2. What is the value of those resources, monetary, or otherwise?
3. What possible threats do these resources face?
4. What is the likelihood of those threats being realized?
5. What would be the impact of those threats on the business, employees, or customers, if those threats were realized?
6. Which resources do you need to bring online first?
7. What is the amount of time each one of these resources can be down?
8. Set an allowable downtime for each resource.
9. Set a decontamination process for viruses, worms, etc.
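The steps above amount to a small risk register: value each resource, score likelihood and impact, decide the recovery order, and set an allowable downtime. As an added example (not from the original article), the script below works through those steps on a constructed asset inventory and, in addition, checks whether the backup restore path can actually meet the allowable downtime set in step 8; the asset names, scales and throughput figures are all assumed.

```python
from dataclasses import dataclass


# Constructed asset inventory for illustration only. Likelihood and impact
# use a 1-5 scale; allowable_downtime_h is the figure agreed in step 8.
@dataclass
class Asset:
    name: str
    monetary_value: float          # step 2: cost of the asset being unavailable
    likelihood: int                # step 4: 1 (rare) .. 5 (almost certain)
    impact: int                    # step 5: 1 (minor) .. 5 (severe)
    allowable_downtime_h: float    # step 8: agreed maximum outage in hours
    backup_size_gb: float          # size of the most recent full backup
    restore_rate_gb_per_h: float   # measured throughput of the restore path


ASSETS = [
    Asset("customer-db", 250_000, 3, 5, 4, 800, 100),
    Asset("erp", 120_000, 2, 4, 8, 400, 100),
    Asset("file-share", 30_000, 4, 2, 24, 2000, 100),
    Asset("wiki", 5_000, 2, 1, 72, 50, 100),
]


def risk_score(a: Asset) -> int:
    """Step 4 x step 5: likelihood times impact; higher means riskier."""
    return a.likelihood * a.impact


def recovery_order(assets):
    """Step 6: bring up the assets with the tightest allowable downtime first,
    breaking ties by risk score and then by monetary value."""
    ranked = sorted(assets, key=lambda a: (a.allowable_downtime_h,
                                           -risk_score(a), -a.monetary_value))
    return [a.name for a in ranked]


def estimated_restore_h(a: Asset) -> float:
    """Hours needed to restore the full backup at the measured rate."""
    return a.backup_size_gb / a.restore_rate_gb_per_h


def rto_gaps(assets):
    """Assets whose estimated restore time exceeds the allowable downtime from
    step 8, with the shortfall in hours: the backup plan cannot meet them."""
    return {a.name: round(estimated_restore_h(a) - a.allowable_downtime_h, 2)
            for a in assets if estimated_restore_h(a) > a.allowable_downtime_h}


if __name__ == "__main__":
    print("Recovery order:", recovery_order(ASSETS))
    print("RTO gaps (hours over allowance):", rto_gaps(ASSETS))
```

Any asset listed by `rto_gaps` needs either a shorter restore path (faster media, staged or incremental restores) or a renegotiated allowable downtime before the plan is signed off.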
When determining the value of an asset, organizations must consider both its monetary value and its intrinsic value. Monetary value can be determined by considering what would happen if the asset were unavailable for any reason. Intrinsic value covers the loss of data, privacy, legal liability, unwanted media exposure, loss of customer or investor confidence, and the costs associated with repairing security breaches. Once information assets are identified and valued, threats to those assets must be evaluated.
Although types of sensitive data can be quite broad and vary from organization to organization, there are a few key types of information that every business should plan to protect. These include all data related to strategic plans, business operations, and financial data. Damage to or loss of any of this information can result in decreased sales, reduced competitive advantage, and decreased profits for the victimized company.
Companies also need to make sure that their backup, retention, and recovery policies comply with industry standards and government regulations when thinking about the security of their storage. Industry guides such as the International Standards Organization (ISO) 17799 and government regulations such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act help provide a framework for improved corporate governance and controls. Accurately written and enforced, information security policies enable organizations not only to demonstrate their adherence to these critical regulations and standards but also to articulate their own.
Combine Backups with Other Security Technologies
Companies also should plan beyond backup storage and use preventative measures to ensure systems are safeguarded. This includes the use of antivirus software, firewalls, and intrusion detection software. Intrusion detection, which acts as an alarm system protecting vulnerable data from both internal and external threats, is vital because it monitors critical files for tampering and checks network traffic for "attack signatures." If an anomaly is detected, an alarm notifies the administrator for further investigation or action. With intrusion detection, if an attack should occur, companies will have early warning to quarantine the threat and protect their current backup data before damage can be done to critical systems. Also, using products and best practices for integration from the same vendor supports continuity planning, resulting in an easily managed, comprehensive solution.