System backup is performed on most systems regularly. Often, however, restore is tested for the first time when it is required because of a system corruption or hard-disk failure. Sound backup and restore procedures are critical for reconstructing systems after a disruptive event.
Typically, backup procedures come in the form of backup schedules, tape rotations, and an off-site storage process. Depending on the maximum tolerable downtime, system backup schedules could be as frequent as real time or as infrequent as monthly. If systems are backed up less frequently than required on critical systems, data will be lost in the event of a system failure.
When auditing backup procedures, the auditor first should verify that backup procedures are in alignment with organizational backup practices and then ensure that more critical systems are backed up more frequently. Backup schedules generally are 1 week in duration, with full backups normally occurring on weekends and incremental or differential backups at intervals during the week. Tape rotations generally are 6 to 10 weeks in duration. Therefore, the organization will have the opportunity to retrieve a 6- or 8-week-old version of a file that was corrupted more than a week prior. System backup procedures and logs can be obtained from data center staff. The auditor also should consider retrieving and reviewing a sample of backup system logs.
There is no reason to back up information unless restore is possible, but unfortunately, organizations rarely test backup media to ensure that system restore works properly. Backup media failure rates are high, especially with magnetic tapes. If it is not possible to restore from backup media, data will be lost.
When testing the restore function, the auditor should ask a system administrator to order backup media from off-site storage facilities and observe the restoration of data from the media to a test server. The auditor then should review the restore logs to verify that all files were restored.
Often, backup media cannot be retrieved from off-site storage facilities. This is due to backup media being marked improperly or placed in the wrong location. This situation can cause either undue delay in restoring systems or a complete loss of data.
When performing this audit step, the auditor should verify that backup media can be retrieved within the time frames set forth in the service-level agreement with the off-site storage vendor. Longer retrieval times would constitute a finding.