If you are not auditing your backups on a regular basis you may not realize how much your backup data has grown or where vulnerabilities may be. Most backup operators monitor that their jobs run smoothly and successfully, but often do not have time to do an in-depth review of their entire backup environment. An audit forces a big picture review of the environment from a backup perspective.
Some of the benefits that could come from an audit
Many of the items and actions you would gather for a backup audit may already be required by auditing or regulatory organizations or could be used for department documentation or planning. Benefits of doing a backup audit include:
- A document that can be passed directly to business auditors.
- Justification for upgrades to backup applications, infrastructure, bandwidth or storage.
- Justification for a redesign of the backup solution (i.e. change to cloud based, adding Disk to Disk replication or de-duplication).
In addition, a backup audit is one of the items that would likely be a basis for a DR plan.
Some of the issues that could be caught by an audit
An overview of the backup environment can often catch issues that may not be noticed by monitoring backup logs and receiving email alerts from the backup software, and can help you answer the following questions:
- Are there any resources that were added without adjusting backups to accommodate them?
- Are there any resources that are backed up more than once, wasting time and/or storage?
- Are the backups handled in a rotation that would ensure being able to return to business if the main site was lost?
Also, you may find data that is being backed up frequently that does not change often and vice-versa.
Considerations that should be included in your audit data collection
The entire backup environment should be reviewed, from the data sources to the off-site location and media retention and rotation, and should include:
- A list of resources, backed up with retention period and frequency of each
- A list of resources that are not backed up
- Information about the offsite rotation plan
- When was the last restore run? Successfully? If not recent, that should be tested as part of it.
An audit should be primarily done by someone who is not involved in the day-to-day backups. A different individual (with input from the primary operator) provides a check. And don’t forget to encrypt your backups that will go offsite!
Backups are usually an organization’s go-to last resort in case of disaster. Are yours up to the task?
Need more information or want to schedule a backup assessment? Email firstname.lastname@example.org. We are happy to help.