S 6.47 Storage of backup copies as part of telecommuting

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Telecommuter

When telecommuting, data may be processed on a variety of IT systems and at various locations, for example on servers and clients in the organisation, but also on clients at the telecommuter's workplace. It must be ensured that all relevant data at the telecommuter's workplace is backed up. The data backup policy of the organisation should not only be restricted to the servers, but also needs to include the telecommuter workstations. In general, the following procedures can be used for backing up the data at the telecommuter's workplace:

• Data backup to external data media
  
  In this case, the telecommuter workstations must have the corresponding technical equipment available. The equipment needed includes the external data media required for the backups, but also the corresponding computer hardware and software. In addition, the telecommuters must be trained accordingly so they can perform data backups themselves.
• Data backup using the network
  
  The local data can also be backed up using the connection to the organisation's network. An advantage of this method is that the data backups are not performed by the telecommuters themselves, which means they do not need to manage any backup data media either.
  
  A deciding factor when backing up data using a network connection is that the network bandwidth is high enough to handle the volume of data to be backed up. The data transmissions should not take too long or cause extensive delays when remote resources are accessed during transmission of the data. When older access technologies are used (e.g. ISDN, modem), it is then only possible to transport small amounts of data during each backup operation. Depending on the data backup program used, it may be possible to transmit only those changes made to the database since the last data backup (incremental data backup). In many cases, this method may significantly reduce the volume of data to be transported.
  
  An important requirement for the software used to back up the data is that it can detect unexpected losses of connection and handle them properly.

For both of these data backup procedures, it is desirable to minimise the volume of data to be backed up. In addition to the use of the lossless compression methods integrated into numerous data backup programs, it is also possible to use incremental or differential backup procedures (see also S 6.35 Stipulating data backup procedures). However, the use of such backup procedures may increase the time and effort required to restore data from a backup under some circumstances.

The data backup should execute automatically, if possible, so that the telecommuters only need to perform a few tasks themselves. If user interaction is required, they should be required to perform data backups regularly (see S 2.41 Employees' commitment to data backup). Finally, it should be checked sporadically whether it is possible to restore the data from the data backups generated (see S 6.22 Sporadic checks of the restorability of backups).

Storage of backup data media

If data backups are generated in the home environment, the data backup media must be stored under lock and key. It must be ensured that only the telecommuter and his/her substitute have access to the media.

One generation of data backup media should be stored at the organisation, though, to ensure the substitutes have access to the data backup media in the event of a disaster.

Review questions:

• Is all data processed while telecommuting backed up regularly?
• Is the data backup procedure selected adequate and suitable for handling the volumes of data to be backed up?
• Is as little intervention as possible required from the telecommuters when backing up the data?
• Is one generation of the data backup media stored at the organisation?