Embrace the Audit

The word “audit” strikes fear in the hearts of most business owners, but a pre-emptive data protection audit should actually be embraced. Taking stock of your data and the many scenarios which could impact its continuity is vital to the livelihood of a business after a disaster or other data loss event.

Twenty years ago, the data that companies were concerned about protecting was largely automated data: accounting data, inventory, payables, receivables, the general ledger, etc. Today’s business has all of those components plus all communications, email, scheduling, project management, web-enabled applications, databases… there is so much more now that needs to be considered when planning for a data protection audit.

Preparing for a Data Protection Audit

The first step of every data protection audit is to perform a data protection needs analysis: evaluating the company’s essential needs, creating an overview of what data needs to be protected and what systems must be protected.

Once those areas have been identified, top-level management must determine how soon the company needs to recover its computer systems in the event of a disaster (the recovery time objective, RTO) and how current the recovered data needs to be (the recovery point objective, RPO), and then ultimately marry those targets with what the business can afford.

A critical component of the evaluation phase of any data protection audit is user participation. While the IT department is a key member of the audit team, it should NOT be the sole decision-maker on which functions and requirements each business unit needs for its data integrity. IT will focus on protecting a database, but may overlook the functionality that the database delivers. For example, the application that speaks to a company’s SQL database may reside on a single PC, and if the recovery plan restores the database but not the PC, you’ve accomplished nothing!

Data Protection Audit – Questions to ask each business unit or department

  • What are all the sources of data that need to be restored?
  • What systems need to be restored? Keep in mind that while databases may be stored on the server, some programs that run the databases live on individual desktops.
  • How quickly does the data need to be restored (RTO)? If you’re running e-commerce, you may need zero downtime so you don’t lose any transaction data. If your business is a service business, a 20-minute or even a few-hour delay would be inconvenient, but would not severely impact the flow of revenue.
  • How fresh does the data need to be (RPO)? For some companies, restoring data from midnight the previous night is sufficient, while others may require data that is no more than 5 minutes old.

Once the questions have been answered, the budget and priorities can be formed. If the business unit says the RTO must be 30 minutes, then IT can say, “Great, in order to have an RTO of 30 minutes, this is the cost. Can we budget for a 30-minute RTO, or are we happy with a 6-hour RTO based on the cost differential?”
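The questions above produce two things per business unit: a stated RTO/RPO requirement and an inventory of the systems (including any desktop-resident applications) that the requirement actually depends on. The following is an added example, not code from the original article, showing how an audit team might put those answers side by side to find the gaps before budgeting. It assumes a simple model: a service is only recovered once every system it depends on is recovered (dependencies restored in parallel, the service afterwards), the achievable RPO is bounded by the stalest backup in the dependency chain, and a system with no backup or no tested restore procedure is unprotected. The system names, backup intervals, restore times and requirements are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class System:
    name: str
    backup_interval_min: Optional[int]      # minutes between recoverable copies; None = no backup at all
    restore_min: Optional[int]              # measured time to restore; None = no tested restore procedure
    depends_on: List[str] = field(default_factory=list)

@dataclass
class Requirement:
    unit: str        # business unit that answered the audit questions
    system: str      # the system the unit actually uses (not necessarily the server IT thinks of)
    rto_min: int     # how quickly it must be back (minutes)
    rpo_min: int     # how much data age is tolerable (minutes)

def effective_rto(inv: Dict[str, System], name: str, stack=()) -> Optional[int]:
    """Achievable RTO in minutes, or None if anything in the chain cannot be restored."""
    if name in stack:
        raise ValueError(f"dependency cycle at {name}")
    system = inv.get(name)
    if system is None or system.restore_min is None:
        return None
    deps = [effective_rto(inv, d, stack + (name,)) for d in system.depends_on]
    if any(d is None for d in deps):
        return None
    # Assumption: dependencies are restored in parallel, then this system on top of them.
    return system.restore_min + (max(deps) if deps else 0)

def effective_rpo(inv: Dict[str, System], name: str, stack=()) -> Optional[int]:
    """Achievable RPO in minutes (the stalest copy in the chain), or None if anything is unbacked."""
    if name in stack:
        raise ValueError(f"dependency cycle at {name}")
    system = inv.get(name)
    if system is None or system.backup_interval_min is None:
        return None
    deps = [effective_rpo(inv, d, stack + (name,)) for d in system.depends_on]
    if any(d is None for d in deps):
        return None
    return max([system.backup_interval_min] + deps)

def audit(systems: List[System], requirements: List[Requirement]) -> List[dict]:
    """Compare each unit's stated RTO/RPO with what the current setup can deliver."""
    inv = {s.name: s for s in systems}
    findings = []
    for r in requirements:
        rto, rpo = effective_rto(inv, r.system), effective_rpo(inv, r.system)
        gaps = []
        if rto is None or rpo is None:
            gaps.append("unprotected: no backup or no tested restore somewhere in the dependency chain")
        else:
            if rto > r.rto_min:
                gaps.append(f"RTO gap: achievable {rto} min > required {r.rto_min} min")
            if rpo > r.rpo_min:
                gaps.append(f"RPO gap: achievable {rpo} min > required {r.rpo_min} min")
        findings.append({"unit": r.unit, "system": r.system,
                         "effective_rto": rto, "effective_rpo": rpo, "gaps": gaps})
    return findings

# Constructed sample inventory: the SQL server is backed up every 5 minutes and takes 45 minutes
# to restore; the web store sits on top of it; the finance application lives on a single PC
# that was never inventoried, so it has neither a backup nor a restore procedure.
SYSTEMS = [
    System("sql-db", backup_interval_min=5, restore_min=45),
    System("web-store", backup_interval_min=5, restore_min=20, depends_on=["sql-db"]),
    System("erp-client-pc", backup_interval_min=None, restore_min=None, depends_on=["sql-db"]),
]

# Constructed sample answers from three business units.
REQUIREMENTS = [
    Requirement("ecommerce", "web-store", rto_min=30, rpo_min=5),
    Requirement("finance", "erp-client-pc", rto_min=30, rpo_min=15),
    Requirement("service-desk", "sql-db", rto_min=360, rpo_min=1440),
]

if __name__ == "__main__":
    for f in audit(SYSTEMS, REQUIREMENTS):
        status = "OK" if not f["gaps"] else "; ".join(f["gaps"])
        print(f"{f['unit']:13} {f['system']:14} RTO={f['effective_rto']} RPO={f['effective_rpo']}  {status}")
```

Run as-is, the report shows the three outcomes the article describes: the web store misses its 30-minute RTO because it cannot come back until the 45-minute database restore finishes, the finance unit's requirement is unmeetable because the PC that runs its application was never protected, and the service desk's relaxed 6-hour target is comfortably met. That is the list IT brings to the budgeting conversation.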

Any successful data protection audit should be approached as a design project. Making a plan at a high level that everyone can agree on before actual execution is key.

Part Two – Data Protection Planning

Part Three – Business System Perspectives