S 6.71 Data backup for a mobile IT system
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
Mobile IT systems (e.g. laptops, notebooks) are normally not connected permanently to a network. Data exchange with other IT systems is normally performed using data media or temporary network connections. For example, the latter may be implemented via remote access or direct connection to a LAN when returning to the workplace. As opposed to stationary clients, it is therefore mostly unavoidable for mobile IT systems to store the data locally at least temporarily instead of storing it to a central server. This data must be protected against loss by taking the appropriate data backup measures.
In general, it is possible to use the following data backup procedures for backing up the data:
- data backup to external data media
The advantage of this procedure is that data can be backed up at virtually any location and at any time. The disadvantage is that a suitable drive and sufficient data media must be carried along and that the user has the additional burden of handling the data media properly. The data media should have sufficient memory capacity so that the user is not required to insert several data media into the drive for each backup procedure. If the data is stored without any encryption, there is also the risk that sensitive data is compromised if the data media are lost. The data media and the mobile IT system should be stored separately as far as possible so that the data media are not lost in the event of a loss or theft of the IT system.
Storing the data to external data media for data backup purposes particularly makes sense if the data is also exchanged with other IT systems using external data media. It may be possible to combine those two processes. After the user has returned to the workplace, the data backups on the data media must be transferred into the backup system or the production system and/or the central data storage of the organisation.
- data backup using temporary network connections
If it is possible to connect the IT system to the network at regular intervals, e.g. using remote access, the local data may also be backed up using the network connection. Here, the advantage is that the user does not have to manage any data media and carry along a corresponding drive. Furthermore, the procedure may be largely automated, for example data backup may be started automatically after every login procedure when using remote access.
A deciding factor when backing up data using a temporary network connection is that the bandwidth must be high enough to handle the volume of data to be backed up. Data transmission must not take too long and must not cause any excessive delays if the user must access remote resources at the same time. When older access technologies are used (e.g. ISDN, modem, mobile phone), it is only possible to transport small amounts of data during each backup operation. Therefore, some data backup programs provide the option of using the network connection to transmit only information on the changes made to the database since the most recent data backup. In many cases, this method may significantly reduce the volume of data to be transported.
An important requirement for the software used to back up the data is that it can detect unexpected losses of connection and handle them properly. The consistency of the backed up data must not be affected adversely by lost connections.
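The following Python sketch is an added example, not part of the original safeguard text, of how a backup receiver can meet this requirement: a backup is committed only after the complete stream has arrived and its checksum matches. It assumes the client announces the SHA-256 of the backup before sending it; `receive_backup`, `flaky_link`, `ConnectionLost` and the file name `laptop.bak` are hypothetical names, and the backup data is constructed for the demonstration.

```python
import hashlib
import os
import tempfile

class ConnectionLost(Exception):
    """Raised by the simulated transport when the link drops mid-transfer."""

def receive_backup(chunks, expected_sha256, dest_path):
    """Commit one backup stream; return True only if it arrived intact.
    Chunks go to a temporary file that replaces dest_path only after the
    full stream's SHA-256 matches, so a dropped link keeps the last good copy.
    """
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".partial")
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:              # may raise ConnectionLost
                tmp.write(chunk)
                digest.update(chunk)
            tmp.flush()
            os.fsync(tmp.fileno())            # on disk before it is published
        if digest.hexdigest() != expected_sha256:
            return False                      # truncated or corrupted stream
        os.replace(tmp_path, dest_path)       # atomic within one file system
        return True
    except ConnectionLost:
        return False
    finally:
        if os.path.exists(tmp_path):          # discard the partial file
            os.remove(tmp_path)

def flaky_link(data, chunk_size, drop_after=None):
    """Constructed transport: yields chunks, optionally dropping the link."""
    for sent, start in enumerate(range(0, len(data), chunk_size)):
        if drop_after is not None and sent >= drop_after:
            raise ConnectionLost("link dropped")
        yield data[start:start + chunk_size]

def demo():
    """One complete transfer, then an interrupted one, to the same target."""
    old, new = b"backup generation 1" * 100, b"backup generation 2" * 100
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "laptop.bak")
        ok = receive_backup(flaky_link(old, 256), hashlib.sha256(old).hexdigest(), dest)
        dropped = receive_backup(flaky_link(new, 256, drop_after=3),
                                 hashlib.sha256(new).hexdigest(), dest)
        with open(dest, "rb") as f:
            return ok, dropped, f.read() == old, os.listdir(d)
```

After the interrupted second transfer the target still holds the first, complete backup and no partial file remains, so the client can simply retry at the next connection.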
When one of these two data backup procedures is used, the objective is to minimise the volume of data to be backed up. In addition to the use of the lossless compression methods integrated into numerous data backup programs, it is also possible to use incremental or differential backup procedures (see also S 6.35 Stipulating data backup procedures). However, the use of such backup procedures may increase the time and effort required to restore data from a backup under some circumstances.
The data backup should be automated as far as possible so that users need to perform as few tasks themselves as possible. If user interaction is required, the users should be required to perform data backups regularly (see S 2.41 Employees' commitment to data backup). Finally, it should be checked sporadically whether it is possible to restore the data from the data backups generated (see S 6.22 Sporadic checks of the restorability of backups).
Review questions:
- Is data backup regulated for mobile IT systems?