How Compliant is your backup?

What to do when your CDO or Compliance Officer asks about your data backup operation

Over the last decade, organisations have really struggled to deal with the multitude of contradictory requirements for data compliance. How do you ensure that data is retained long enough but not too long when dealing with sector, geographic and internal requirements?

Deciding which regulation trumps another is a complex process. In fact, it’s best left to compliance and risk officers.

There are two key principles of compliance:

  1. The IT department should be the facilitator of compliance, not the decision maker
    • Let Risk/Compliance decide what needs to be kept, in what condition and for how long
    • IT provisions a solution that meets those requirements
  2. ALL compliance policies should be auditable
    • The retention policy should be documented
    • Changes to the policy should be reviewed and approved before they take effect
    • The audit trail of those changes is the evidence of compliance

Backup is not Archive

When dealing with long-term retention, many organisations choose backup rather than content archival because of its lower cost. But, too often, we forget that changes made inside the backup solution are rarely audited, and those changes can break compliance.

Typically, backup administrators have the power to change data retention and even delete existing backups. In practice this is not as safe as we would like to think: a single typo in an expiry or delete command can accidentally destroy the wrong data, and no second person need be involved.

Users of IBM Spectrum Protect can place a “legal hold” on retention sets so that data does not expire while it may be needed for a subpoena or investigation.

IBM Spectrum Protect not only keeps an audit trail of changes, it also has the concept of command approval. When this is configured, a disruptive change (such as a command that deletes data) does not run until a second administrator, designated as an approver, has authorised it.

This is a good place to start, but it is not a complete control: if two administrators are in cahoots, the approval step alone cannot prevent malicious intent, and nobody outside IT will necessarily see that a destructive command was approved.

So, what can you do about it?

Predatar’s platform gathers metadata from Spectrum Protect and stores it offsite for analysis. It can be configured not only to audit the activities, but also to raise alerts based on customised thresholds.

The Predatar platform can be made visible to key stakeholders and risk officers. This means that alerts relating to data destruction can be reviewed by non-IT personnel, and appropriate action taken if compliance has been breached. Predatar’s audit trail helps compliance and risk officers demonstrate sustained control over data, both that the controls exist and that they are being applied.

3 Quick Steps to Success

We recommend that Spectrum Protect users with compliance requirements take the following steps:

  1. Upgrade the server to version 8.1.9 or higher (command approval was introduced in 8.1.9)
  2. Create at least 2 administrators with “cmdapprover=yes” set; the server will not let you enable command approval until at least two approvers exist
  3. Set commandapproval to on, then verify the setting and test it with a harmless request before relying on it
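The three steps above, followed through to the point where a destructive command is actually held for approval. This is an added example, not text from the Predatar page or from the IBM documentation; the administrator names, password placeholders, request ID and the summarised server responses are assumptions, and the exact parameter syntax and the list of commands that require approval should be checked against the IBM Spectrum Protect 8.1.9 (or later) command reference before use. The commands are entered at the Spectrum Protect administrative client (dsmadmc).

```text
# Added example; placeholders: approver1, approver2, <password>, fileserver01, <request_id>

# Step 2: two administrators designated as command approvers.
# (The server refuses SET COMMANDAPPROVAL ON until at least two exist;
#  approvers need system privilege, which REGISTER ADMIN does not grant by itself.)
register admin approver1 <password> cmdapprover=yes
grant authority approver1 classes=system
register admin approver2 <password> cmdapprover=yes
grant authority approver2 classes=system

# Alternatively, flag an existing administrator as an approver:
update admin existing_admin cmdapprover=yes

# Step 3: turn command approval on, then verify it actually took effect.
set commandapproval on
query status                               # check the command approval setting in the output
query admin approver1 format=detailed      # check the approver flag on each approver

# What changes afterwards: a data-destroying command issued by any admin is
# queued rather than executed (DELETE FILESPACE is used here as the example;
# the full list of approval-required commands is in the IBM documentation).
delete filespace fileserver01 *
# server response (summarised): command is pending approval; a request ID is shown

# A different approver reviews the queue and decides. The second person, not the
# issuer, is the control the page describes; that decision is what the audit
# trail should record.
query pendingcmd
approve pendingcmd <request_id>            # or: reject pendingcmd <request_id>
```

The value of the last two commands is that the approve or reject decision, and who made it, lands in the server’s activity log; that is the event a compliance officer needs to see, and the one an external monitoring platform should be alerting on.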

Predatar gives you the tools and control you need to keep your backup compliant.