S 2.138 Structured data storage
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
Poorly structured data storage can lead to a wide variety of problems. For this reason, all IT users should be instructed on how to store data in clear, well-structured patterns. Appropriate structures should be specified by the administrators on all servers. This is also a prerequisite for achieving a differentiated allocation of access rights.
Program and work files should always be stored in separate areas. This provides a clear overview and also makes it easier to perform data backups and ensure correct access protection. Most application programs modify no configuration files, or only very few, after installation. If possible, all files which are modified regularly should be stored in separate directories so that only these directories need to be included in the regular data backups.
When programs and data are separated clearly, it is sufficient to include the data in the regular data backups. It is important to store and secure work files carefully; they can thus also be processed on other systems if necessary.
In the case of networked systems, it is also necessary to determine which programs and files should be stored on local hard disks or on a network server. Both options have advantages as well as disadvantages and must be evaluated in accordance with the existing organisational structure as well as the hardware and software in use. For example, files which need to fulfil high availability requirements and the related application programs should be stored on workstation computers instead of the network server. In this case, appropriate contingency planning measures also need to be implemented for these workstation computers.
Task-specific or project-specific directories should be created in order to facilitate the allocation of files. As few files as possible should be stored in personal directories.
To prevent the existence of different versions of basic files required for ongoing activities, such as letter templates, forms, project plans etc., such files should be managed centrally. For example, these files should be stored on a server so that all users have read access to them, but only one person is authorised to modify each individual file.
The following example shows how data can be structured on a server by specifying directory paths:
\
\bin
\bin\program1
\bin\program2
\bin\program3
\user
\user\user1
\user\user2
\projects
\projects\p1
\projects\p1\texts
\projects\p1\images
\projects\p2
\projects\p2\projectplan
\projects\p2\sub-project1
\projects\p2\sub-project2
\projects\p2\sub-project3
\projects\p2\result
\standard forms
A regular check is required to determine whether:
- data can be removed from the production system through archiving or deletion,
- access rights can be withdrawn after employees have left a project group,
- the latest versions of forms, templates etc. are stored on all IT systems.
These checks should be performed regularly by users on their IT systems and the directories managed by them, and by the server administrators. The checks should be made at least once every three months; otherwise employees will no longer be able to recall the contents and origin of the files.
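The following script is an added example, not part of the original safeguard text. It runs over a tree laid out like the example above and reports files not modified within the check interval (candidates for archiving or deletion), copies of centrally managed templates whose content differs from the central version, and files kept in personal directories. The directory names, the 90-day threshold, the finding labels and the sample files are assumptions constructed for illustration; the access-rights check is not covered because it depends on the platform's permission tooling.

```python
import hashlib
import os
import time
from pathlib import Path

STALE_SECONDS = 90 * 86400  # assumed threshold: the three-month check interval

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(root, templates="standard forms", personal="user", now=None):
    """Return sorted (finding, relative path) pairs for the regular check."""
    root = Path(root)
    now = time.time() if now is None else now
    # Reference hashes of the centrally managed templates and forms.
    central = {p.name: sha256(p) for p in (root / templates).rglob("*") if p.is_file()}
    findings = []
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or rel.parts[0] == templates:
            continue
        if now - p.stat().st_mtime > STALE_SECONDS:
            findings.append(("archive-or-delete", rel.as_posix()))
        if p.name in central and sha256(p) != central[p.name]:
            findings.append(("outdated-copy", rel.as_posix()))
        if rel.parts[0] == personal:
            findings.append(("personal-directory", rel.as_posix()))
    return sorted(findings)

def build_sample(root):
    """Create a small constructed tree that follows the example layout."""
    files = {
        "standard forms/letter.tpl": "letter v2",     # central master copy
        "projects/p1/texts/letter.tpl": "letter v1",  # differing local copy
        "projects/p1/texts/report.txt": "report",     # aged below
        "projects/p2/result/summary.txt": "summary",  # no finding expected
        "user/user1/notes.txt": "notes",              # personal directory
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    old = time.time() - 120 * 86400  # last modified about four months ago
    os.utime(Path(root) / "projects/p1/texts/report.txt", (old, old))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in audit(tmp):
            print(f"{kind:20} {path}")
```

Staleness here is judged by modification time only, so a file that is still read regularly but never changed is also reported and needs a manual decision.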
Review questions:
- Are structures for structured data storage created on all servers of the organisation?
- Are all users informed on how data is stored in a structured manner?
- Are program and work files stored separately?
- Are there rules specifying which data is to be stored locally and/or in the network?
- Is storing data in personal directories avoided?
- Are template files managed in a centralised manner?
- Is compliance with the specifications for structured data storage checked on the servers at least once every three months?