Use these nine questions to understand your cyber security needs better:
- Is the data important or sensitive?
- What do you need to recover?
- How often does the data change?
- Are shadow copies available?
- How quickly is recovery required?
- Do you have the equipment?
- Who is responsible?
- What’s the best time to schedule it?
- Is off-site storage required?
Is the data important or sensitive?
The Security of Data standard specifies that all personal information is sensitive. This is critical data. Critical data is always also sensitive data.
You need redundancy. This should not be a question! Redundancy is very important for critical data.
Physical security is specified for sensitive data — and encryption is a best practice. The Security of Data trustmark will be issued in the absence of encryption. Encryption is a superior claim noted on the trustmark.
What do you need to recover?
An LPHQ community that conducts a lot of programming may want to recover lesson plans and similar data. Member service officers will need to help organisations assess whether this is wanted or needed.
How often does the data change?
Some data is going to change daily. Whether it needs daily backup depends on its criticality. Does the data impact on the lives of members, clients, or other people who rely on the community-based organisations LPHQ serves? If so, it needs a daily backup routine.
Are shadow copies available?
Datasec assumes that small office computing environments use Microsoft Server or Microsoft Windows, which include technology to take “snapshots” of data volumes. Microsoft calls this a “point-in-time” copy. A snapshot facilitates backup and may be used as the backup, but backup can occur absent a snapshot. The user without a point-in-time copy will need to cope with standard backup issues such as constantly changing data, which essentially makes the backup redundant.
How quickly is recovery required?
Criticality requires that recovery occur within a reasonable time of failure. Anything more than eight hours is probably not reasonable. The sidebar provides an ideal scenario. How close an organisation comes to the ideal depends on the amount of data it needs restored and the media used to store the data.
Do you have the equipment?
Yes, you do. A 1 TB external hard drive is the minimum required by the datasec specification. LPHQ communities are free to use additional equipment. They may not use flash drives as a primary means of backup.
Who is responsible?
The Security of Data standard requires every organisation to appoint a charge officer. It is not ideal for the charge officer to actually perform the backup.
What’s the best time to schedule it?
It’s not always practical to schedule backups during off-peak hours. LPHQ communities need to assess how they allocate computing resources during the workday and decide what the best backup schedule may be. Generally, critical backups will occur daily during the workday, and less critical backups will occur daily or routinely during the week after normal business hours.
Is off-site storage required?
Yes. The Security of Data trustmark will not be issued in the absence of a trusted storage facility, which should also store licensed copies of the software the LPHQ community relies on to establish operations.
We’re researching questions all the time. Check back frequently to see if your questions are answered.