Floods, fires, tornados, ice storms and other disasters happen all over the world every day. When these events occur close to home, we sometimes wonder if we are as protected as we should be, and we begin to discuss what few steps we can actually take to protect our resources and infrastructure from unforeseen disasters.
Disaster recovery planning is not something a lot of us want to think about, especially when our to-do lists are a mile long and full of things we know are going to happen tomorrow or next week. But it is important to have a plan in place to minimize the effects of a disaster should one occur in your community.
There are many important factors to consider when thinking about your disaster recovery plan. Begin by making a comprehensive list of all of the essential elements your organization needs to have up and running as quickly as possible should a disaster strike. The plan should establish priorities for each and every hazard on your list and detail contingency plans for each item.
The safety and security of personnel is highest on the list of priorities and it’s often followed by data retention for your various city departments. Preventative measures such as having insurance coverage on properties and assets are also high on the list when it comes to disaster recovery.
While detailed in nature, a lot of the elements in a disaster recovery plan can be decided by simply answering the “what if” questions for your organization. That seems to be an easy and solid approach -- until you come to the data retention and data protection portion of the plan. Then the floodgates open and the questions become hard. What does it mean to back up your data instead of simply storing a backup of your data? If you back up your data to a thumb drive that you keep in the office, is that really an effective backup?
Whether this is the first time your organization has considered backing up data or you have a backup policy already in place, this handy checklist is a great way to begin answering important questions, prioritizing needs and improving your organization’s data security as part of your overall Disaster Recovery Plan.
- Does your organization currently have a policy for your data’s safety and retention?
If you are unsure or the answer is no, this exercise is a great opportunity to clarify this with your administration. [1] By the end of this checklist, you will be well on your way to having a policy drafted or a current policy improved. If you have a current policy in place, this checklist will be a great way to check off items needed to follow your organization’s protocol.
- Identify your data
Set up a matrix to identify all of the data in your organization and the amount of storage space that data requires. You will use this matrix later to classify and assign risk to your data. A simple spreadsheet can be very useful. Once your data is all logged into a spreadsheet, you can filter and sort by classification, risk and storage amount required to determine different scenarios of how to back up your data. Below are some common backup methods organizations use.
Network Backup: A cloud backup solution that provides offsite storage for mission-critical data. Data should be encrypted prior to leaving the site and stored in an encrypted state by use of a provided backup software solution.
Network Storage: A low-cost cloud storage solution that provides offsite storage for data that needs to be offsite, but does not require a high level of security. The storage location is typically secure, but the file protocols that access the data are not as secure. Data can be accessed from any location and uses standard network file protocols for access. No custom software is typically provided or required for this type of storage.
Data Replication: Data replication is the process of duplicating data between storage devices. This typically requires two devices, either in the same data center for fault tolerance and high availability or separated geographically for disaster recovery.
Email Archiving: A low-cost cloud storage service used for archiving email records. Email is stored in a secure environment and cannot be accessed directly by the account holder. The method of storing data is configured via the email server and is handled automatically.
Colocating Data: Colocation of data is typically done by housing hardware in a third-party facility and replicating the data to the remote hardware. The organization retains full control of all data, but the cost can be much higher, as there are fees for the rack and space or possible bandwidth utilized. This is an excellent solution for high volume data storage and disaster recovery.
- Classify your data
Every organization classifies its data in different ways. If your organization’s data were to disappear tomorrow, what critical elements would be necessary to maintain business “as close to usual” as possible? What would you need to keep the municipal offices open? If we all had unlimited resources, we could just say, “back it all up.” But since that is not usually the case, let’s begin this exercise by classifying your data into three categories.
Guidelines to Help Classify Your Data [2]
Restricted data is considered to be highly sensitive business or personal information. Financial information for your town or city, payroll information, Social Security numbers of your employees or utilities customers and other critical business information would be considered restricted data.
Restricted data is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data, even within a workgroup or department. Unauthorized disclosure of this information could have a serious adverse impact on the municipality or individuals. Restricted data may require additional security requirements when selecting an appropriate backup method.
Sensitive data is data that has personally identifiable elements attached to it. Sensitive data is intended for use within the organization or within a specific department or group of individuals with a legitimate need to know. Unauthorized disclosure of this information could adversely impact the municipality or individuals. Sensitive data may require additional security requirements when selecting an appropriate backup method.
Public data has been approved for distribution to the public by the data owner or through the organization’s administration. Public data requires no authorization to view and may be considered informational in nature. While public data could be troubling to lose if a disaster occurred, day-to-day operations could continue and no harm would come to your organization legally if it were lost for a time period.
- Assign risk to data
Not all data is created equal. It is simple enough to classify your restricted data as critical to back up, but beyond that it might be difficult to distinguish what should be backed up and what can just be replicated or stored. For your sensitive data and public data, it is a good practice to take your information one step further and rate the risk of losing that information or of that information becoming corrupt. To assign risk you will want to look at several factors. Is this data essential to continue business immediately? How many staff hours will it take to recreate this data? Decide what the risk of losing this data is for your organization’s business continuity and “sub-categorize” the data risk as high, medium or low.
Below are some examples of how classifications and risk might look at an organization. Every organization is going to classify its data differently.
- Financial Systems – Restricted Data/High Risk
- Payroll Information – Sensitive Data/High Risk
- City Clerk Election Data – Restricted Data/High Risk
- Emails – Sensitive Data/Medium Risk
- Website – Public Data/Medium Risk
When choosing a backup product, make certain you are comparing apples to apples. Does the product you are looking at offer encryption, support and compression/de-duplication? (De-duplication is the process of removing duplicate data from within a data set to decrease the overall stored size, which may help reduce your costs.)
- Determine the cost
Now that you have several scenarios in place for your classified data and your data’s risk, you will have an easier time of pricing the backup products you are investigating. Just remember step #5 and make certain you are paying for the same functionality when you are comparing products.
- What does your organization do with the files that are not being backed up?
After you have determined what data will be put in a backup service, what should your organization do to maintain and secure the remaining data in your organization?
- Finish defining your data policy
You have come this far, so why not determine what is left to define a data policy for your organization? Below are some other items to consider:
- Data retention policy – how long should your municipality keep its information? Is there a law that determines this for your city or town?
- Does your organization fall under any guidelines that would require special documentation, reporting or security?
- Do your utilities offer online bill pay?
- What is your email retention policy?
- Do you have a formal procedure to put policies into place?
Disaster recovery planning can be a time-consuming process, so time-consuming that we may be tempted to put it on the back burner with “someday” projects. However, if disaster strikes, your organization is going to be thankful you planned properly. Taking care of the recovery of your critical information needs is just one step in a full disaster recovery plan, but in many cases it can be one of the most critical steps. Take the time to get it done; you will be glad you did. MOREnet would be happy to answer any questions for you along the way. We can help make this daunting task a little easier.
For more information visit www.more.net or call Matt Parris, Manager of Member Relations at (573) 882-8697.
[1] This checklist is a guideline to help your organization get started or improve the data security in case of a disaster or system failure. It does not replace legal advice.
[2] Classifications and definitions were in part created in reference to the University of Missouri System, Information Security - Data Classification. For more information visit http://infosec.missouri.edu/classification/dcs.html.