S 2.137 Procurement of a suitable data backup system
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
The majority of the errors occurring when creating or restoring a data backup can be attributed to incorrect operations. Therefore, not only the performance capability of a data backup system should be taken into consideration during procurement, but also its user-friendliness and particularly its tolerance for user errors.
When selecting backup software, it should be ensured that the selected solution meets the following requirements:
- The data backup software should be able to detect an incorrect medium and a damaged medium in the backup drive.
- It should cooperate smoothly with the existing hardware.
- It should be possible to perform the backups automatically at specified times and/or at adjustable regular intervals without requiring manual intervention (other than providing backup data media when needed).
- It should be possible to inform one or more selected users automatically of the results of the backup and of any error messages by email (or using a similar mechanism). Each backup run, including its result and any error messages, should be recorded in a log file.
- The backup software should support protection of the backup medium using a password or, even better, using encryption. Furthermore, it should be able to save the data backed up in compressed form.
- It should be possible to specify exactly which data should be backed up and which should not by specifying suitable Include and Exclude lists when selecting the files and directories to be backed up. It should be possible to add these lists to backup profiles, save them, and then use them again for later backup jobs.
- It should be possible to select the data to be backed up based on the date it was created and/or its time of last modification.
- The backup software should support the generation of full logical and physical backups as well as incremental backups (change-only backups).
- It should also be possible to store the data to be backed up to hard disks and network drives.
- The backup software should be able to automatically compare the data backed up to the original data after the backup and to automatically compare the restored data to the data stored on the backup data medium after restoring the data.
- When restoring files, it should be possible to select whether the files should be restored to their original locations or to another hard disk and/or directory. Likewise, it should also be possible to control the response of the software when there is already a file of the same name stored at the destination specified. In this case, it must be possible to select whether this file is always overwritten, never overwritten, only overwritten when the existing file is older than the file to be restored, or only overwritten after providing confirmation in an explicit query.
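The automatic comparison and the Include and Exclude lists required above can be checked independently of the product during evaluation. The following is an added example, not part of the original safeguard text or of any backup product: it hashes an original tree and a test restore and reports the differences. The function names, the glob-style patterns, and the use of SHA-256 are assumptions made for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

def selected(rel_path, include, exclude):
    """Apply Include and Exclude lists (glob patterns); an exclude match wins."""
    if any(fnmatch.fnmatch(rel_path, pat) for pat in exclude):
        return False
    return any(fnmatch.fnmatch(rel_path, pat) for pat in include)

def manifest(root, include=("*",), exclude=()):
    """Map each selected relative path under root to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if selected(rel, include, exclude):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                result[rel] = digest.hexdigest()
    return result

def compare(original, restored):
    """Return files missing from, altered in, or unexpected in the restore."""
    return {
        "missing": sorted(set(original) - set(restored)),
        "changed": sorted(p for p in original.keys() & restored.keys()
                          if original[p] != restored[p]),
        "unexpected": sorted(set(restored) - set(original)),
    }

def demo():
    """Constructed sample trees: one file corrupted, one lost, one excluded."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        sample = {"docs/a.txt": b"alpha", "docs/b.txt": b"beta", "cache/x.tmp": b"junk"}
        for rel, data in sample.items():
            for root in (src, dst):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        with open(os.path.join(dst, "docs/a.txt"), "wb") as fh:
            fh.write(b"alphA")                      # simulated silent corruption
        os.remove(os.path.join(dst, "docs/b.txt"))  # simulated lost file
        rules = {"include": ("docs/*",), "exclude": ("*.tmp",)}
        return compare(manifest(src, **rules), manifest(dst, **rules))
```

A product that reports a successful restore while this check lists entries under "missing" or "changed" does not meet the comparison requirement.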
If the program used provides for password protection for the data backup, this option should be used. In this case, the password must be stored securely (see S 2.22 Escrow of passwords).
Most operating systems provide data backup programs. However, not all of these programs meet the requirements placed on products for professional and convenient data backups. If no such products are available, the programs provided by the operating system should be used.
Review questions:
- Were data backup systems procured that meet the requirements of the security and backup policies?