Iron Mountain's CIO on Data Protection


By Kevin Roden
Executive Vice President and Chief Information Officer
Iron Mountain

According to a number of recent surveys, data protection is a top priority in 2006. As the CIO of a company that's trusted for protecting and storing the world's data, I suggest 10 data protection resolutions for 2006. Many CIOs have already adopted several, if not all, of the first 5 resolutions. I encourage you to review all of these steps and - if any of them is missing from your checklist - make it a top priority.

1. Define the Recovery Time Objective (RTO) for all of your applications. The RTO for an application is simply the objective for how quickly you need to have that application's information restored and available after downtime has occurred. For example, for your e-mail system, is it 4 hours, 8 hours or the next business day?

2. Define the Recovery Point Objective (RPO) for each application. The RPO for an application is the objective for how much data you can afford to lose since the last backup. Is it 2 minutes' worth, 20 minutes or 2 hours? You then need to estimate the costs to achieve your RTO and RPO for each application.

3. Classify your data based on its mission criticality. Your business's data should be categorized into groupings of critical, vital, sensitive and non-critical. The critical grouping would include data that is used in key business processes or must be retained for compliance or legal reasons. Vital data includes information that would cripple the company if lost. Sensitive data is simply data that can be rebuilt easily and is not a unique source of information. Non-critical is just that - data with low security requirements. Determine criticality by meeting with company executives and deciding clearly what the priorities are for the business. Then pick the appropriate backup strategy to meet that criticality. Also be sure to assess where all the data is - both centralized data and distributed data residing on remote servers, laptops and PCs. Ensure the strategy addresses all the information.

4. Develop a detailed plan on how to restore your applications depending on the crisis that drives the need for recovery. Think about how to best respond to different kinds of scenarios from simple scenarios to the most complex. Of course you have to test your backup and recovery plans to make sure they actually work. Refine your plans based on your tests. Expect to do multiple tests before you get it right and remember this is a continuous process. Strive to constantly learn what works best - and then amend your plans accordingly.

5. Make sure you have adequate resources assigned to data protection at all levels of your organization. If you don't have the right resources and processes in place, then data at the edge of your network is probably at risk.

If you are an Iron Mountain customer, you probably have already done the steps above. So where do you go from here? What should you focus on in 2006? Here are 5 resolutions we recommend.

6. Take an inventory of all your backup data - both onsite and offsite. Do you have everything you expected to have? Do you have more backed up data than you should? Is all of the data in the right location? Do you have tapes that should be onsite that are offsite or vice versa? Taking a full inventory can be invaluable. You wouldn't want to discover inventory mishaps during a disruption.

7. Differentiate between backup data and archived data retention rules - and make sure they don't conflict with each other. For example, if your email retention policy is to delete all unclassified email after 90 days, but your hold policy for e-mail backup tapes is six months, then you could have a major e-discovery problem. Backup solutions cannot provide easy retrieval or an audit trail. The use of backed-up electronic records as official legal documents for compliance and litigation will lead to considerable time and money spent to restore backup tapes and search for legally relevant material. True digital archiving solutions today offer secure, compliant and cost-effective long-term archiving of electronic records. These records are stored in an indexed, searchable format so the organization can access them whenever it needs to.

8. Put the processes in place to encrypt all data that you determine needs an extra degree of protection. For example, given the risks of theft or loss of confidential data stored on transportable data sources such as backup tapes, Iron Mountain highly recommends that you encrypt transportable data such as backup tapes or optical platters.

9. Investigate new technologies to determine whether they may better address your data protection needs in certain areas. For example, electronic vaulting may be a better solution for your critical applications that demand short RTOs. And advances in tape virtualization technologies are now making the concept of online remote data replication much more affordable than it was in the past.

10. Expand your disaster recovery planning to encompass business continuity. IT executives tend to focus on just disaster recovery. But disaster recovery planning that relies on another department for how the business processes recover may put your operations at risk. For example, if you had to execute your disaster recovery plan for your call center, you could have all the systems up and running in an alternative location and then discover that the alternative location is not outfitted for employees to go back to work. It makes sense for IT executives to take the lead. Always ensure enough desks and chairs

You may already have all of these resolutions covered, but if you don't, I recommend that you address them this year to reduce your company's data protection risks.



Kevin B. Roden joined Iron Mountain as executive vice president and chief information officer in 1999. Previously, Roden was CIO with Fleet Boston Financial, for the banking subsidiary. He has held numerous technology and management positions in a 20-year career at BankBoston, including executive director of U.S. technology.



