Welcome » IT Booklets » Operations » Risk Mitigation and Control Implementation » Storage/Back-Up
Management's primary objectives in providing data storage solutions are to ensure the integrity and availability of data, particularly mission critical data. Management and institution customers should receive current, complete, and accurate data. Management also needs to implement a storage solution that is manageable from an administrative perspective and usable and accessible from the customer and end-user perspectives. Storage solutions should be appropriately scalable to allow for future growth.
Management's primary defense against such risks is proper planning. There should be written standards that ensure consistent application of data management standards. Management should choose data storage solutions after careful consideration of configuration options, vendor options, cost/benefit analyses, and anticipated institution growth. Management should maintain an inventory of data sets and primary locations, so it is aware of the scope and breadth of its data storage systems. Management should also be aware of the impact an outage will have on each business line application at any point in time in order to implement appropriate recovery operations. Where feasible an institution should develop redundancy, either through duality in storage architecture or secondary on-site copies of data, to minimize the need to use off-site back-up materials.
An institution should back up and store its data and program files in a secure off-site location to allow restoration of systems, applications, and associated data in the event normal processing is disrupted by a disaster or other significant event. Management should develop a rotation scheme that addresses varying storage durations as well as how to transport and store multiple formats of media at the off-site storage location. Another consideration is the ability to retrieve media stored off-site in a timely manner. In the event of a disruption, management should not have to reconstruct data from more than one business day. The process of designing strategies for the back-up of program and data files should begin with a comprehensive inventory of all of the institution's systems and data. The inventory should include a risk assessment of the criticality of the applications and the associated data. This will provide management with the information necessary to determine what back-up methodologies are appropriate for the institution.
The primary risk associated with data and program back-up is the inability to recover systems, applications, and data in case of a disaster or other disruptive event. This can be caused by incomplete or sporadic performance of back-up procedures, unreliable back-up media, or the inability to access off-site back-up material. Written standards should document back-up methodologies, delineate responsibilities of appropriate personnel, and ensure uniform performance throughout the institution. Management should maintain inventories of back-up media stored off-site and periodically perform physical inventories to ensure all required back-up material is available. Procedures should include verifying adherence to the back-up schedule and reviewing actual back-up copies for readability. Similarly, management should periodically test back-up copies by actually using them to restore programs and data.
For further details on back-up processes, refer to the IT Handbook's "Business Continuity Planning Booklet", specifically the sections on off-site storage, software back-up, data file back-up, and back-up and storage strategies.