What does Cybersecurity AICPA SOC 2 ® say about Data Backup Maturity for Financial Services?

Published On: March 9, 2022 | Categories: Performance Management, Tips & Best Practices, Blog

This post was contributed by Josh Bruyning, Solutions Analyst at TrustMAPP

Maturity is not just a goal; it is a set of activities that continually improve business objectives in a meaningful way. You can measure each step to close the gaps in your effectiveness, graduating from absent functionality to fully integrated and optimized systems. Mature systems stand on solid foundations of policy, team building, stakeholder support, vendor relationships, and, yes, technology. In this article, I will not specify tools, nor will I claim a comprehensive roadmap. You will need to find solutions that apply to your organization according to its business objectives and risk tolerance. However, I hope that you will take away a sense of progression from one level of maturity to another and apply the applicable activities where you see fit. You might be surprised to find that you’ve skipped steps, and although your data system appears mature, you might have gaps that could lead to problems later. Let us discuss data backup requirements, implementation, offsite storage, the constituent parts of the SOC 2 ® Additional Criteria for Availability, and how small, medium, and large businesses can achieve full maturity over time.

SOC 2 ®, Data Requiring Backup

Let’s talk backups. The first step in a data backup maturity initiative is to learn what data in your system requires backing up. You might say, “let’s back it all up,” because more is better, right? Sort of. Underlying economics restrict resources, which forces prioritization, beginning with an inventory of data types across your organization.

When starting from zero maturity, first draft a document with defined data environments and corresponding data requiring backup. Examples of environments requiring backup include servers, clients, document repositories, data centers, third-party vendors, and on-prem storage devices. We will consider offsite backup environments in a later section, but for now, let’s focus on purpose-built and integrated data appliances that serve your organization and overall business strategy.

Ad-hoc is better than nothing, so to increase maturity from absent to ad-hoc, define the conditions under which the organization will skip backups. Draft a policy that defines a centralized, decentralized, hybrid/modular, or embedded backup topology for your stakeholders and peers. Organize a team to select a topology; each topology carries its own maintenance requirements and calls for different personnel skill sets. Consider solution costs and asset value, storage requirements, media handling, configuration complexity, recovery flexibility, ease of configuration, and virtualization.

A repeatable process, where team members can communicate accomplished tasks and perform duties via planned processes, will elevate your maturity and scope. Organize a group, ideally drawn from the data backup team, and decide whether each prioritized environment requires a full or partial backup. Consider manual backups versus automated backups and apply automation where necessary. Train the team members involved in manual backups and, where necessary, limit access via access control policies. Organize a menu of tools and solutions in accordance with the drafted process policies for data backups and assign custodians to data environments.

Now that we have a repeatable process for selecting data requiring backup, the next step is to connect your policy and processes to other policies and tools. If you have achieved significant maturity, you can boast a robust data identification procedure for backing up data, monitoring backup failures, and initiating corrective measures when things go sideways. All your procedures are approved by your peers, stakeholders, and executive managers. Your data backup team is available, and a policy clearly outlines duties when you require redundancy.

Congrats! You have achieved full maturity for identifying data requiring backup. Work is optimized where possible, and the performance of all tooling, processes, and policies is self-improving on a regular cadence and/or through a defined mechanism. You can now look toward achieving full maturity when implementing data backup.

SOC 2 ®, Data Backup Maturity

We have prioritized our data, but how does maturity enable data backup implementation? Much like the beginning of prioritizing data backups, we start at zero maturity, where data backup capabilities are absent, and work up to full maturity. First, documentation! I know, I know, we don’t love this step, but without a sound policy to govern data backup plans, there is no organization – you work for an organization, not a disorganization. In this case, documentation is simple: refer to the policies governing data requiring backups and add implementation standards while considering solutions, custodians, and offsite backups. Select a team and assign duties that enable on-the-fly implementation of data backups. This team monitors existing tools to perform backup activities in accordance with policies (as best as they can, given limited resources). Get approval from stakeholders and move to the next step.

Something is better than nothing, yes, but ad-hoc is not as good as repeatable. To get from ad-hoc to repeatable, your organization must commit to implementing and enforcing policies, tools, processes, and personnel. For example, at a minimum, tools that facilitate snapshots will allow visibility of data environments and inform decision-making. Fulfill compliance requirements according to your organization’s legal policies concerning data backups, and be sure to include your legal advisor in policy and implementation activities. Test technological solutions that fit your organization’s budget and strategic vision. Tools that optimize multiple areas, the primary one being data backups, will allow higher integration and cost savings.

