Few things are more devastating to an organization, and those supporting it, than discovering—too late—that their critical data cannot be restored. In a recent incident, where a file server RAID array corrupted and no usable backups were available, highlights a painful truth: backups aren’t optional, they’re mission-critical.
Why Backups Matter
A RAID array, cloud system, or high-availability cluster may provide redundancy, but these are not backups. True backups are separate, restorable copies of data that protect against hardware failures, ransomware attacks, insider threats, and human error. The cost of backups is not only measured in licensing fees and hardware investments, but also in the ongoing expenses of secure data storage.
Factors such as the volume of data, retention requirements, redundancy, and compliance obligations all drive storage costs upward, but the investment is minimal compared to the potential financial loss, downtime, and reputational damage caused by data unavailibility or corruption.
Defining a Backup Program
The key components to a strong backup program should include:
- Frequency – How often are backups taken (hourly, daily, weekly, monthly)?
- Retention – How long are backups kept?
- Storage Locations – Are backups stored offsite, in the cloud, or across regions?
- Testing – How often are the backups tested for successful restoration?
Information System Owner Responsibility
The Information System Owner (ISO) must formally accept the backup strategy and acknowledge any risks. This acceptance is not only a technical or procedural responsibility but also a financial one. For example, if licensing or budget limitations prevent full backup coverage, the ISO must understand and approve the financial tradeoffs being made. Any uncovered systems or data must be explicitly documented, with associated risks—including potential cost of data loss, downtime, and recovery—accepted at the management level. By doing so, the ISO assumes accountability for both the operational and financial consequences of those decisions, ensuring that risks are transparent and not discovered only after a disaster.
Compliance and Control Alignment
Backups are not just best practice—they’re embedded in security frameworks:
- NIST 800-53 (Rev. 5)
- CP-9 (System Backup): Requires organizations to conduct and protect backups of user-level and system-level information.
- CP-10 (System Recovery and Restoration): Requires validation that backups can be successfully restored.
- ISO/IEC 27001
- A.12.3 (Backup): Requires regular backups, secure storage, and periodic testing.
- A.17 (Information Security Aspects of Business Continuity): Requires organizations to ensure continuity of security measures during disruptions.
Practice Backup Checklist
Here are five questions every System Administrator should ask about their backup program:
- When was the last time we tested a full restoration from backup?
- Are our backups stored in a least one physically separate location?
- Do we have clear retention and deletion policies that match compliance requirements?
- How often is our backup strategy reviewed and updated to reflect new risks, systems, or evolving business needs?
- Has the Information System Owner recently re-acknowledged the current backup program and any lingering risks?
Remember: Backups are not “set it and forget it.” They require ongoing review, testing, and executive acceptance.
[…] The Importance of Backups: Protecting Your Data Before It’s Too Late […]