• Full/cumulative backup policy
For servers with low data volatility, reduce the full backup schedule (once per
month, for example) and execute cumulative (differential) nightly backups.
Server restoration requires applying the full backup and then the last cumulative
backup only.
• Operating system backup policy
Treat the application server as an appliance and implement operating system
functions such as <platform-specific software>.
Implement the backup and recovery of operating system executables and
configuration data outside the backup process.
Implement a policy of backing up data, not servers.
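The full/cumulative policy above rests on one property: a cumulative (differential) set contains everything that differs from the last full backup, so recovery never needs more than two sets. The following Python is an added example, not code from the book; the monthly/nightly schedule, file paths, and file contents are constructed. It plans which sets to apply for a given restore point, simulates the restore at file level to show the two-set chain reproduces the live state, and reports how stale the recovered data is.

```python
"""Restore-chain planning and a file-level simulation for the full + cumulative
(differential) policy described above. Added example, not from the book; the
schedule, paths, and file contents below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupSet:
    kind: str                                   # "full" or "differential"
    taken_at: datetime
    data: dict = field(default_factory=dict)    # path -> content captured by this set


def take_full(files, when):
    """Snapshot every file."""
    return BackupSet("full", when, dict(files))


def take_differential(files, base_full, when):
    """Cumulative set: every file that differs from the last full backup,
    not merely what changed since the previous night. (Deleted files are not
    tracked in this toy model.)"""
    changed = {p: c for p, c in files.items() if base_full.data.get(p) != c}
    return BackupSet("differential", when, changed)


def plan_restore(sets, restore_point):
    """Pick the sets to apply, in order, to recover data as of restore_point:
    the newest full backup taken at or before that time, then the newest
    differential taken after that full (if any). Never more than two sets."""
    usable = [s for s in sets if s.taken_at <= restore_point]
    fulls = [s for s in usable if s.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists at or before the restore point")
    base = max(fulls, key=lambda s: s.taken_at)
    diffs = [s for s in usable
             if s.kind == "differential" and s.taken_at > base.taken_at]
    return [base] if not diffs else [base, max(diffs, key=lambda s: s.taken_at)]


def restore(plan):
    """Apply the planned sets in order; later sets overwrite earlier ones."""
    state = {}
    for s in plan:
        state.update(s.data)
    return state


def data_age(plan, restore_point):
    """How stale the recovered data is: time from the last applied set to the restore point."""
    return restore_point - plan[-1].taken_at


def demo():
    """Constructed scenario: a full backup on day 0, then nightly differentials at 02:00."""
    files = {"/srv/app/data.db": "v1", "/srv/app/config.ini": "c1"}
    full = take_full(files, datetime(2024, 1, 1, 2))
    files["/srv/app/data.db"] = "v2"                       # change during day 1
    diff1 = take_differential(files, full, datetime(2024, 1, 2, 2))
    files["/srv/app/log.txt"] = "l1"                       # change during day 2
    diff2 = take_differential(files, full, datetime(2024, 1, 3, 2))

    restore_point = datetime(2024, 1, 3, 12)               # server lost at noon on day 3
    plan = plan_restore([full, diff1, diff2], restore_point)
    return plan, restore(plan), data_age(plan, restore_point), dict(files)


if __name__ == "__main__":
    plan, recovered, age, live = demo()
    print([(s.kind, s.taken_at.isoformat()) for s in plan])
    print("recovered matches live state:", recovered == live)
    print("recovered data is", age, "old")
```

The second differential already contains the day-1 change, which is why `plan_restore` skips the first one; with incremental (non-cumulative) sets the same planner would have to return the whole chain since the last full, and a single damaged set would break the restore. The `data_age` value is the figure to compare against the recovery expectations the business impact assessment produces.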
8.16.6
IA² Perspective
From an IA architectural perspective, focus on the end game, that is, what are the
potential scenarios and requirements for data recovery. Recovery needs may include
corrupt data, wrong data, hard drive or other system failure, system destruction,
site destruction, or site/system inaccessibility. All these cases require the restoration
of the latest data available. The business impact assessment determines recovery
time objectives (RTOs), which may be seconds, minutes, hours, or days. The business
continuity plan and disaster recovery plan specify high-availability requirements
through to resumption, recovery, and restoration. All of these factors drive the
services and mechanisms for backup and recovery.
Information assurance architecture (IA²) addresses the need for secure backup
creation, transport, storage, access, and disposal, as well as secure recovery
procedures that maintain the confidentiality and integrity of the data.
8.16.7
Commentary
The IA architect's focus is on business drivers first, and on services and mechanisms
in support of those business drivers. Begin with an eye on the recovery end game to
determine the front-end backup services and mechanisms that will satisfy
organizational requirements for continuity and recovery.
8.17
Security Controls
There are many industry standards that provide insight into security controls.
Appendix D provides a security management program framework based on NIST
SP 800-53: Recommended Security Controls for Federal Information Systems. The
SMP framework provides an outline within which to define organization-specific
security controls. The SMP framework itself provides guidance for determin-