Far too many organisations are guilty of overlooking critical measures needed to safeguard IT and core corporate information. This is particularly true during busy or growth periods, when implementation of the required measures is put off until 'things calm down', and equally during tough times, when downsizing, cost cutting and other measures result in the loss of good practice.
Guy Kimble, IT and operations director at Metrofile
Questions you need to ask yourself:
* Do you have a backup plan?
* Is it clear whose responsibility it is?
* Are you sure that you know what needs to be backed up?
* Where is your backup stored? Is that storage secure and environmentally controlled?
* Do you have a disaster recovery plan?
If you answered no to any of the above, then your organisation is vulnerable and could be faced with significant loss of data and potentially financial ruin. Whilst IT equipment is generally more reliable, there is always the danger of drive failure and, perhaps more likely, attack from viruses, hackers and data thieves and, more recently, power outages. Backing up is not an option; it is an essential business practice.
The first step in protecting your data is the development of a recovery plan, a document that should form a key part of both the organisation's business and risk management strategies. It is important that the plan is not just something developed and implemented by IT, but rather that there is buy-in and adherence across the organisation as a whole. Please bear in mind when developing the plan that this is not about building a power base or creating a gatekeeper situation, but rather about developing a plan that is very much part of and supportive of core business activity - that means you need to involve your users in developing the plan.
So what should the plan include?
* The strategy
- What is your information protection and recovery strategy?
- What tools are you going to use?
- The objective.
- What do you hope to achieve by implementing the plan?
- How is the plan going to contribute to core business operations?
* What information needs to be protected and backed up?
- MS Office documents.
- Financial systems.
- Customer databases or related information.
- Websites and intranets.
* Where does the information reside?
- Desktop computers.
- File or data servers.
- Flash disks (memory sticks).
* Who has and should have access to and control of how information is kept?
- Shared folders.
- Mapped drives.
- Organisationally defined structure, or unstructured storage.
* Action plans
- What actions will you take to protect the information?
- What backups will be made, how frequently, what rotation period is sensible?
- Where will backups be stored - internally or outsourced?
- What communication is needed to make staff aware?
- Perhaps most importantly, who is responsible for what, and by when?
* A disaster recovery plan
- What actions need to be taken in the event of a disaster?
- How will you restore the organisation to normal trading?
- What controls are needed to ensure compliance?
- How will you know the strategy is successful?
- Contingency plan: what are the alternatives should it not be possible to implement the plan?
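Two of the action-plan questions above, what rotation period is sensible and whether you can be sure the stored copy is actually restorable, have concrete answers that a checklist cannot show on its own. The following is an added illustration, not code from the article or from Metrofile: it applies a grandfather-father-son retention policy to a constructed run of nightly snapshots and then checks a backup store against a checksum manifest. The retention counts (7 daily, 4 weekly, 12 monthly) and every date, file name and file content are assumptions constructed for the example.

```python
"""Added example (not from the original article): grandfather-father-son
(GFS) backup retention over a constructed set of nightly snapshots, plus an
integrity check of stored backup files against their recorded SHA-256
digests. All dates, names, contents and retention counts are constructed
assumptions for the illustration."""
from datetime import date, timedelta
import hashlib

# Assumed policy: keep the newest 7 daily, 4 weekly (Sunday) and 12 monthly
# (first of month) snapshots. A snapshot not covered by any tier is rotated out.
POLICY = {"daily": 7, "weekly": 4, "monthly": 12}


def classify(d):
    """Return every retention tier a snapshot taken on date d qualifies for."""
    tiers = ["daily"]
    if d.weekday() == 6:          # Sunday -> weekly candidate
        tiers.append("weekly")
    if d.day == 1:                # first of month -> monthly candidate
        tiers.append("monthly")
    return tiers


def select_to_keep(snapshot_dates, policy=POLICY):
    """Apply GFS retention: for each tier keep the newest N qualifying
    snapshots. A snapshot survives if any tier keeps it. Returns the sorted
    list of dates to retain; everything else may be rotated out."""
    keep = set()
    ordered = sorted(set(snapshot_dates), reverse=True)   # newest first
    for tier, count in policy.items():
        kept = 0
        for d in ordered:
            if kept >= count:
                break
            if tier in classify(d):
                keep.add(d)
                kept += 1
    return sorted(keep)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest, blobs):
    """manifest: {name: expected sha256 hex}; blobs: {name: bytes actually
    held in backup storage}. Returns (ok_names, bad_names); a missing or
    altered file counts as bad. This is the 'are you sure the backup is
    restorable' check, run before a disaster rather than during one."""
    ok, bad = [], []
    for name, expected in manifest.items():
        data = blobs.get(name)
        if data is None or sha256_bytes(data) != expected:
            bad.append(name)
        else:
            ok.append(name)
    return ok, bad


# ---- constructed sample data -------------------------------------------
# 120 consecutive nightly snapshots ending on a constructed date (a Sunday).
LAST = date(2024, 3, 31)
SNAPSHOTS = [LAST - timedelta(days=i) for i in range(120)]

# Manifest recorded when the backup was taken (constructed contents).
MANIFEST = {
    "finance.db": sha256_bytes(b"ledger rows 2024-03-31"),
    "customers.csv": sha256_bytes(b"id,name\n1,ACME\n"),
    "intranet.tar": sha256_bytes(b"<tar payload>"),
}
# What the offsite store actually holds: one file silently altered, one missing.
STORE = {
    "finance.db": b"ledger rows 2024-03-31",
    "customers.csv": b"id,name\n1,ACME\n2,Globex\n",   # altered since backup
    # "intranet.tar" is absent
}

if __name__ == "__main__":
    keep = select_to_keep(SNAPSHOTS)
    print(f"{len(SNAPSHOTS)} snapshots, retaining {len(keep)}:")
    for d in keep:
        print(" ", d, "/".join(classify(d)))
    ok, bad = verify_manifest(MANIFEST, STORE)
    print("verified:", ok)
    print("FAILED (restore would not be trustworthy):", bad)
```

On the constructed data the 120 nightly copies collapse to 13 retained snapshots (the last week, the last four Sundays and the first of each month in range), which is the rotation question answered in numbers rather than words. The manifest check flags both the altered and the missing file; a backup that has never been verified against such a record is one whose restorability is assumed rather than known.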
This list is by no means exhaustive, but it is designed to illustrate the need for a formal recovery plan, one that fully takes into account the needs of the organisation and the potential risks. Do not think 'this will not happen to me'; do not think that your office is a safe environment, free from the risk of theft, hacking or natural disaster - these are issues every business faces daily. The time to take action is now!