Data Protection Audit – Systems, Devices and IT Operations

Your data protection audit lays out the plan that enables you to sleep at night knowing that data loss couldn’t destroy your business or be a costly and burdensome event.

In the previous installment of our three part data protection audit series, we looked at the questions you need to ask regarding your data requirements to determine what’s appropriate to include in your data protection audit. Those questions were focused on looking at the functional areas of the business.

In this last installment, we will view the business from the perspective of each business system.

There are three areas of concern:

  • Support systems
  • Devices
  • IT operations

Support systems audit

It’s a great start if you have a server and are backing up the data on it nightly or even less frequently, but if the systems on that backup can only be restored to a point within the last 24 hours, you’re likely to lose the data created in that gap during a data loss event. You’ll need a restore system that is fast enough for a practical scenario.

But don’t stop with servers; the same methodology goes for PCs. For example, say a company has one PC that is dedicated to processing credit card transactions: what would happen if that one computer went down? It’s imperative that you have that PC well protected. If you were to have an unexpected hardware failure, not only would transactions be interrupted, you’d lose transaction data — unless you’re able to restore from a data center and run a virtual PC.

Device audit

This is the easier part of your data protection audit, but still necessary. Assess every device your company is using — everything that holds data. That includes servers, PCs, storage devices, laptops, tablets, cell phones that are used in your business, etc. Instead of looking at data recovery from strictly a business function perspective, look at it from the device perspective. How would you recover the device if it were gone? What do you have now and what should you have?

Consider this: backing up PCs is an important process, and the same goes for laptops. You’ll need to evaluate whether or not the data on those devices is critical to your business. If you’re a software development company writing applications at your client sites, billing at $200 an hour… well, one guy losing a laptop could cost billable hours for many days! No, it probably won’t ruin a company, but smaller companies would certainly reel from a $5,000 loss due to one lost laptop. And what about the resources lost if you couldn’t recreate the data on that laptop?

IT operations audit

The final part of your audit process will be IT operations where you’ll identify the level of protection needed and perform testing.

No matter the type of technology you’re evaluating, you need to analyze what your plan is to recover the device today, and what the plan should be in the future. In the end, you will have a complete needs analysis for all your technology company-wide:

  1. what needs to be protected,
  2. how to do it, and
  3. how to restore it.

There’s an unintended benefit from this whole endeavor. What started as a data protection audit actually provided your company a roadmap for the health and resilience of your business. Your data protection audit lays out the plan that enables you to sleep at night knowing that data loss couldn’t destroy your business or be a costly and burdensome event.

How to Plan and Execute a Data Protection Audit Series:

Part One: How to Plan and Execute a Data Protection Audit

Part Two: Data Protection Audit Planning

Part Three: Data Protection Audit – Systems, Devices and IT Operations

Data Protection Audit Planning

In part one of “How to plan and execute a data protection audit,” we discussed the importance of user participation in the design process of your data audit plan. In this installment, we go into more detail about the questions you need to ask about your business processes to determine what you need to secure.

When initiating a data protection audit, the starting point is mapping out the systems that make your company work.

Michael Hammer, the highly respected author of “Faster, Cheaper, Better” and “Reengineering the Corporation: A Manifesto for Business Revolution,” identified the following key areas of IT systems that likely impact your data and how it travels within your company:

▪ Shared databases, making information available at many places

▪ Expert systems, allowing generalists to perform specialist tasks

▪ Telecommunication networks, allowing organizations to be centralized and decentralized at the same time

▪ Decision-support tools, allowing decision-making to be a part of everybody’s job

▪ Wireless data communication and portable computers, allowing field personnel to work independently of the office

▪ Interactive videodisk, to get in immediate contact with potential buyers

▪ Automatic identification and tracking, allowing things to tell where they are instead of having to be found

▪ High performance computing, allowing on-the-fly planning and revisioning

Michael Hammer’s definitions allowed him to develop the “Business Process Reengineering Cycle,” which now provides an excellent framework to develop a thorough data protection audit plan.

We’ve detailed the four main steps of every audit below:

Data Protection Audit Step One: Identify the processes

Which business systems would you need to recover after a complete loss?

A couple of examples:

A service business is not selling widgets, so it charges for its time. A key business process will be defining how it captures the time spent per client and the billing system that works from that data. The audit should define how the company generates invoices. Some invoices may be built with more automated systems like an app on employee smartphones or a cloud-based storage system, but some inputs may still be the traditional time slips and people entering the information into the system for payroll. The key is that you look at all the applications that get touched, identify what makes them run and ensure they’re part of the data protection plan.

On the other hand, an oil refiner has a process that tracks raw materials coming in and finished goods going out through pipelines/freightliners. This type of company is required by law to trace material points of origin from producers to its logistics system. The oil refinery would need to include the systems and the data capture devices in the field that sit behind these tracking mechanisms.

If you’re a retailer, you’ll need to assess all your processes, from inventory systems, to time and attendance systems, to scheduling, to couponing.

In all industries, the audit team must ask: what processes does the business rely on to function, and where does the data live?

Data Protection Audit Step Two: Analyze these on an “as-is” basis.

  • How would you recover today from a complete loss?
  • How long would it take?
  • In what condition and how current would the recovered data and systems be?

These questions must be posed:

  • How would you recover your data and systems now if everything was gone?
  • What would your first step be to build those data and systems back?
  • In what condition would the current recovered data be?
  • How well would you recover in the event of a significant data loss?

Remember to consider outsourced information. If your company is using smartphone apps, ask who holds the data and where the interfaces are. You might even have to contact vendors to confirm where your data resides and what protections they have for your information.

As you identify the business processes bit by bit, map out the connections and interfaces that connect with the internal systems.

Data Protection Audit Step Three: Design the new process

What SHOULD this look like?

At the end of this whole discovery, you will have a list of all your business processes, what your recovery would look like, and the requirements for recovery. Stand back and compare what it would look like with what it should look like. There will be obvious gaps and opportunities for improvement. Those opportunities are where you need to focus your efforts to ensure a sensible recovery.

Data Protection Audit Step Four: Test & Implement

Once you’re comfortable with the outcomes of steps 1–3 and have chosen your data protection provider or technology, you absolutely must test it. And test it on a regular basis. As companies add new roles, new products and new services, the systems that touch those must be adapted, and sometimes those adaptations can alter your data protection program. Regular testing is critical to the success of any data protection plan.

We see many companies and even service providers that do not do these tests. They are not easy! But they are essential – exactly because they are not easy.

In the concluding part of this series, we’ll examine the organization from a different angle, looking at it device by device and system by system.

How to Plan and Execute a Data Protection Audit

Embrace the Audit

The word “audit” strikes fear in the hearts of most business owners, but a pre-emptive data protection audit should actually be embraced. Taking stock of your data and the many scenarios which could impact its continuity is vital to the livelihood of a business after a disaster or other data loss event.

Twenty years ago, the data that companies were concerned about protecting was largely automated data: accounting data, inventory, payables, receivables, the accounting ledger, etc. Today’s business has all of those components plus all communications, email, scheduling, project management, web-enabled applications, databases… there is so much more now that needs to be considered when planning for a data protection audit.

Preparing for a Data Protection Audit

The first step of every data protection audit is to perform a data protection needs analysis: evaluating the company’s essential needs, creating an overview of what data needs to be protected and what systems must be protected.

Once those areas have been identified, top-level management must determine how soon the company needs to recover the computer systems in the event of a disaster, and how current the data needs to be (its RTO and RPO), and then ultimately marry that with what the business can afford.

A critical component of the evaluation phase of any data protection audit is user participation. While the IT department is a key member of the audit team, it should NOT be making the sole decision on what functions and requirements apply to each business unit’s data integrity. IT will focus on protecting a database, but may overlook the functionality that the database delivers. For example, the application that speaks to a company’s SQL database may reside on a single PC, and if the recovery plan restores the database but not the PC, you’ve accomplished nothing!

Data Protection Audit – Questions to ask each business unit or department

  • What are all the sources of data that need to be restored?
  • What systems need to be restored? Keep in mind, while databases may be stored on the server, some programs that run the databases live on individual desktops.
  • How quickly does the data need to be restored? (RTO) If you’re running ecommerce, you may need to have zero downtime so you don’t lose any transaction data. If your business is a service business, maybe a 20 minute or even a few hour delay would be inconvenient, but would not severely impact the flow of revenue.
  • How fresh does the data need to be? (RPO) For some companies, a restore of data from midnight the previous night is sufficient, while others may require data that is no more than 5 minutes old.

Once the questions have been answered, then the budget and priorities can be formed. If the business unit says data RTO must be 30 minutes, then IT can say, “Great, in order to have an RTO of 30 minutes, this is the cost for it. Can we budget for a 30 minute RTO or are we happy with a 6 hour RTO based on the cost differential?”
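To make the as-is versus should-be comparison concrete, here is an added example (not from the article, and not any vendor’s tool) that models each business process as depending on a set of devices, each with its current recovery point (RPO) and restore time (RTO), and reports which process misses its objectives and which device is the reason. The inventory, names and hour values are constructed; they illustrate the SQL-database-plus-single-PC case above, where restoring the database alone accomplishes nothing.

```python
from dataclasses import dataclass
from math import inf

# Hypothetical gap-analysis helper (not from the article). Times are in hours;
# inf means "no backup, so no recovery path exists" for that device.


@dataclass(frozen=True)
class Component:
    name: str
    rpo: float  # age of the data a restore would give back (hours)
    rto: float  # time needed to get the device working again (hours)


@dataclass(frozen=True)
class Process:
    name: str
    required_rpo: float
    required_rto: float
    depends_on: tuple  # names of every device the process needs to run


def effective_objectives(proc, inventory):
    """A process is only as recoverable as its weakest device."""
    parts = [inventory[n] for n in proc.depends_on]
    return max(c.rpo for c in parts), max(c.rto for c in parts)


def find_gaps(processes, inventory):
    """Return {process name: [issue, ...]} for every process missing its objectives."""
    gaps = {}
    for p in processes:
        parts = [inventory[n] for n in p.depends_on]
        worst_rpo = max(parts, key=lambda c: c.rpo)
        worst_rto = max(parts, key=lambda c: c.rto)
        issues = []
        if worst_rpo.rpo > p.required_rpo:
            issues.append(f"RPO {worst_rpo.rpo}h > {p.required_rpo}h (bound by {worst_rpo.name})")
        if worst_rto.rto > p.required_rto:
            issues.append(f"RTO {worst_rto.rto}h > {p.required_rto}h (bound by {worst_rto.name})")
        if issues:
            gaps[p.name] = issues
    return gaps


# Constructed as-is inventory: the server is backed up nightly, but the PC that
# runs the billing application and the card-processing PC are never backed up.
AS_IS = {
    "sql-server": Component("sql-server", rpo=24, rto=4),
    "billing-pc": Component("billing-pc", rpo=inf, rto=inf),
    "pos-pc": Component("pos-pc", rpo=inf, rto=inf),
}
PROCESSES = [
    Process("invoicing", required_rpo=24, required_rto=6, depends_on=("sql-server", "billing-pc")),
    Process("card-processing", required_rpo=0.1, required_rto=0.5, depends_on=("pos-pc",)),
]
# Constructed should-be inventory: image the billing PC daily; replicate the
# card-processing PC so it can be brought up as a virtual PC within 15 minutes.
SHOULD_BE = {
    **AS_IS,
    "billing-pc": Component("billing-pc", rpo=24, rto=2),
    "pos-pc": Component("pos-pc", rpo=0.05, rto=0.25),
}

if __name__ == "__main__":
    for label, inventory in (("as-is", AS_IS), ("should-be", SHOULD_BE)):
        print(label, find_gaps(PROCESSES, inventory) or "no gaps")
```

The business unit’s RTO/RPO numbers go into the Process entries and IT’s measured figures into the Component entries, so the budget conversation starts from the devices the report names as binding.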

Any successful data protection audit should be approached as a design project. Making a plan at a high level that everyone can agree on before actual execution is key.

Part Two – Data Protection Planning

Part Three – Business System Perspectives