<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>policies</title>
<link>http://www.computersight.com/tags/policies</link>
<description>New posts about policies</description>
<item>
<title>Backup Policies</title>
<link>http://www.computersight.com/Computers/Backup-Policies.441805</link>
<description>
<![CDATA[<p>The speed and completeness by which a business recovers from a major catastrophe is of the highest order of importance. More often than not these are the two characteristics that will determine the organization's ultimate capability to survive the event and then move forward to rapidly return to pre-catastrophe status or above.</p>
<p><strong>Rebound</strong> - The process of recovering and returning to a “business as usual” state is known as “rebound”, and it is the decisive factor in managing and validating data integrity, confidentiality and accessibility. A security breach during restoration would undoubtedly mar an otherwise successful restore operation, so confidentiality should be paramount when developing a backup policy.</p>
<p>Another factor that needs to be taken into consideration is that a backup policy, no matter how thorough, does not in itself constitute a disaster recovery plan. It is but one element of the more expansive disaster recovery plan, albeit a critical one. Think of it as a team player.</p>
<p><strong>Compartmentalization</strong> - Although disaster recovery plans can be very intricate, lengthy and involved, it is compartmentalization that allows us to ease the burden of their design, development, implementation, maintenance and updating. All elements should work together transparently as a unit and yet still possess the modularity that allows for their independent, parallel development.</p>
<p><strong>Restoration</strong> - One critical component of the overall disaster recovery planning process is the ability to restore all data to its pre-catastrophe state. It is here that your backup policies and backup processes weigh heavily.</p>
<p><strong>Vigilance</strong> - Regular checks and measures must be made in order to test, repair and ensure that the policy is indeed being followed.</p>
<p>The following sections are intended to serve as a quick guide for a small business to complete a backup policy to ensure that their data is secure and available. Here are some of the components that will need to be included in backup policies suitable for the small to medium business:</p>
<p><strong>Overview</strong> - Outlines exactly what is to be backed up and how. Details will include specific computers, servers and their roles (file server, mail server, web server, FTP server, authentication server etc.) The roles to be played by users will also be detailed here.</p>
<p><strong>Purpose</strong> - States the intended purpose(s) for having a backup policy in the first place. For example: to ensure that data is recoverable in the event of an emergency such as terrorist activities, severe weather, server failure and theft.</p>
<p><strong>Capacity</strong> - Details of exactly what systems and components are to be included in your backup regimes (e.g. laptops, rented machines, home, shop, or just company assets). Location details will be included in this section of your backup policy. What data and data sources will be included, and where are the backups going to be stored? Who has access to the backups?</p>
<p><strong>Definitions</strong> - Highly trained, computer-aware technical experts are not the only ones who will need to use this backup policy. So it is important that technical terminology is clearly stated and defined in order to eliminate misunderstandings and misconceptions. Explain how the entire process works. Terms that might be included here include: Backup, Archiving, Incremental backup, Full backup, Differential backup and Restore etc. Provide details regarding the backup media to be used, including its advantages and disadvantages.</p>
<p><strong>Frequency</strong> - List the type of backup and when it will occur. For example: full backups will be conducted every Saturday at 10 PM while incremental backups will take place every other day at 4 PM. Users will need to be made aware of the time by which any data they require to be backed up must be copied to the appropriate machine ready for the backup.</p>
<p><strong>Media Rotation</strong> - Define the types of media to be used and if any media is to be overwritten. The specifics of media rotation and overwriting will be detailed in the media rotation section of a backup policy.</p>
<p><strong>Testing</strong> - Details of when tests are to take place to ensure that all goes according to plan. This must include both processes: the backups and their restores. Restoration policies can be developed separately or as a component of the backup policy.</p>
<p><strong>Responsibility</strong> - Who is responsible for the confidentiality, integrity and accessibility of the backup regime? Who is to perform the backup procedures? All personnel involved in the backup processes will need to have a clearly defined role. Use sign-off sheets and checklists to ensure that nothing is inadvertently overlooked.</p>
<p><strong>Data</strong> - Here you will define precisely what data is to be backed up. This will include workstations, servers, networking devices etc. Define whether or not the system state is to be backed up along with the data. What are the security implications? Will drive/partition imaging software be involved? Will full data encryption be required? List all computers, their locations and their roles.</p>
<p><strong>Regulatory Requirements</strong> - Many new legislative acts require businesses to keep their backups for a set number of years. You will want to ensure all pertinent information pertaining to these backups is stated in this policy. Where are the tapes stored? Personally identifiable information and its backup, storage and management will need to be detailed and all relevant legislation complied with.</p>
<p><strong>Storage</strong> - Detail the data and backup storage locations, parameters and authorized accessibility. Detail also the procedures for retrieval of backed-up data and backup media in storage. Ensure that all backups and data are stored in at least two separate locations. Ideally at least one location should be off-site.</p>]]></description>
<pubDate>Thu, 08 Jan 2009 04:10:15 PST</pubDate></item>
<item>
<title>Physical Security 1</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Physical-Security-Part-One.109606</link>
<description>
<![CDATA[								<p>In today's offering I will be presenting an outline of cost-effective physical security measures that can be easily implemented yet are so often taken for granted, implied or simply overlooked. But before we fly straight into it let us first have a look at just what it is that we mean by physical security in respect to computers, networks and IT in general and some of its implications and ramifications.</p>
 
