He Who Laughs Last Made A Compliant Backup
By Mark Wayne, Solutions Team Lead at iOCO
The risks associated with non-compliant, ineffective backups are huge, particularly when you consider that around 95% of cyber-attacks prioritise the backup data to improve the odds of crippling the target organisation. Without backup data to support recovery from an attack, the perpetrators are far more likely to succeed in their extortion.
However, cyber-attacks are not the only reason backups are crucial: organisations of all sizes must comply with the likes of POPIA, the ECT Act, the Cybersecurity Act and ISO 27001 as they relate to backups, including the standards, security controls and encryption required for backup data.
In addition, during legal proceedings where backup data is used as evidence, an organisation must be able to prove that the data has not been compromised. Using backed-up data as evidence happens more often than one might think: it may be required in cases of negligence, fraud, or a range of other investigations.
As the concentration point for all the organisation’s data, IP and correspondence, the backup is an irreplaceable repository of everything about the company and its IT systems.
If your backups are immutable, encrypted and properly secured, then even if the rest of your IT environment is in disarray, you’ll know you’re compliant and can recover from disasters. Compliant backups are your last line of defence, giving you the ability to sleep at night, which is why we say, ‘He who laughs last made a compliant backup’.
Achieving compliant backups
Compliant backups need to be immutable, meaning they cannot be changed, destroyed, or overwritten. They must be protected by role-based access control, multi-factor authentication, and security and event logging.
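Two of the points above, proving in legal proceedings that backup data has not been compromised, and detecting any change to data that is supposed to be immutable, both rest on being able to verify backup integrity independently of the backup software. The following is an added example, not code from the article or from iOCO: it builds a per-file SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key (so an attacker who can edit files cannot simply re-hash them and rewrite the manifest), and later checks the stored files against it. The directory layout, file names, contents and the key are all constructed for the demonstration; in practice the key lives in an HSM or key vault and the manifest is written to the immutable store alongside the backup.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large dumps do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = hash_file(full)
    return entries


def _canonical(entries):
    # Fixed key order and separators so the same content always signs identically.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries, key):
    """Attach an HMAC-SHA256 tag computed over the canonical manifest body."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac_sha256": tag}


def verify_backup(root, manifest, key):
    """Return (ok, problems). The manifest tag is checked before any file is trusted."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return False, ["manifest signature mismatch"]
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: sign a backup set, then tamper with it and with the manifest."""
    key = b"constructed-demo-key-real-keys-belong-in-an-hsm"  # assumption: demo key only
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "db.dump"), "wb") as f:
            f.write(b"constructed database dump\n")
        with open(os.path.join(root, "mail.pst"), "wb") as f:
            f.write(b"constructed mailbox export\n")
        manifest = sign_manifest(build_manifest(root), key)

        results["clean"] = verify_backup(root, manifest, key)

        # Someone appends to a file that should be immutable.
        with open(os.path.join(root, "db.dump"), "ab") as f:
            f.write(b"tampered\n")
        results["tampered_file"] = verify_backup(root, manifest, key)

        # Someone re-hashes the files and rewrites the manifest without the key.
        forged = {"files": build_manifest(root), "hmac_sha256": manifest["hmac_sha256"]}
        results["forged_manifest"] = verify_backup(root, forged, key)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} {problems}")
```

The order of checks matters: the HMAC over the manifest is verified first, so a rewritten manifest is rejected outright and its per-file hashes are never consulted. Running the verifier on a schedule, from a host that holds only the verification key, gives the kind of independent evidence of integrity that a court or an auditor will ask for.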
Achieving compliant backups starts with having the right backup and disaster recovery policies in place.
The backup policy document should be comprehensive, covering everything from what exactly constitutes a disaster, through quantifying the risk of one occurring, to stipulating how quickly the organisation must recover. Policies and procedures around data retention, change authorisation, encryption, access control and multi-factor authentication must be included.
It should also cover data categorisation, both to comply with retention requirements and to support cost management, since different types of data must be retained for different timespans. This determines the amount of storage required and the associated costs.
Backup policies should also cover physical access controls, including who may sign out the keys and a requirement that the server itself has a locking bezel. For proper compliance and governance, the policy will also state how regularly disaster recovery tests should be conducted, be that several times a year or every month.
A solid backup policy document is an essential tool to support procurement, since choosing between backup solutions, cloud and storage vendors can be confusing. There are myriad options (cloud, on-prem, partner-hosted) at different price points, each with its own pros and cons. Having a solid backup policy in place helps the organisation choose solutions that align with the policy and include all the required standards and controls.
Expert support for compliant backups
iOCO supports clients in assessing and improving current backup strategies and implementing robust backup and DR solutions.
Our methodology and preferred route is to start with compliance and look at the existing backup policies to ensure any technologies we recommend align with these policies.
Where backup policies fall short, our compliance and governance consulting teams can support organisations in developing comprehensive and compliant backup policy documents. Based on these, our technical experts implement the appropriate backup hardware and software. It should be noted that most newer systems can be configured to be compliant: you can make an existing system compliant with the help of the backup and DR specialists at iOCO.
