And Disaster Management Policy

Data backup procedures

Data backup procedures determine how the generated data backups should be documented.
This is necessary for orderly and efficient data backup.

Before taking any backup the following items are to be documented for each generated data
backup:

1. Date of data backup

2. Extent of data backup (files/directories)
3. Data media on which the operational data are stored
4. Data media on which the backup data are stored
5. Data backup hardware and software (with version number)
6. Data backup parameters (type of data backup etc.)

Additionally the following methods of making data backups should be considered and
documented when determining a backup system:

1. Type of data backup

2. Frequency and time of the data backup
3. Number of generations
4. Procedure and storage medium
5. Responsibility for data backup
6. Storage site
7. Requirements concerning the data backup archive
8. Transport modes
9. Storage modes
 Data Backup And Disaster Management Policy

Data backup procedures, Type of data backup

The following types of data backup are evident:

Data mirroring: With this procedure, copies of data are stored redundantly on several
different media. The major advantage of data mirroring is that a failure of one of these data
media can be counteracted quickly.

Full data backup: With this procedure, all data-requiring backup are stored on an
additional data medium without consideration as to whether the files have been changed
since the last backup.

Differential data backup: This procedure stores only the files that have been changed
since the last full data backup.

OS image backup: This procedure backs up the physical sectors of the hard disk instead of
the individual files on it. This is a full backup, which allows very quick restoration on hard
disks of the same type.

RAID Backup: Redundant data storage is allowed by RAID (Redundant Array of

Inexpensive Disks) systems. The RAID concept represents the linkage of several hard disks
under the command of an array controller. There are various RAID levels, RAID level 1
involving data mirroring.

RAID systems are no replacement for data backups! The do not offer assistance in case of
theft or fire. The data stores on RAID systems therefore have to be stored on additional
media, which have to be sited in different fire lobbies.

To select a suitable and economically efficient data backup strategy, the following
factors should be taken into account:

Criticality of the data and its availability requirements:

If availability requirements are extremely high, data mirroring should be considered. If

availability requirements are high, full data backup to be preferred against
incremental/differential data backup.

Data and modification volumes:

If the modification volume is similar to the data volume (e.g. in the use of a database), the
storage capacity saved by differential data backup is so negligible that full backup should
be considered. However, if the modification volume is much smaller than the data volume,
the storage capacity saved by differential data backup is considerable and reduces costs to a
large extent, hence this option to be considered.
 Data Backup And Disaster Management Policy

Data modification times:

Data modification times can have a major influence on the data backup strategy. If an
application requires backup of the entire database at certain intervals (e.g. daily, weekly,
monthly or annual bookkeeping statements), only full backups are recommended for this
purpose.

Frequency and times of data backup

To decide upon the frequency and times of data backup it should be understood that if data
is lost (e.g. due to a head crash on the hard disk), all data changes since the last backup
have to be restored. The shorter the backup intervals, the less the restoration effort in
general. At the same time, it must be noted that in addition to regular data backup intervals
(daily, weekly, every workday...), event-dependent backup intervals (e.g. after certain
transactions or following the execution of certain programs after system modifications)
might also be required.

The following factors must be considered during the determination of the frequency and
times of data backup:

Availability requirements, reconstruction effort without data backup, modification

volumes:

The interval between data backups should be selected so that the restoration time (the
restoration time required for modified data which has not been backed up) for the data
changed within this period (modification volume) is shorter than the maximum permissible
downtime.

Data modification times:

If data are changed to a large extent (e.g. program sequence for salary payments or
different software version) or the entire database needs to be made available at certain
points in time, it is advisable to carry out a full data backup immediately afterwards.
Regular as well as event-dependent intervals need to be stipulated here.
 Data Backup And Disaster Management Policy

Number of generations
On the one hand, data backups are repeated in short intervals in order to have up-to-date
data available, on the other hand, the data backup must guarantee that saved data are stored
for as long as possible. If a full data backup is considered as a generation, the number of
generations should be determined, as should the time intervals, which must be observed
between the generations. These requirements are illustrated using the following examples:

1. If a file is deleted intentionally or unintentionally, it will no longer be available in

later data backups. If it turns out that the deleted file is still required, it can only be
restored by using a backup version made before the time of deletion. If such a
generation no longer exists, the file must be created again.

