PROTECTING YOUR ASSETS

Protection of Data – Backups, Software and Policies According to Strategic Research Corp., the primary causes of data loss within companies are:
• Hardware system - 44%
• Human error - 32%
• Software - 14%
• Virus - 7%
• Natural disaster - 3%

Unlike tangible property, computer data are intangible information. However, stored information is more often than not, the lifeblood of the organization. Protecting your data and information is extremely important. As you can see, human error and hardware failure are major factors; however, the growing threat of viruses and malicious attacks further emphasize the need to protect your files and computer systems as closely as possible.

1. Backups - Creating a mirror image of the intangible data onto tangible media (disk, tape, CD, etc.) provides a backup of this information. When the original data are rendered useless, the backups can be used to re-create the data. With client-host and distributive processing becoming more popular it is important to backup all workstations since they all work in a synergistic whole.
2. System - System backups provide a spare copy of all the information on a computer system. The operating system (Windows, NT, etc.), application software, and volatiledata are all backed-up. This should be done both on individual workstations as well as on host servers.
3. Monthly - Even if no major hardware or software changes are made, system backups should be done on a monthly basis. Some software products can dynamically make changes to pointer files and other indexes that pertain to user data, but are actually stored elsewhere on the system.
4. Hardware or software changes - When hardware changes are made they are often saved in the CMOS. Battery failure could cause the CMOS to "forget" the hardware configuration making restoration from system backups necessary. A system backup should be done just prior to any major hardware or software changes. Another separate system backup should be done just after the changes. This provides a way to return to "square one" should any problems occur.
5. Operating system backup of backup software - Some operating systems provide basic programs for making backups. However, most systems use more efficient software in addition to the basic operating system to make backups. Before restores can be done to recover information from backups the software used to make the backups to begin with needs to be put back onto the computer. By using the operating system to backup the software used to make the bulk of the backups it ensures that the more efficient software can be restored using the basic operating system. Once the backup software is restored it can then be used to restore the rest of the system.
6. Create bootable disk of operating system - (Windows, NT, etc.) After a damaged computer has been repaired or replaced the operating system needs to be restored. For this restoration to take place the computer needs to be powered-up or "booted" using the operating system (OS). This typically means that a diskette, diskettes, or CD replicating the original OS need to be used. Some Local Area Networks (LANs) use a Network Operating System (NOS) that can be restored using diskettes, CDs, and tapes created from more elaborate backup software packages.
7. Data Only - Unlike system software, which typically doesn't change often, user data changes daily. Making backups of data is like having tangible insurance in that the hours of work a computer user has done has been protected.
8. Daily - System backups usually only need to be done on a monthly, or at most a weekly, basis. However, most non-home PCs should have their data backed-up on a daily basis.
9. Monday-Friday - Each day of the workweek should have its own data set backup. In other words if the work-week is Monday through Friday and it takes two tapes each day to do a data backup then a total of (10) tapes should be used on a rotational basis.
10. Weekly - In addition to the daily backup sets a separate data backup set should be done weekly. This backup is then archived in case past information needs to be retrieved.
11. Fridays - Weekly data backups should be kept for a period of (5) weeks. This ensures that past information can be retrieved on a week-by-week basis for up to a month's period back.
12. Monthly - Separate data backup sets should also be done on a monthly basis. These backups should be kept even after data is purged from the system for later referral. Data is typically not purged for at least (1) year.
13. Archives - Monthly data backup sets should be kept until archival backups are made. Archival backups are typically made on a yearly basis and/or just prior to purging rather obsolete data from the computer. This ensures an audit trail is maintained in case theinformation needs to be retrieved after it is purged.
14. Storage - Correct storage of backups is a necessity. Backups that have been damaged by incorrect storage may not restore.
15. On-site - One set of system backups and data backups should be kept on-site at the location of the computer systems. The most current backups are usually the sets kept onsite.
16. Paper fire safes - Fire safes for protecting papers reduce the flash point of the documents. This is accomplished by a cement-like material in the walls of the safe that evaporate vapor into the safe to dampen the paper. This allows the temperature to rise to the 300-400+ degree range without igniting the paper. Important papers to be stored should also include software license numbers since they are often required if a software product is to be reinstalled.