Once your data backup processes have matured beyond ad-hoc to repeatable and reliable functionality, it is time to define, integrate, monitor, and measure. After applying due care, implement processes. Ensure that the system not only performs minimum functions but produces valuable data. Data produced by previous activities leads to actions that further enforce data backups as well as related organizational functions. For example, a snapshot of data environments can also indicate storage limits, thus informing budgetary requirements. When failures occur, you should already have policies in place to address, remediate, and restore data in the interest of business continuity. Continually test the redundancy of your system, schedule regular maintenance, and always find ways to enable the organization beyond the basic functions of IT.

You did it! You’ve achieved full data backup maturity!

SOC 2 ®, Offsite Storage Maturity

After you have successfully driven your organization to data backup prioritization and data backup implementation maturity, it is time to consider offsite storage. You will achieve full maturity when you have implemented a repeatable process while fully automating, optimizing, and integrating off-site storage. Consider the distance between your principal storage location and backup location such that the likelihood of realized environmental threats would be reasonably negligible. Backups can include physical hardware such as tapes or hard drives, but also cloud backups for either physical or cloud storage. VMs also have snapshot capabilities, which are likewise non-physical.

Once again, we start from scratch. At this stage of zero maturity, our goal is to achieve an ad-hoc level of operations that provides the minimum required off-site storage capacity. And if you guessed that the first step is documentation, you’re correct! Documenting policies and processes will allow your organization to repeat all the processes, people, and technologies that make up your system. Without documentation, the bottom of your boat will eventually fall out. Let’s get a team of reliable experts, stakeholders, and advisors to help create a policy to govern offsite backups. The document must address data loss and data accessibility scenarios as they relate to offsite storage. The policy must also specify a multi-datacenter approach, which primarily enables effective disaster recovery and business continuity when one data center goes down.

To move beyond the ad-hoc stage to a level of repeatability, consider physical server failure, storage system failure, power outages, loss of internet access, network failure, site destruction, and inaccessibility. To be functional and repeatable, your offsite data storage must facilitate data recovery and business continuity at a bare minimum in any foreseeable destructive event and/or failure.

Let’s not stop there. What would it take to implement a defined off-site backup system where process, people, and technology work in tandem to ensure maximum availability, disaster recovery, and business continuity? First, activate a team to implement backups and seek expert advice when performing vendor acquisition and due diligence. All considerations affecting datacenter and vendor options must apply to cloud solutions as well. Most cloud storage providers have tiered storage access that includes live/hot storage, but also more affordable cold/archival storage. Outline and document (you’ll need to rope the legal team into this) clear objectives and agreements between your organization and vendors. Consider the difference between an SLA and an SLO. Implement storage protocols and operate according to predetermined automated services, contracts, and agreements. Phew – that’s a lot of work, but we’ve defined and implemented a robust off-site solution according to policy. Good job!

Now, we integrate our off-site solution, processes, and policies into existing workflows and overall business strategy. Review backup vendors for legal and regulatory obligations in accordance with existing standards. Review insights from the ad-hoc stage and find a low-cost process that would scale and integrate into a fully defined operation. When considering a long-term solution, revise, automate, and integrate processes that align with overall business objectives. Find complementary systems throughout the organization and unify them with offsite storage, such as employee training in the form of visits to a data center, cloud file storage systems, and intranet functionalities.

We’re almost there! It’s time to optimize. Your offsite storage system will have achieved full maturity when your organization effectively stores data in a location at a distance from its principal storage facility such that the risk of catastrophic impact to business continuity is acceptable. Double-check and test systems regularly. Feed lessons learned to future team members and remember to bake redundancy into your system, from tools to personnel. Continually optimize and find new ways to reduce inefficiencies.

You rock! You have achieved full maturity across three major areas of data management. You identified and prioritized data requiring backup, implemented effective data backup solutions, and successfully designed an offsite storage system that makes IT the envy of the organization (keep dreaming). Full maturity enables the organization to operate as an efficient entity, combining people, tools, and processes to optimal standards based on solid governance policies. Although a mature system withstands the test of time, people and technologies will change. Maturity is not only a goal but an attitude toward your business goals. Keep it moving, and graduate beyond zero findings.