backup/restore audit

I can't find any sort of modern audit checklist/benchmark to use for auditing a company's data backup/restore process - anywhere.

Any pointers to such a guide or a list of controls to use?

I would also like to hear what can (and does) go wrong with backup ops if admins misconfigure or don't manage the process; that's often a good start.

Added to the security area too, as this seems to attract lots of audit-type folk.
prashant9885 commented:
Please check the checklist below.

What SLAs are required for this server?

What is the role of this server? The role will have a direct impact on the backup options and requirements for it, and will directly feed into the remaining questions to be considered for servers. Sample server roles might include production, development, test, and quality assurance (QA).

Are there any special backup handling requirements for applications on the server?

Are there any special backup handling requirements for data on the server?

What times can the server be backed up?

What times are backups not allowed to occur?

What types of backups should this server receive? At minimum, most organizations will need to evaluate the necessity of the following:
- Daily: What rotation between fulls, differentials, and incrementals is required?
- Monthly: When should the monthly backup occur? If the daily full backups would occur on the same date as monthly full backups, what should be done? Should both backups be run concurrently, should the daily full be skipped, or should the daily full be run on an alternate day?
- Yearly: Are yearly backups required? (Typically “no” if monthly backups are kept indefinitely.)

Also have a look at this link for policy reference. Every company will adhere to a policy on retaining backups for months and years.
Syed_M_Usman (System Administrator) commented:

Oh, where to start... :)
Data backup falls under BCP, and each company will have different BUSINESS REQUIREMENTS; based on those they will make policy and strategy planning (backup, H/A)...

In your case I would suggest you do the following:

1) Take the IT policy from the company
2) Take the BCP document
3) Request application information (backend, front end and backup software)
4) Understand the business requirements (by interview, phone call, website, ...)

Once you have all of the above, read and understand the business requirements, and based on that request logs and backup set details from the company. You may also need to see:

MTD (Maximum Tolerable Downtime)
RTO (Recovery Time Objective)
WRT (Work Recovery Time)
RPO (Recovery Point Objective)

Without the above you will not be able to point out what and where the administrator is making mistakes.

Just to let you know, if you are doing an IT audit the services and servers below are very important:

Application Servers
Email Servers
There may be other servers like Anti Virus, Backup, H/A, ...

"I would also like to hear what can (and does) go wrong with backup ops if admins misconfigure or don't manage the process; that's often a good start"

Let's say a Financial Institution admin schedules a job for an application server for a daily backup (6:00 AM)... You know that the MTD of the company is 12 hours and the RPO is 3 hours.

This may be wrong: if the office finishes at 4:00 PM or 5:00 PM and the server crashes, the company will lose ONE BUSINESS DAY'S DATA, meaning the target RPO was 3 hours but you are losing 10-11 hours of data.

You may also need to see the backup strategy. Let's take the example of the same company, but here the administrator is taking backups twice, at 6:00 AM and 5:00 PM... which looks quite good, but this can also be wrong if the backups are taken on tapes and the tape drive crashes with the server in a disaster???

So finally you have to look at all aspects.
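The RPO reasoning in the answer above (a 6:00 AM daily backup measured against a 3-hour RPO, and a local-tape-only second copy), as an added Python example that is not part of this thread. The plan fields, schedule times, 09:00-17:00 office hours and the assumption that a backup completes instantly are all constructed for illustration.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60

def parse_hhmm(text):
    """'06:00' -> minutes since midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

@dataclass
class BackupPlan:
    name: str
    backup_times: list   # daily job start times, "HH:MM" (assumed to finish instantly)
    business_start: str  # hours during which new data is created
    business_end: str
    rpo_hours: float     # agreed Recovery Point Objective
    offsite_copy: bool   # a copy exists away from the server's own tape drive/site

def worst_case_loss_minutes(plan):
    """Worst wall-clock gap between the last backup and a failure at any minute
    of the business day; this is the data-loss window an auditor compares to the RPO."""
    starts = sorted(parse_hhmm(t) for t in plan.backup_times)
    worst = 0
    for now in range(parse_hhmm(plan.business_start), parse_hhmm(plan.business_end) + 1):
        # latest backup at or before `now`; if none yet today, yesterday's last one
        prev = max((s for s in starts if s <= now), default=starts[-1] - MINUTES_PER_DAY)
        worst = max(worst, now - prev)
    return worst

def audit(plan):
    """Return the audit findings for a plan (an empty list means no finding)."""
    findings = []
    loss = worst_case_loss_minutes(plan)
    if loss > plan.rpo_hours * 60:
        findings.append(f"{plan.name}: RPO breach, worst case loses {loss / 60:.1f}h against a {plan.rpo_hours}h target")
    if not plan.offsite_copy:
        findings.append(f"{plan.name}: single point of failure, the only copy sits with the server")
    return findings

# Constructed scenarios mirroring the answer: office hours 09:00-17:00, RPO 3h.
DAILY_0600 = BackupPlan("daily 06:00", ["06:00"], "09:00", "17:00", 3, offsite_copy=False)
TWICE_DAILY = BackupPlan("06:00 and 17:00 to local tape", ["06:00", "17:00"], "09:00", "17:00", 3, offsite_copy=False)
EVERY_3H = BackupPlan("every 3h, copied offsite", ["06:00", "09:00", "12:00", "15:00", "18:00"], "09:00", "17:00", 3, offsite_copy=True)

if __name__ == "__main__":
    for plan in (DAILY_0600, TWICE_DAILY, EVERY_3H):
        print(plan.name, audit(plan) or ["ok"])
```

The twice-daily schedule still exposes almost 11 hours of data before the 17:00 job runs, so on its own it does not close the RPO gap; only a shorter interval (or snapshots/log shipping) plus an offsite copy clears both findings.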