<h3>Physical Security</h3>
 
<p>From the IT, computer and networking perspectives physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guard both patrolling and stationary at predefined established sentry posts such as points of entry.</p>
 
<h3>Familiarity</h3>
 
<p>We are all too familiar and accustomed to these aspects of security and the multitude of other more recent and sophisticated measures such as metal detectors, x-ray scanners, electronic sensors and magnetic security features that are commonly used in retail stores.</p>
 
<p>Even sniffer dogs, with their highly educated noses poised should the faintest whiff of explosives be carried their way on the prevailing winds, as you finally proceed, albeit delayed as a direct result of these security measures, in an ecstatic and gleefully euphoric state through the airport boarding processes and onto the jet that will whisk you away to some sunny tropical paradise.</p>
 
<h3>Information Technology Related Security</h3>
 
<p>Those of us involved in IT and IT-related security are also well aware of the extent to which a perceived “need” for greater security has invaded our daily working lives, and yet, as we hear only all too often on the news, it is not enough.</p>
 
<p>Some security related scandal or other seems to be occurring every other hour and yet if we are to believe many analysts this is but the froth on the tidal wave of incidents that actually occur. Business is only too well aware of the negative effects a security breach and any subsequent media publicity that ensues can bring.</p>
 
<h3>So Where Do We Begin?</h3>
 
<p>The answer to this is surprisingly simple, and maybe so obvious that it is often overlooked: the physical security of our systems and of the data contained within them or stored as a result of their activities (sales, backups, records etc.).</p>
 
<p>I will begin by discussing locks, keys and locking device authentication systems from both the human physical access perspective and the device(s) perspective.</p>
 
<h3>Locks</h3>
 
<p>Lock and key is one of the oldest security systems known to human-kind. The ancient Egyptians, Greeks, Romans, Chinese and many more civilizations have used various forms of the lock and key system to secure physical assets. One of the more notable and legendary of this class of security devices is the chastity belt which we will not be discussing any further; rather we will explore how the lock and key system is used today to secure IT assets.</p>
 
<p>The first set of lock and key systems pertains to access-ways such as doors by which humans gain access to restricted areas.</p>
 
<ul>
<li>
<h3>Lock-Up </h3>
Physically secure your Server Room(s) including the Network Communication(s) &amp; the Administration Facility as well as the datacenter and on-site storage facilities.</li>
<li>
<h3>Quality</h3>
Ensure that all locks; not just those to your server room are of high quality and reliability.</li>
<li>
<h3>Security In-Depth</h3>
The principles of security-in-depth are of particular relevance here. Multiple layers of security are far harder to penetrate than those exhibiting a single-point-of-failure. This is why banks, armored security services (Chubb®, Wormalds®, Amourguard® and Brinks® etc.) use these strategies.</li>
<li>
<h3>Change Frequently</h3>
Design, implement and maintain a system whereby all locks are changed out frequently, but at irregular intervals. Pattern avoidance is one of the most crucial elements in maintaining the integrity of all locking systems. This includes the physical locks and their associated keys as well as the electronic varieties. For reasons of economy you may consider a rotation policy to be appropriate here.</li>
<li>
<h3>Key Code Access Locks</h3>
Many organisations have gone down the electronically keyed physical lock pathway. This type of mechanism teams a number of different technologies, all targeting the regulation and flow of physical access.</li>
<li>
<h3>Lock Unattended/Vacant Facilities</h3>
Always lock currently unoccupied offices. This is in fact considered by most organisations to be the responsibility of the regular occupant of that office. The usual occupant may be on vacation and so the network administration and security teams should know this and take the appropriate actions.</li>
</ul>
<p>Keys to all locks in this situation should reside with the organisation's designated general key holder and not go on holiday with the worker. You never know; it may become necessary to enter the office while its regular occupant is away.</p>
 