2. A loss of integrity in a file (e.g. due to a technical failure, inadvertent modification

or computer virus) will probably be noticed at a later stage instead of immediately.
The integrity of such files can only be restored using a generation dated earlier than
the occurrence of the loss.

3. It is always possible for data backups to be carried out incompletely or incorrectly.

In such cases, an additional generation often proves to be useful.

For the generation principle to remain useful a basic condition must be fulfilled, i.e. the
time interval between generations must not fall short of a minimum value. Example: an
automatic data backup process is disrupted repeatedly; as a result, all existing generations
are overwritten successively. This is prevented by overwriting generations only after
ensuring that their minimum age has been maintained.

The generation principle is characterized by two values: the minimum age of the oldest
generation and the number of available generations. The following applies here:

1. The higher the minimum age of the oldest generation, the greater the probability of
the existence of a previous version of a file in which a loss of integrity has occurred
(including deleted files which would have proved useful later).

2. The greater the number of available generations, the higher the degree of updating
of the previous version.
 Data Backup And Disaster Management Policy

Procedure For Data Backup Under Different Network Scenarios

Having determined the type of data backup, the frequency and the generation principle, it is
now necessary to select the procedure, including appropriate and economically feasible
data media as per network scenarios. The following illustrates this:

Example 1: Manual, decentralised data backup on PC's

On non-networked PC's, backups of application data and work related files to be performed
manually by IT users as a full backup. Floppy diskettes or CD’s are to be used as data
media.

Example 2: Manual, central data backup in LAN's

In LAN's (Local Area Networks) with connected PC's, data backup to be carried out in that
the PC user backs up his data, files on a central network server, after which the network
administrator backs up these data centrally; this involves weekly full backup and daily
incremental backup.

To minimize the volume of data on the storage medium, data compression algorithms (like
to zip the file) should be considered.
 Data Backup And Disaster Management Policy

Backup schedule
1. At a minimum, modified data on file servers must be incrementally backed up at the
end of each work day and a full system backup must be performed at least once per
month.
2. Mission critical data should be backed up, regardless of where it resides. On a
monthly basis at least one full backup must be stored off-site.
3. A process must be implemented to verify the success of the electronic information
backup.
4. Legible, unique labels shall be placed on all backup media

Backup schedule logs

The backup software should capture a list of all files and directories encountered and saved
to backup media. Logs should contain information about successful backups, unsuccessful
backups, backup media that were left in place accidentally and overwritten, when and
where the backup media were sent offsite, the success or failure of restore tests and bad
media encountered which may affect your ability to obtain files from a previous backup.

Write an entry for successful backups, the date and which tape was utilized. Keep the
written log with the computer or backup unit that performs the backup.
 Data Backup And Disaster Management Policy

Data Restoration
Before doing any data restoration it must be followed that the restoration of data using data
backups must be tested at irregular intervals, at least after every modification to the data
backup procedure. It must at least once be proven that complete data restoration is possible
(e.g. all data contained in a server). This ensures reliable testing as to whether

1. Data restoration is possible

2. The data backup procedure is practicable
3. There is sufficient documentation of the data backup, thus allowing a substitute to
carry out the data restoration if necessary
4. The time required for the data restoration meets the availability requirements

When testing for data restoration, the following should also be taken into consideration:
1. The data must be installed on an alternative IT system

2. Different writing/reading equipment to be used for the data backup and data
restoration

Steps for Data Restoration

1. The user should raise the requirement for data restoration indicating the purpose to
the IT administrator for the backup restoration

2. User to indicate the file name and if not remembering then probable file name (for
e.g. First three or last three characters of the file name)

3. IT administrator to locate from the backup the file and then communicate with user
for confirmation.

4. Before applying any restoration, IT administrator to backup the current data or files
as per the backup policy mentioned here.

5. Apply the backup; inform the user to test for the correct backup if restored.

6. Once tested and verified, allow the usage of the old backup including date entry or
file access.