Best Practices for Storage Security
by Allan Rocek - Director, Professional & Education Services, Symantec Enterprise Administration - Wednesday, 9 June 2004.
IT professionals and their businesses have learned the hard way in recent years that disaster can strike at anytime and that they must be prepared. Companies unable to resume operations within ten days of a disaster hit are not likely to survive, stated a study from the Strategic Research Institute. In an attempt of protection, upwards of 60-70 percent of companies begin a disaster recovery plan, but never finish due to the overwhelming and complexity of plans or they gets put on the back burner. However, the business costs associated with network downtime and data loss make secure backup and recovery an economic necessity. A recent study by Pepperdine University states that 40 percent of data loss stems from hardware failure and 29 percent from human error. Thus, specific procedures for creating backups and a plan of action for recovery are essential to any modern business wishing to secure storage.

Prepared Plan with Regular Performance Checks

Data loss can result from many factors, including: fire, power outages, employee theft, viruses and hackers, as well as modern tragedies that can leave companies without access to buildings and important documents. Preparation is the key. Those who are prepared have a better chance of overcoming losses with minimal damage. The first step is to back up the system regularly. Often times the problem isnít that companies are not creating backups, but that they are not verifying the efforts. This results in "false backups" where data is believed to be secured, only to find in an emergency the backups failed and data has been lost. This is especially true with tape backups as tapes can be more easily corrupted, damaged, worn out, or employees can forget to change the tapes. In either case, it is too late and data is already lost which can often take weeks, or even months for these systems to be restored, if ever. Therefore, it is extremely important for companies to follow best practices and create policies and procedures for creating regular backups and for testing their recovery environments. Among these policies should be regularly scheduled test recoveries in order to ensure that backup policies and procedures are working properly. Recovery events should be conducted once a quarter to make sure backups are running as planned.

The Recovery Plan

Companies must also implement fast recovery plans in the event of data loss or systems interruption in conjunction with regular backups. The first step in planning for recovery is the assessment of your environment. When assessing what to include in a disaster recovery plan, companies should keep in mind the following:

1. What network resources are most important?

2. What is the value of those resources, monetary, or otherwise?

3. What possible threats do these resources face?

4. What is the likelihood of those threats being realized?

5. What would be the impact of those threats on the business, employees, or customers, if those threats were realized?

6. Which resources do you need to bring online first?

7. What is the amount of time each one of these resources can be down?

8. Set an allowable downtime for each resource.

9. Set decontamination process for viruses, worms, etc.

When determining the value of an asset, organizations must consider both its monetary value and intrinsic value. Monetary value can be determined by considering what would happen if the asset was unavailable for any reason. Intrinsic value is the loss of data, privacy, legal liability, unwanted media exposure, loss of customer or investor confidence, and the costs associated with repairing security breaches. Once information assets are identified and valued, threats to those assets must be evaluated.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th