Business Impact Analysis

Off-Site Location

List the off-site location here, as well as a list of all authorized parties and their various capacities, such as retrieval of media and changing of permissions. The following procedure is used by the authorized personnel to contact the off-site data storage vendor and arrange for the media to be transported to the appropriate recovery location(s).

• Define 'off-site' for your organization. Off-site can mean several things to different organizations. Some are completely secure with the data being 6 miles away in another data center that sits on a completely separate power grid, while others consider off-site to be more than 50 miles away from the primary location. Still others will not consider media to be off-site unless it is in a completely secured location sufficiently distanced from railways, large cities, or power facilities. Once again, 'sufficiently distanced' should be defined here. An off-site vendor must restrict access to their facilities to only authorized personnel, yet make the data available anytime, day or night. The following is an example of a definition for an off-site location:

  An off-site location is any location sufficiently distanced from any railways, large cities, or power facilities that offers a secure building and storage area that is restricted to authorized personnel only, but will allow immediate access to data anytime day or night in the event of a disaster. The off-site vendor will provide a contact list of individuals to be contacted in the event we declare a disaster. This off-site facility must be, at minimum, 45 miles from the primary data location(s). There are four data locations: Redmond, Washington; Chicago, Illinois; Minneapolis, Minnesota; and Rochester, New York. The locations of the off-site vendor's data vaults should be non-descript, low-key buildings, as should the transportation vehicles, in order to maintain security of the data during transport and storage.

• A documented procedure must be in place that outlines the off-site rotation process. At a minimum, this must include a list of who is authorized to send data off-site, who is authorized to recall data, and who is authorized to make changes in access levels of the company employees.

• A process must be in place for reviewing who has access to off-site processes. This review must be done at a minimum annually, or whenever there is a change in responsibilities that warrants it.