IT Risk #1 – Not having a formal written Data Backup Policy

Shandam Consulting

All organizations realize the importance of data backup, but often have little interest in the mechanics of the data backup process. Frankly, it's boring and geeky, so business leaders typically assign this task to IT and promptly forget about it.

That is, until something bad happens: data corruption, malware, hardware failure, fires, flood, air conditioning failure, etc. The list of risks that can affect IT systems is a long one.

While this situation is exceedingly common, this approach represents a huge risk to both the business and IT that can be easily avoided with a little legwork.

In our role as IT experts, Shandam has been asked multiple times to perform failure analysis of data backup systems, often after a client experienced data loss. In every case we found that IT had been tasked with designing a data backup system with little or no guidance from the business leadership. This leads to assumptions on both sides, with large gaps between business expectations and IT reality. In each case this approach has resulted in lost data and adverse business impact which, in some cases, resonated for years afterward.

We call these situations “resume generating events” and they are far more common than you may think. When data loss happens, businesses lose customers, face hard questions from investors, stockholders and employees, and people lose jobs. This is not a situation anyone wants to be involved in, including us. Fortunately, there is a zero-cost way to avoid this situation by following a few simple steps:

How to avoid being a candidate for a “resume generating event”

  1. Work with organizational leaders to develop a formal, written, Data Backup policy:
    1. What data needs to be backed up? – classify data by level of importance to the business.
    2. Backup interval – how much work can you lose without adversely impacting the business? 1 week? 1 day? 1 hour?
    3. Retention interval – how long will you keep the backup data before it gets deleted? Data storage costs money, so this often will require a cost/benefit discussion.
    4. Offsite storage – where is the data stored to keep it from being affected by a potential disaster such as fire/flood/earthquake?
    5. Restoral interval – what is the amount of time the business will accept before it gets its data back from backup?
  2. Build a Data Backup process that can meet the needs of the formal Data Backup Policy:
    1. Software
    2. Hardware
    3. Storage
    4. Locations
    5. Schedules
    6. Sources
    7. Targets
  3. Test the data backup process on a periodic basis:
    1. Random file restorals – delete and restore from backup a random file
    2. Simulate failures and restoral of entire systems – servers, storage arrays, etc.
    3. Audit backup performance – verify restoration duration, accuracy, etc.
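
One way to automate the random file restoral and audit from step 3, as an added example that is not part of the original article. It restores to a scratch directory instead of deleting the live file, and `shutil.copy2` stands in for your backup tool's restore command; the function name, status values and the two interval parameters (the policy's backup and restoral intervals, in seconds) are assumptions.

```python
import hashlib
import random
import shutil
import tempfile
import time
from pathlib import Path


def sha256(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_test(source, backup, backup_interval_s, restoral_interval_s):
    """Restore one random file to a scratch directory and audit the result."""
    source, backup = Path(source), Path(backup)
    files = sorted(p for p in source.rglob("*") if p.is_file())
    if not files:
        raise ValueError(f"no files under {source}")
    live = random.choice(files)
    rel = live.relative_to(source)
    # A file changed inside the backup interval may legitimately not be
    # backed up yet; anything older must already have a matching copy.
    recently_changed = time.time() - live.stat().st_mtime < backup_interval_s
    result = {"file": str(rel), "seconds": None}
    copy = backup / rel
    if not copy.is_file():
        result["status"] = "pending" if recently_changed else "missing"
        return result
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        # Assumption: shutil.copy2 stands in for the backup tool's restore.
        restored = shutil.copy2(copy, Path(scratch) / rel.name)
        result["seconds"] = time.monotonic() - start
        accurate = sha256(restored) == sha256(live)
    if not accurate:
        result["status"] = "pending" if recently_changed else "mismatch"
    elif result["seconds"] > restoral_interval_s:
        result["status"] = "slow"
    else:
        result["status"] = "ok"
    return result
```

Run it on a schedule against each backed-up location and alert on any status other than `ok` or `pending`; the recorded `seconds` values give a history of restore duration to compare against the policy.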

Establishing a formal data backup policy and building the backup system around it will allow IT to avoid accepting unnecessary risks while also allowing business decision makers to understand the cost/performance tradeoffs with data backup systems. Hope is not a strategy, and unless your organization has had a detailed discussion about data backup, the chance that it will work flawlessly when you need it is low.