Data backup IT baseline protection: How to do it right.

Data backup is an important part of basic IT protection.

In its IT baseline protection catalogs, the German Federal Office for Information Security (BSI) has developed general guidelines to support companies in setting up a secure IT environment. The focus here is on generalized dangers that can be identified by laypersons using the guidelines and, if necessary, remedied with the help of experts. This should also enable companies with no specialist knowledge to develop adequate basic IT protection with comparatively little effort. Naturally, this basic protection does not cover all eventualities and is not sufficient for companies with extremely high security requirements.

Data backup is vital for companies

Those responsible in companies are often completely unaware of what security requirements exist. In addition to other areas, this applies above all to the topic of data backup, which is mandatory for commercial IT systems (also for fiscal reasons). In order to better assess the risks of possible data loss, the BSI recommends that all companies clarify a few basic questions.

Is there a backup strategy?

Given the complexity of today's IT systems, it is no longer sufficient to simply back up certain data to any data carriers. Rather, it must be ensured that a regular and, above all, comprehensive data backup is carried out in order to guarantee the recovery of all important components in an emergency. To this end, it is advisable to develop a backup strategy that defines which data is to be backed up and at what intervals. The storage location also plays a role here; for example, the physical backup can also be outsourced to appropriately certified cloud systems.

Has it been determined which data is backed up and for how long?

Not all data is equally important. Just as in a normal paper office, some data can be disposed of after a certain period of time, while other data must or should be kept for a longer period of time as evidence. As this can lead to extremely large collections of data for some companies, it should be defined when data can be deleted (if at all). Particular attention should also be paid to personal customer data, the deletion of which may be subject to data protection regulations.

Does the backup also include portable computers and non-networked systems?

Few companies today are still focused purely on desktop systems. Employees in the field or in certain areas of the company (e.g. warehouse) often access mobile devices and portable computers, which do not always have to be networked. These devices must not be forgotten when backing up data. Regular synchronization is strongly recommended so that no important processes are lost.

Are the backup tapes checked regularly?

In many companies, backups are still carried out on backup tapes. Regardless of the storage medium (tapes, hard disks, optical data carriers, etc.), regular checks should be carried out to ensure that the media are still working properly. After all, the best backup is useless if the data carriers can no longer be read. A redundant design can also be helpful here, i.e. making additional copies on other media or suitable cloud storage.

Are the backup and restore procedures documented?

All backup and restore procedures should be adequately documented so that backups can be traced at any time. This not only improves the organizational structure of the backup strategy, but also serves as proof of the coherent implementation of data backup measures. This can be advantageous in the event of insurance claims or unclear questions from financial and other supervisory authorities. Last but not least, good documentation also makes it easier to rectify any technical problems.