Server Backup Guidance

Question: 
I need guidance on server backups, retention times, etc.
Answer: 

I believe this is an area left to the institution's discretion to some degree. I do not know of any specific requirements for timeframes. (For example, in OCC 2001-35, OCC simply directs examiners to "Assess processes and procedures to prevent destruction of electronic files and other storage media. Consider: Frequency of file backup; Access to backup files and storage media (disks, tapes, etc.)" Also, examiners are to "Review the annual validation of the contingency plan, including backup/alternate site test findings. Determine whether the board and senior management were apprised of the scope and results of the backup test.")

You want to consider what is appropriate for your system. There are lots of ways of setting up a backup system policy. Ideally, you should do a full backup every day. In institutions with particularly high volume, more often may be necessary.

If full daily backups are not practical, you want to have a daily incremental backup, which is a backup of all the changes to files that were made on the server during the day. An incremental backup is faster than a full backup, but is only useful to supplement a full backup. An incremental backup can be used between full backups as a means to shorten the time it takes to do full backups.

Having full daily backups is preferable because they make the process of restoring a server quicker. When incremental backups are used and restoration of the server is needed, you first install the most recent full backup, then separately reinstall each incremental backup that has been made since the last full backup. Therefore, you could end up needing to restore a full backup followed by 4 or more incremental backups, depending on how many have been done since the last full backup.

One example in policy form of what I consider to be the absolute minimum a backup policy should require may help to clarify this matter.

"All servers shall have a backup made of all files at least once a week. Every day the institution is open an incremental backup shall be made at the end of the day. All incremental backups shall be retained until the next full backup is made. All full backups shall be retained until there is a subsequent backup made."

Notes:

  1. Ideally, the incremental backup should be made every day there are any changes made to any files on the server. If this were not practical, the above would represent the minimum requirements I would want to see.
  2. Having an extensive backup library is really not a significant expense at all. You are only looking at the cost of your backup media. Therefore, without adding much expense and in order to greatly increase the restoration possibilities to turn back the server into its historical condition on any given day, it would be much better if the policy would call for retention of all incremental backups for three weeks, and longer is better. It would also be much better to retain all full backups for a minimum of four weeks, and 60 or 90 days would be even better.

The backup policy should also call for the reuse of all backup media for a set number of times (something less than what the media is really expected to last), and after that the media must be wiped clean or destroyed before being disposed of. You don't want a dumpster diver to find a copy of an old backup of your server.

First published on BankersOnline.com 3/4/02
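
The restore procedure and the two retention choices described in the answer can be checked against a backup catalog before a restore is ever needed. The following is an added example, not part of the original answer; it assumes a weekly full backup on Friday, incrementals Monday to Thursday, and one backup per day, and the function names and catalog dates are constructed for illustration.

```python
from datetime import date, timedelta

def restore_chain(catalog, target):
    """Backups to restore, in order, to rebuild the server as of `target`.

    catalog: list of (date, kind), kind "full" or "incr", one backup per day.
    Raises LookupError when no full exists on or before `target`, or when a
    business day after that full has no incremental (that day's changes are gone).
    """
    by_day = dict(catalog)
    fulls = [d for d, k in catalog if k == "full" and d <= target]
    if not fulls:
        raise LookupError(f"no full backup on or before {target}")
    base = max(fulls)
    chain = [(base, "full")]
    day = base + timedelta(days=1)
    while day <= target:
        if day.weekday() < 5:  # assumption: Monday-Friday are business days
            if by_day.get(day) != "incr":
                raise LookupError(f"chain broken: no incremental for {day}")
            chain.append((day, "incr"))
        day += timedelta(days=1)
    return chain

def retained(catalog, today, incr_days, full_days):
    """Backups still on hand when each type is kept for the given number of days."""
    limit = {"incr": incr_days, "full": full_days}
    return [(d, k) for d, k in catalog if (today - d).days <= limit[k]]

def sample_catalog(first_friday, weeks):
    """Constructed data: a full every Friday, incrementals Monday to Thursday."""
    out = []
    for w in range(weeks):
        full = first_friday + timedelta(weeks=w)
        out.append((full, "full"))
        out += [(full + timedelta(days=n), "incr") for n in (3, 4, 5, 6)]
    return out

if __name__ == "__main__":
    catalog = sample_catalog(date(2002, 1, 4), 8)  # constructed, 8 weeks
    today = date(2002, 3, 1)
    policies = {"minimum (latest full only)": (6, 7), "3 weeks / 4 weeks": (21, 28)}
    for name, (incr_days, full_days) in policies.items():
        kept = retained(catalog, today, incr_days, full_days)
        try:
            chain = restore_chain(kept, date(2002, 2, 14))
            print(name, "->", [f"{d} {k}" for d, k in chain])
        except LookupError as err:
            print(name, "-> cannot restore:", err)
```

With the three-week and four-week retention, a full backup from the fourth week is still on hand, but a mid-week day in that week cannot be rebuilt because its incrementals have already aged out.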
