Does a Data Protection Audit Make You Nervous?

Don’t let the idea of a data protection audit make you nervous. While the word “audit” is often associated with something negative (a tax audit, a licensing audit), a data protection audit can produce positive results and reveal areas for improvement before a potentially disastrous incident occurs. Unlike those audits, it can be performed at any time you choose, and its purpose is to limit future risk to the business. It is also a chance to bring processes and documentation back in line with current workflows and business needs.


What Data Do I Need to Audit?

The short answer is all of it. In our Security Incident Response Plan, we talk about cloud data management and the importance of knowing where workloads live. With current hybrid- and multi-cloud mobility, applications, databases, and other connected resources will likely sit in different physical locations. For instance, if you have a central, cloud-based database and 50 store locations each running a front-end application that updates it, all of those resources need to be considered for protection. And if the database has an application and/or web front end that also runs in the cloud, those components form an application group and should be protected and recovered together.

Often an afterthought, individual desktops, laptops, and other company devices should also be considered. Best practice may be to keep data on shared or mapped drives served from a central resource, but users may still have company information on their local disks. Some of it will need protecting and some will not; the important thing is to identify these sources and make a deliberate decision about each one.

The location, criticality, and recoverability of each workload should be tracked and updated frequently, ideally automatically. Recoverability is the critical part: you need to know what options remain if a specific cloud region or service is unavailable, or if an internal physical location is compromised or destroyed. This should be part of your business continuity/disaster recovery plan.

Who Should Be Involved with the Audit?

Each department or line of business should provide input on its specific needs and then work with the IT department to evaluate those needs and the logistics of meeting them. Since this is a voluntary audit, participation and communication from all areas should be encouraged so that the audit serves the business’s overall goals.

Hiring a third party to assist with the audit is also an option and may bring fresh eyes to the environment.


How Do You Prepare for a Data Protection Audit?

  • Identify workloads, applications, processes, and data points.

We discussed the importance of documenting the locations of workloads, servers, etc., but you should also determine a recovery time objective (RTO) and a recovery point objective (RPO) for each system or application. This means identifying the workloads that are critical to your business, how long you can tolerate an outage of each (the RTO), and how much data, measured in time since the last restore point, you can afford to lose (the RPO). The answers will likely alter your backup strategy: the lower the RTO and RPO, the more frequently backups and/or replication must run, and the more expensive the solution becomes.

At the same time, identify the departments and people associated with each application and process; they will be vital in documenting items such as shutdown/startup requirements, recovery requirements, and QA testing.

  • Identify gaps in current configurations

As you tier applications by business need and set RTOs and RPOs, you will likely find gaps between current capabilities and expectations. Document the recovery process as it stands today, then put a plan in place to upgrade capabilities to meet the needs of the business.

Often, workloads and systems are added to the environment without ever being added to a data protection solution or process. This disconnect can put a company at significant risk, so it is critical to reconcile the inventory against what is actually being backed up and find any systems that were left unprotected through oversight.
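The two checks described above, unprotected workloads and backups that fall behind the RPO, are easy to automate once the inventory and the backup history are in hand. The following is an added example and not code from the original article or from any particular backup product; the workload inventory, the backup run records, and the clock value are constructed sample data, and in practice they would be pulled from your CMDB or cloud inventory and from the backup solution’s job history.

```python
"""Reconcile a workload inventory against backup job history.

Added example (not from the original article). All data below is
constructed: a real run would load the inventory from a CMDB or cloud
API and the backup runs from the backup solution's job log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Workload:
    name: str
    location: str      # region or site where the workload runs
    tier: int          # 1 = most critical
    rto: timedelta     # recovery time objective
    rpo: timedelta     # recovery point objective


@dataclass(frozen=True)
class BackupRun:
    workload: str
    finished: datetime
    succeeded: bool


def find_gaps(inventory, runs, now):
    """Return {"unprotected": [...], "rpo_violation": [...]}.

    A workload is unprotected if no backup run has ever been recorded
    for it. It is an RPO violation if its newest *successful* run is
    older than its RPO; a failed run is not a usable restore point, so
    it does not count.
    """
    latest_ok = {}
    for r in runs:
        if r.succeeded and (r.workload not in latest_ok
                            or r.finished > latest_ok[r.workload]):
            latest_ok[r.workload] = r.finished
    ever_seen = {r.workload for r in runs}

    findings = {"unprotected": [], "rpo_violation": []}
    # Report most critical tier first so the list reads as a priority order.
    for w in sorted(inventory, key=lambda w: (w.tier, w.name)):
        if w.name not in ever_seen:
            findings["unprotected"].append(w.name)
        elif w.name not in latest_ok or now - latest_ok[w.name] > w.rpo:
            findings["rpo_violation"].append(w.name)
    return findings


# Constructed sample data (hypothetical names and times).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
H, M = timedelta(hours=1), timedelta(minutes=1)

SAMPLE_INVENTORY = [
    Workload("central-db",       "cloud-east",  1, rto=1 * H, rpo=15 * M),
    Workload("web-frontend",     "cloud-east",  1, rto=1 * H, rpo=1 * H),
    Workload("store-pos-app",    "store-0042",  2, rto=8 * H, rpo=24 * H),
    Workload("analytics-db",     "cloud-west",  2, rto=4 * H, rpo=4 * H),
    Workload("reporting-server", "hq-datacenter", 3, rto=24 * H, rpo=24 * H),
]

SAMPLE_RUNS = [
    BackupRun("central-db",    NOW - 10 * M, True),
    BackupRun("web-frontend",  NOW - 3 * H,  True),   # last good copy is 3h old
    BackupRun("web-frontend",  NOW - 30 * M, False),  # newest run failed
    BackupRun("store-pos-app", NOW - 6 * H,  True),
    BackupRun("analytics-db",  NOW - 2 * H,  False),  # only failures on record
    # reporting-server was added last quarter and never enrolled in backups
]


def sample_findings():
    return find_gaps(SAMPLE_INVENTORY, SAMPLE_RUNS, NOW)


if __name__ == "__main__":
    for kind, names in sample_findings().items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Running the script lists reporting-server as unprotected and web-frontend and analytics-db as RPO violations, even though analytics-db has a recent run and web-frontend has a recent attempt: only a successful restore point counts. Feeding real data into the same comparison is what turns the "oversight" problem into a daily report rather than a surprise during recovery.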

  • Test your backup solution

As with anything, the solution has to be tested. Recoverability is the whole point of a backup, and until a restore has been tested the backup is like Schrödinger’s cat: it exists, but you do not know whether it can be restored. A backup job that reports success only proves that data was written, not that it can be brought back. Some solutions allow for automated testing of backups.
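What an automated restore test looks like in its simplest form, as an added example that is not from the original article and not tied to any backup product: build a small source tree, back it up into a tar.gz together with a SHA-256 manifest, restore it into a scratch directory and compare every file against the manifest, then repeat the test against a deliberately truncated copy of the archive to show how a failed restore surfaces. The file names and contents are constructed for the demonstration.

```python
"""Automated restore test for a backup archive (added example, not
from the original article). Source files, archive names and the
simulated damage are constructed for the demonstration."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return a manifest {relative path: sha256}.
    The manifest is what the restore test verifies against, so store it
    separately from the archive in a real deployment."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore `archive` into a scratch directory and check every manifest
    entry. Returns {"ok", "missing", "corrupt", "error"}. The scratch
    directory is discarded; a production test would also start the
    application against the restored data and run a smoke test."""
    result = {"ok": False, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        # Use the 'data' extraction filter (refuses path traversal and
        # absolute members) where the running Python supports it.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(target, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as e:
            result["error"] = f"{type(e).__name__}: {e}"
            return result
        for rel, digest in manifest.items():
            p = target / rel
            if not p.is_file():
                result["missing"].append(rel)
            elif sha256_file(p) != digest:
                result["corrupt"].append(rel)
    result["ok"] = not (result["missing"] or result["corrupt"])
    return result


def demo() -> tuple:
    """Run the restore test once against a good archive and once against
    a truncated copy (simulating an interrupted transfer to the backup
    target). Returns both result dicts."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "source"
        (src / "app").mkdir(parents=True)
        (src / "app" / "config.ini").write_text("[db]\nhost=central-db\n")
        (src / "app" / "data.bin").write_bytes(os.urandom(200_000))

        archive = work / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)

        damaged = work / "nightly-truncated.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        bad = restore_test(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", "PASS" if good["ok"] else "FAIL", good)
    print("truncated archive:", "PASS" if bad["ok"] else "FAIL", bad)
```

The intact archive passes; the truncated one fails with an extraction error before any checksums are compared, which is exactly the kind of failure a "job completed" status in the backup console would never reveal. The same structure scales up: swap the tar archive for a snapshot or a vendor restore call, keep the manifest comparison, and schedule the test so that every tiered workload is proven restorable within its RTO rather than assumed to be.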

  • Revisit the audit preparation plan often

Updating documentation and processes regularly is an important step in any preparation planning. As the adage goes, “proper planning prevents poor performance,” which holds true for many facets of business and life. Updating documentation and processes may be tedious, but it could prevent disastrous outcomes in the future.

Once you complete this exercise, or the audit itself, you will be well on your way to a better night’s sleep and to spending less time on future iterations of an audit or review. The word audit does not have to be scary, especially if you are already properly prepared.