Question

Urgent !!! Please help with this assignment, Database Backup Policy and Process Discuss backup policy and backup process. Develop a backup policy for the community organization's volunteer database and describe the backup process.

Answer 1

Answer:-

It is important to establish a regimen of data protection defined by clear backup policies that can be followed by IT and business stakeholders.

Performing consistent, regular backups of critical business data is a vitally important part of any recovery strategy. When treated as an afterthought or merely as a checkbox item on an annual IT audit, the risks of losing critical data are significantly elevated. For these reasons, it is important to establish a disciplined regimen of data protection defined by a set of clear backup policies that can be closely followed and monitored by IT and business stakeholders alike.

What is a backup policy?

A backup policy is a pre-defined, set schedule whereby information from business applications such as Oracle, Microsoft SQL, email server databases and user files is copied to disk and/or tape to ensure data recoverability in the event of accidental data deletion, corrupted information or some kind of a system outage. The policies will typically have a default protection scheme for most of the servers in the environment, with additional policies for certain critical applications or data.

For example, a default backup policy for all application data may be a nightly backup to tape from Monday through Friday whereby one set of tapes is kept on-site to facilitate local recovery, and a second, duplicated set is sent off-site for storage in a secure location. Critical business data may be further protected by a super-set of policies. This might specify that, in addition to nightly tape backups, point-in-time snapshots of data should be taken and replicated at frequent intervals during the business day to provide rapid, granular data and application recoverability.

In general, backup policies typically consist of capturing an initial full backup of data onto disk and/or tape, followed by a series of intervening incremental or differential daily backups.

Regardless of which method is used, at a minimum, two backup copies should be maintained -- one to enable on-site recovery and a second copy for vaulting to a secure off-site facility. That way, if the data center were to be destroyed by a flood, fire or some other disaster, the off-site copy becomes the recovery copy of last resort.

For the purposes of this article, terms such as "incremental" and "differential" backup are being used generically. Be mindful that some vendors use these terms to describe entirely different backup methodologies.

Introduction

Develop a backup policy for the community organization's volunteer database and describe the backup process.

Goals

The main goal of this policy is:

• To define and apply a clear backup and restore standard for all corporate informational systems;
• To prioritize systems accordingly to data sensitivity;
• To definition backup and recovery standards per data prioritization;
• To prevent the loss of data in the case of an accidental deletion or corruption of data, system failure, or disaster;
• To permit timely restoration of information and business processes, should such events occur;
• To manage and secure backup and restoration processes and the media employed in the process;
• To set the retention periods of information contained within system level backups designed for recoverability and provide a point-in-time snapshot of information as it existed during the time period defined by system backup policies.
  • Backup retention periods contrast with retention periods defined by legal or business requirements.

List of Service and controls that should apply the policy

• Corporate file services:
  • Sensitive / Confidential Resolver’s Corporate data.
  • Sensitive / Confidential Data related to Resolver’s Customers
• Corporate source control services:
  • Resolver’s intellectual property data
• Corporate configuration files:
  • Network devices configuration files e.g.: WiFi Router, WiFi Access Points, Corporate Firewall, Managed Switches, Routers.
• Corporate internal services:
  • critical services configuration
  • critical resources OS System states
• Customers’ production applications:
  • Resolver’s hosted application production deployments serving customers’ needs and holding customer’s data.

Principle

The following principles direct this policy:

• Proper backup, storage, and handling of data are necessary for all departments to achieve their objectives.
• Staff must accurately follow the policy and protect the availability, confidentiality, and integrity of data.

Policy

1. Data will be protected by regular backups.

Appropriate IT team must perform backup for responsible data e.g:

• DevOps Team for customers’ data and for production environments configuration settings
• Corporate IT for internal resources.

2. Exceptions to the standard process must be approved by the CISO.

3. All backup data MUST be stored in an encrypted manner, encrypted at rest with the AES-256 symmetric encryption algorithm.

4. Backup copies must be stored in an environmentally protected and access controlled secure offsite location.

5. Stored copies must be stored with a short description that includes the following information:

Backup date / Resource name / type of backup method (Full/Incremental)

6. Stored copies must be made available upon authorized request:

The request for stored data must be approved by an authorized person nominated by a Director/Manager in the appropriate department.

Requests for stored data must include:

• completion of a form that outlines the specifics of the request, including what copy is being requested, where and when the requester would like it delivered and why they are requesting the copy;
• acknowledgment that the backup copy will be returned or destroyed promptly upon completion of its use;
• submission of a return receipt as evidence that the backup copy has been returned.

7. A record of the physical and logical movements of all backup copies shall be maintained.

Physical and logical movement of backup copies shall refer to:

• the initial backup copy and its transit to storage;
• any movement of backup copies from their storage location to another location.

