backup/restore audit

Posted on 2012-09-19
Last Modified: 2012-09-24
I can't find any sort of modern audit checklist/benchmark to use for auditing a company's data backup/restore process - anywhere.

Any pointers to such a guide or a list of controls to use?

I would also like to hear what can (and does) go wrong with backup ops if admins misconfigure or don't manage the process; that's often a good start.

Added to the security area too, as this seems to attract lots of audit-type folk.
Question by:pma111
    LVL 10

    Accepted Solution

    Please check the checklist below.

    What SLAs are required for this server?

    What is the role of this server? The role will have a direct impact on the backup options and requirements for it, and will directly feed into the remaining questions to be considered for servers. Sample server roles might include production, development, test, and quality assurance (QA).

    Are there any special backup handling requirements for applications on the server?

    Are there any special backup handling requirements for data on the server?

    What times can the server be backed up?

    What times are backups not allowed to occur?

    What types of backups should this server receive? At minimum, most organizations will need to evaluate the necessity of the following:
    Daily: What rotation between fulls, differentials, and incrementals is required?
    Monthly: When should the monthly backup occur? If the daily full backups would occur on the same date as monthly full backups, what should be done? Should both backups be run concurrently, should the daily full be skipped, or should the daily full be run on an alternate day?

    Yearly: Are yearly backups required? (Typically “no” if monthly backups are kept indefinitely.)
    LVL 10

    Expert Comment

    Also have a look at this link for policy reference. Every company will adhere to a policy for retaining backups for months & years.
    LVL 16

    Assisted Solution


    oh,,,, where to start... :)
    Data backup falls under BCP and each company will have a different BUSINESS REQUIREMENT; based on that they will make policy and strategy planning (Backup, H/A)...

    in your case I would suggest you do the following:

    1) Take the IT Policy from the company
    2) Take the BCP Document
    3) Request Application information (Backend, front end and Backup software)
    4) Understand the Business Requirement (by interview, phone call, website,,,,)

    once you have all of the above, read and understand the business requirement and based on that request logs and backup set details from the company. you may also need to see

    MTD (Maximum Tolerable Downtime)
    RTO (Recovery Time Objective)
    WRT (Work Recovery Time)
    RPO (Recovery Point Objective)

    Without the above you will not be able to point out what and where the administrator is making mistakes,,,,,

    Just to let you know, if you are doing an IT audit the below services and servers are very important;

    Application Servers
    Email Servers,,,
    there may be other servers like Anti Virus, Backup, H/A,,,,,,,,,,

    "I would also like to hear what can (and does) go wrong with backup ops if admins misconfigure or don't manage the process, that's often a good start"

    let's say a Financial Institute admin schedules a job for an Application server for daily Backup (6.00AM) ... you know that the MTD of the company is 12 hours and the RPO is 3 hours.

    This may be wrong as if the office finishes at 4.00PM or 5.00PM and the server crashes the company will lose ONE BUSINESS DAY's DATA, meaning the target RPO was 3 hours but you are losing 10-11 hours of data.

    you may also need to see the Backup Strategy; let's take the example of the same company but here the administrator is taking backups twice, 6.00AM and 5.00PM.... which looks quite Good but this can also be wrong if the backup is taken on tapes and the Tape drive crashes with the server in a disaster????

    so finally you have to look at all aspects..
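A worked version of the RPO scenario in the reply above, added here as an illustration and not part of any poster's answer: it measures a backup schedule against a stated RPO (worst-case hours of work lost if the server dies during the office day) and flags schedules whose only copies sit next to the server. Office hours, the 3-hour RPO and the three schedules are constructed values.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Schedule:
    name: str
    backup_minutes: List[int]  # minutes after midnight at which each backup completes
    offsite_copy: bool         # does any copy leave the server's location (vaulted tape, remote replica)?

def hhmm(text: str) -> int:
    """'06:00' -> minutes after midnight."""
    h, m = text.split(":")
    return int(h) * 60 + int(m)

def worst_case_loss_hours(backup_minutes: List[int], office_open: int, office_close: int) -> float:
    """Largest amount of work (in hours) lost if the server dies at any minute
    of the office day: time since the most recent completed backup, wrapping to
    the previous day's last backup when none has run yet today.
    Assumes a backup is usable from the minute it is scheduled (zero run time)."""
    backups = sorted(backup_minutes)
    if not backups:
        return float("inf")  # nothing is ever backed up
    worst = 0
    for crash in range(office_open, office_close + 1):
        earlier = [b for b in backups if b <= crash]
        last = earlier[-1] if earlier else backups[-1] - 24 * 60
        worst = max(worst, crash - last)
    return worst / 60

def audit_schedule(sched: Schedule, rpo_hours: float, office_open: int, office_close: int) -> List[str]:
    """Audit findings for one schedule: RPO compliance plus survival of a site loss."""
    findings = []
    loss = worst_case_loss_hours(sched.backup_minutes, office_open, office_close)
    if loss > rpo_hours:
        findings.append(f"{sched.name}: RPO breach, up to {loss:.1f}h of work lost vs {rpo_hours}h target")
    if not sched.offsite_copy:
        findings.append(f"{sched.name}: single point of failure, all copies co-located with the server")
    return findings

# Constructed scenario: office open 09:00-17:00, RPO 3 hours (the figures used in the reply above).
OFFICE_OPEN, OFFICE_CLOSE, RPO_HOURS = hhmm("09:00"), hhmm("17:00"), 3
DAILY_0600 = Schedule("daily 06:00 to local tape", [hhmm("06:00")], offsite_copy=False)
TWICE_DAILY = Schedule("06:00 and 17:00 to local tape", [hhmm("06:00"), hhmm("17:00")], offsite_copy=False)
HOURLY_OFFSITE = Schedule("hourly 06:00-18:00, replicated off-site",
                          list(range(hhmm("06:00"), hhmm("18:00") + 1, 60)), offsite_copy=True)

if __name__ == "__main__":
    for s in (DAILY_0600, TWICE_DAILY, HOURLY_OFFSITE):
        print(s.name, "->", audit_schedule(s, RPO_HOURS, OFFICE_OPEN, OFFICE_CLOSE) or ["OK"])
```

Note that the twice-daily schedule still fails the 3-hour RPO on its own, because a crash just before the 17:00 run loses everything since 06:00; only the hourly, replicated schedule produces no findings.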