<p>Such entry should be made by the designated general key holder together with no fewer than one other individual, preferably from a different department (security would be ideal). In this case each will be the other's witness concerning their actions inside this office.</p>
 
<h3>Workstation Power-Down</h3>
<p>If an employee is known to be away for a given period of time it is wise to power down their workstations. We live in an ever-greening world, so do your part and save money to boot. Unattended workstations always pose a very real threat to the overall security of an organisation.</p>
 
<h3>Lock Cases</h3>
 
<p>We now move on to lock and key from the PC perspective. All of the above conditions relating to lock and key in general are also applicable here.</p>
 
<ul>
<li>
<h3>Case Locks</h3>
Case locks help to prevent unauthorised access to internal components.</li>
<li>
<h3>Lock-Down Kits</h3>
There are many specialty and general-purpose computer lock-down kits available on the market today.</li>
<li>
<h3>Lock-Down Anchors</h3>
When it comes to mobile devices that are on display, some means of physical restraint to a permanent fixture is a good way to go, as this permits you to use and demonstrate the device and its capabilities with a greater degree of freedom.</li>
</ul>
<p>By using anchors that are longer than the bare minimum necessary to fix the device firmly, you have the freedom, albeit limited, to adjust the device as you see fit. This is usually done for reasons of comfort.</p>
 
<h3>Locking Device Authentication Systems</h3>
 
<ul>
<li><strong>Authentication Systems</strong> - can be built into the locking devices, so that a smart card, token, or biometric scan is required to unlock the doors, and a record is made of the identity of each person who enters.</li>
<li><strong>Automated Security</strong> - We are now beginning to transition to more automated types of security system.</li>
<li><strong>Multiple Points</strong> - of authentication can be implemented here. We may use physical electronic identification systems such as smart cards in conjunction with biometrics and standard authentication such as complex passphrases for entry, rather than passwords or pass sequences.</li>
</ul>
<h3>Physical Lock and Key Policies</h3>
 
<p>Developing policies that define how it should be done, where it should be done, when it should be done, by whom it should be done and why it should be done, as well as policies that detail why it shouldn't be done, are all very important elements in any comprehensive security regime, and physical security policies are no different.</p>
 
<p>Here are some of the policies that should be developed, implemented and maintained with regard to locks. Note that, in the real small-business world, all of these sub-categories will generally be wrapped into a single expansive policy detailing all of these sub-policies and much more.</p>
 
<ul>
<li>
<h3>Locks Policy</h3>
Develop a policy that ensures that all rooms are securely locked down whenever the facility or the room is unattended.</li>
<li>
<h3>Key Holder(s)</h3>
Include in your policy provisions for a “key holder”. This is essential because, in the event of some calamity such as fire, outside access to open doors locked from the inside in order to facilitate the rescue of personnel who may be trapped is a statutory requirement almost everywhere in the Western world.</li>
<li>
<h3>Secondary Key Holder(s)</h3>
Provide for a secondary key holder in case the primary key holder is unavailable.</li>
<li>
<h3>Rotate Responsibility</h3>
Rotate key holder responsibilities.</li>
<li>
<h3>Key Code Access Policies</h3>
Define and implement additional Key and Key Code Access and Key Code Holder(s) policies as required.</li>
</ul>]]></description>
<pubDate>Tue, 15 Apr 2008 03:48:37 PST</pubDate></item>
</channel>
</rss>