The record of physical and logical movements of backup media shall include:

• all identification information relating to the requested copies;
• purpose of the request;
• the person requesting the copy;
• authorization for the request;
• where the copy will be held while it is out of storage;
• when the copy was released from storage;
• when the copy will be returned to storage.

8. The Infrastructure Operator shall develop procedures for the handling and storage of information in order to prevent unauthorized disclosure, misuse or loss.

Media in transit and store shall be protected from unauthorized access, misuse or corruption, including sufficient protection to avoid any physical damage arising during transit and store. All personnel responsible for data backup processing shall have:

• relevant identification;
• relevant authorization.

Where special controls are required, i.e. to protect sensitive or critical information, the following should be considered:

• use of a secured container(s);
• hand delivery;
• tamper-evident packaging;
• in extreme cases, the delivery split and dispatched by separate routes.

9. Backup copies must be maintained in accordance with the Resolvers Retention and Disposal Schedule for backup copies.

The schedule will determine the status of the information, as to whether it can be disposed of, cycled back into production or remain in archive storage.

10. All backup media shall be appropriately disposed of.

Media will be retired and disposed of as described below:
Prior to retirement and disposal, IT will ensure that:

• The media no longer contains active backup images;
• The media’s current or former contents cannot be read or recovered by an
  unauthorized party;
• With all backup media, IT will ensure the physical destruction of media prior to
  disposal.

All relevant department backups should be verified periodically and report on its ability to recover data (relevant for Logical/Cloud-based backup procedure).

On a daily basis, log information generated from each backup job will be reviewed for the following purposes:

• To check for and correct errors;
• To monitor the duration of the backup job;
• To optimize backup performance where possible.

IT will identify problems and take corrective action to reduce any risks associated with failed backups.

• Random test restores will be done once a quarter in order to verify that backups have been successful.
• IT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

11. Every quarter the Backup Operators shall report on its ability to recover data (relevant for physical storage media).

The ability to recover data shall be measured by:

• ability to retrieve backup media sample (copies);
• a backup recovery exercise.

The backup media recovery sample shall include:

• visual inspection of backup copies and media boxes to ensure safekeeping and secure transit. Selection should be from various boxes and include daily and weekly backup copies;
• general comments relating to backup copy conditions;
• random selection of backup copies to measure the integrity of stored media.

Inspection of the storage facility will culminate in the creation of a Media Storage Environmental Report, which includes issues such as:

• site security;
• climate control including temperature and humidity;
• date of last fire system review;
• potential for flood inundation;
• general comments relating to any environmental issues.

The ability to recover data shall be reported to the departments via the monthly Directors reporting process.

Summary of Responsibilities

General backup approach for:

• Corporate file services:
  • Weekly Full backup
  • Daily incremental backup
• Corporate source control services:
  • Weekly Full backup
  • Daily incremental backup
• Corporate configuration files:
  • Monthly Full backup
  • Relevant backup initiated by Configuration change.
• Corporate internal services:
  • Weekly Full backup
  • Daily incremental backup
• Customers production environments:
  • Monthly Full backup
  • Weekly incremental backup
  • Hourly DB transaction logs backup.

Employees

All Resolver’s employees are responsible for:

Storing corporate data in the cloud or network resources approved by IT Department.

NOT ON A LOCAL DRIVE!!!

IT Department

The IT Department is responsible for:

• developing detailed step-by-step procedures that conform to this policy;
• instructing appropriate staff in data backup and recovery procedures;
• providing adequate operational resources for data backup and testing of the system;
• ensuring the data backup and recovery procedures are followed;
• ensuring only authorized people with sufficient knowledge conduct the backup and recovery processes;
• outlining the roles and responsibilities relating to backups in IT Department job descriptions;
• establishing measurements to ensure that Service Level Agreement requirements are met.

DevOps Department

The DevOps Operator is responsible for:

• developing detailed step-by-step procedures that conform to this policy;
• maintaining backup and recovery procedures in accordance with changes to IT systems;
• documenting exceptions in their procedures for event-dependent backups, such as after the processing of certain transactions or the execution of programs after system modification;
• ensuring only authorized people make, transmit and restore backups;
• appointing people with sufficient knowledge specifically for the role of backup and recovery;
• ensuring that documentation regarding backup and recovery processes is sufficient to allow a substitute to carry out data restoration;
• recovering media from the offsite storage facility, including after hours;
• randomly testing copies to ensure that the information stored on them is still recoverable;
• recovering lost data reliably and within defined timeframes as per the Infrastructure Service Level Agreement;
• a process for redressing backup failures;
• reporting to the Department backup failures and corrective action taken;
• providing regular reports on the status of the storage facility and environment.