Covered entities must regularly back up critical systems and data, store backups securely offsite, and regularly test backup and restoration processes. They must also develop and document backup policies and procedures, including the scope of data to be backed up, the minimum frequency of backups, recovery time objectives and procedures for activating backup systems. The goal is to ensure operational continuity in the event of a cyberattack or other disruptive incident.
Many other regulations also mandate data protection. For example, HIPAA requires covered entities to have a contingency plan in case of emergency, which includes the ability to recover patients’ personal health information. PCI DSS requires organizations that take debit or credit cards to document a backup and disaster recovery plan and store data backups securely.
Why Backup Is Critical to Resilience
DORA offers a good example of the role of backups in regulatory compliance. The ability to recover critical data quickly helps organizations become more resilient and ensure business continuity. Backups also reduce the risk that lost data will hinder investigations and audits. Under DORA, backup is a governance issue, not an IT issue, requiring executive oversight.
Financial entities must also protect backup systems from cyberattacks and failures. They must use access controls, encryption and redundancy to ensure data integrity. Backups should be “air gapped” from the rest of the IT environment, or immutable storage should be used.
Risk assessment is another key element of DORA. Covered entities must test backups regularly to ensure that they can restore data in the event of ransomware, corruption or accidental deletion. Because third-party risk can cause operational disruption, financial entities must ensure that vendors throughout the supply chain have robust data protection. Notably, third-party vendors that work with financial entities must be DORA-compliant.
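The two preceding paragraphs call for backup integrity controls and for regular restore tests. The following script is an added example, not code from the original article, Technologent or the DORA text, showing one way to automate a restore test: it backs up a constructed sample directory, records a SHA-256 manifest that is kept apart from the archive, restores the archive into scratch space, and reports any file that is missing, altered or unexpected. All function names (`create_backup`, `restore_test`, `demo`) and the sample files are assumptions made for this example.

```python
"""Backup restore test with a separately held integrity manifest (added example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest to be stored away from the archive."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore the archive into scratch space and compare every file to the manifest."""
    report = {"ok": False, "missing": [], "corrupted": [], "unexpected": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe "data" extraction filter where the interpreter provides it.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = build_manifest(Path(scratch) / "data")
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["corrupted"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (
        report["missing"] or report["corrupted"] or report["unexpected"] or report["error"]
    )
    return report


def demo() -> tuple:
    """Constructed sample data: one clean backup, then one silently altered backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "records").mkdir(parents=True)
        (source / "records" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "config.ini").write_text("[app]\nretention_days=90\n")

        archive = root / "backup.tar.gz"
        manifest = create_backup(source, archive)
        clean = restore_test(archive, manifest)

        # Simulate a backup target altered after the manifest was recorded; the
        # original manifest, held separately, is what exposes the change.
        (source / "records" / "ledger.csv").write_text("id,amount\n1,100\n2,999\n")
        create_backup(source, archive)
        tampered = restore_test(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the piece that must live outside the backup target (on immutable or air-gapped storage): if an attacker or a storage fault can alter both the archive and its manifest together, the comparison proves nothing. Scheduling `restore_test` against a recent archive gives the documented, repeatable evidence of restorability that the paragraphs above describe.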
The Growing Backup Challenge
Regulatory compliance requires more than just installing a backup system. Organizations must develop a backup and disaster recovery strategy with documented policies and procedures. IT staff should have a framework for effectively managing backups according to the organization’s data retention policies. Organizations should also put effective security controls in place and regularly assess backup systems to identify vulnerabilities.
To develop an effective backup strategy, organizations must first identify all the critical data in their environment. This is increasingly difficult given that data may be stored on endpoint devices, in email and collaboration apps, and many other repositories.
Another challenge is that organizations often don’t know how much data they have. Data stores are growing by as much as 65 percent annually, but studies suggest that more than half of all global data is “dark” data of unknown value. One study estimates that as much as 85 percent of all data being processed and stored by organizations around the world is functionally useless.
Many organizations are also struggling with outdated backup systems. Legacy systems are often unable to handle growing data volumes, shrinking or nonexistent backup windows, and diverse data sources and platforms.
How Technologent Can Help
Technologent can help you modernize your backup systems and fine-tune your backup strategies to meet regulatory requirements and ensure performance and reliability. Technologent also has compliance and risk-management expertise, and a comprehensive framework to ensure the availability, accuracy, integrity and security of your information assets.
Regulations such as DORA, HIPAA and PCI DSS provide assurance that organizations are committed to protecting their critical data. However, the sheer quantity of data distributed across the IT environment makes compliance a challenge. Let the storage and data protection specialists at Technologent help you develop a framework for making it more manageable.