17. Magnetic media fire safes - Fire safes for tapes and diskettes differ from fire safes designed to protect paper. Condensing moisture can damage magnetic media, so these safes typically do not contain vapor-inducing materials. Tapes, disks, and other media should be kept in safes that insulate against fire heat to keep internal temperatures below 125 degrees. Safes should not be opened for at least 24hrs after fire exposure to allow the internal temperatures to stabilize gradually. It is important to keep the original installation diskettes/(CDS) for software packages should the need arise to reinstall a given program.
18. Off-site - At least (2) system and data backup sets should be kept off-site from the location of the computer systems. If a large-scale disaster occurs at the computer system locations the on-site backups may be destroyed. The geographic distance needed for offsite locations depends on the anticipated threats; across town is sufficient for building
fires, for hurricanes the distance should be 30+ miles, for earthquakes it may require locating in a different area of the country.
19. Paper fire vaults - The storage space needed for paper documents can expand quickly depending on the amount of paper generated by a system. Critical papers can be kept in fire safes, but large volumes of paper may require a vault. Fire vaults are entire rooms that are protected against fire rather than individual safes.
20. Magnetic media fire vaults - Vaults for magnetic media are also entire rooms protected against fire rather than having to go to the expense of many individual fire safes. Magnetic media fire vaults differ from in that the internal temperatures should be kept lower and that fire suppression systems are usually Halon or Inergen instead of water sprinklers.
21. Magnetic media - Ironically, as organizations transfer documents to magnetic media for long-term storage, they may actually be shortening the storage life of the information. Properly stored, paper can last for decades or even centuries. However, diskettes have a shelf life of 1-2 years, tapes/drives 3-5 years, and CDs 10+ years. For irreplaceable information it is best to have paper documents to augment the magnetic media. One example is the popularity of video wills; paper wills should still be done in the event that the magnetic VHS tape is no longer readable.
22. Restores - Backup data sets are only of use if they can be restored properly. Financial institutions are often required to test their backups and disaster recovery procedures (2) times per year. Some LAN server backup products make "images" of volumes instead of using a file-by-file method; this drastically reduces the number of steps needed to recover a system.
23. Boot with copy of operating system (OS) - Computer systems need to be started with an operating system (OS) in order to function. A copy of the OS (Windows, NT, etc.) should be kept with each backup set. Other operations, such as drive partitioning, may also have to be performed prior to restoring backup data sets.
24. Restore Backup Software - Before a backup set can be restored the software that was used to create the backups originally must be placed back onto the computer system. Backups are usually unreadable by the native operating system and can only be read by the dedicated backup software.
25. Restore system backup - After the backup software itself is loaded onto the computer the system backup data set can be restored. Once the system backups are restored the computer should then indeed be back in an operable mode.
26. Restore latest data - Although a computer system may be once again operational after restoring system backups, the data may not be current. If data-only backups were made subsequently to the system backup then they too should be restored in order to bring the information up to the most current state possible.
27. Hot-site - Disasters that destroy data and software can also destroy the computer hardware that runs the software. A hot-site is an alternate location that has compatible hardware and facilities to restore software to. Cold-sites cost less, but don't have equipment already installed in the facility.
• Location - The location of a potential hot-site should be considered. In a hurricane or earthquake for instance, the disaster area could be tens of miles wide. If widespread disasters are identified in a risk assessment then the hot-site location should be distant enough to be unaffected by the same disaster.
• Equipment - The computer hardware and other equipment should be compatible with that of the original system. Other office equipment such as phone systems, fax machines, and employee workspaces should also be examined.
• How soon to utilize: One key decision to be made, particularly during a "predictable" disaster such as a hurricane, is to decide how soon to utilize a hot-site. Software tools can be used to help predict the onset of some disasters.
• Too soon- operating costs - It might be thought that it is never too soon to utilize a hot-site if a potential disaster, such as a hurricane, is approaching. However, there are costs involved in moving backups, equipment, and personnel to a hot-site. If the disaster doesn't occur then the costs were unnecessarily incurred.
• Too late- alternative site? In an effort to save unnecessary costs of utilizing a hot-site the decision could be made to wait on the declaration of a disaster. However, hot-sites generally have multiple contracts with other clients that may also be declaring disasters. For this reason it is advisable to have an alternate hot-site identified in the event that the primary site is already occupied.
28. Many companies are investigating the virtues of online data backup - a process that involves transferring backups over the Internet and storing them in secure, offsite vaults.
• Ease of data transfer - A system that mitigates the amount of work that must be done in order to transfer data to a secure location - but still does its job properly.
• Security - A system that ensures data, even if stored off site, is always protected.
• Easy access and fast retrieval - access within minutes.