Backup systems
Backups provide protection against many forms of data loss by creating multiple, regular, distributed copies. While they ensure short-term integrity and the ability to reconstitute data, they are not intended to store data over a long period of time or permanently.
Backup systems are designed to create a copy of all relevant records, information and data for the purpose of recovery and mitigating data loss. Backups are essential to mitigate the effect of cyber attacks, hardware or software failures, and human errors. Keeping up-to-date backups ensures that in an event of damage or loss to the original records, there is minimal impact on business, reputational damage, and downtime.
There are many types of backups including full backups, local backups, incremental backups, remote and cloud backups. A risk assessment should be undertaken to identify the most appropriate backup for your organisation.
Note: Backup systems are not a recordkeeping system. |
|---|
Backup systems are not a long-term information management strategy. Rather, they are designed to restore a system to a fixed time and date and generally can only be accessed and read on the system they back up. If that system has been retired or superseded, the backup may be inaccessible.
Long-term information access is one of the purposes for organisational recordkeeping and information management strategies. This generally makes backups unsuitable for long term information management, because they do not provide an easy means to go back and analyse past data, and access past decisions, actions and transactions.
Organisations need both information management strategies and backup processes to comprehensively protect their records, information and data. Managing backup systems is a specialist role for ICT staff, and State Records NSW does not prescribe detailed requirements for the management of backup systems.
Public offices need to consider the following when identifying and planning how backups can assist with maintaining the integrity of records, information, and data.
1. Backup processes copy data only as it was maintained in your corporate systems and networks at a particular point in time.
Access to information and determining where you might find it, therefore relies on knowing the administrative and IT structures that were used to create and control the information.
Administrative and IT structures can change significantly quite quickly. One or two years down the track, it may be difficult to determine where it was located or on which disk/tape.
This may necessitate restoring large volumes of data, at great expense, to find the required information.
You need all of the following to extract information from backup:
- the software used for the backup (probably within a short version range)
- a physical device that will read the backup media (for example an SDLT or LTO tape drive to read SDLT or LTO tapes) and
- a similar physical infrastructure to the original environment that was backed up (for example, a Windows server with particular disk characteristics).
All of these components will be readily available in short term scenarios but as soon as you move into timeframes of 3 to 5 years, gaining access to appropriate components will become increasingly expensive or difficult.
Once any of these components are no longer available, or no longer work effectively with the other components, access to the backed-up information is effectively lost.
Backup media also physically deteriorates without active management which increases the likelihood of information loss if the backup is used as a longer-term information management strategy.
2. Management of backup systems
Records and information management staff and the ICT unit must work together to develop coordinated information management and backup strategies.
Business continuity strategies and information management strategies must work hand in hand, with the latter relied on to protect and maintain information of long-term business value.
To develop these coordinated approaches, records and information management staff and the ITC unit need to:
- work together to understand their respective approaches
- determine the information management strategies that are needed to support long term value business information
- ensure that backup systems are only retained for as long as required to meet business continuity purpose.
determine the approach to backup systems including type or backups, quality testing of backups and how often the backups are updated (e.g. daily, weekly, monthly)