There are several steps entities can take to improve their ability to quickly restore electronic data.

Adopt a Data Backup Policy – Organizations should have a written policy describing their backup procedures. It should include the frequency and scope of backups, the location of stored backup data, the specific method for backing up and any other important details relating to the process (e.g., file-naming conventions, method of transporting data offsite). The policy should also address how the organization will periodically verify that the data has been backed up and how it will test its ability to restore backup data.

Back Up Data at Regular Intervals – The frequency (e.g., daily, weekly) and scope of backups (e.g., incremental or full) will be based on various factors such as the volume and frequency at which new electronic information enters the computer system and the criticality of the data.

Verifying Data Has Been Backed Up and Can Be Restored – While many organizations perform some type of backup procedure(s), far fewer periodically attempt to restore a backup to ensure the process is functioning as intended and that data would be available in the event of an emergency.

Store Backups in an Offsite Location – Backups should be secured in an offsite location that meets the organization’s data security requirements and other conditions of storage (e.g., temperature control, fire prevention). It is important to maintain offline copies of backups in case a cyberattack renders online files unusable. Some organizations contract with a third party for backing up data, applications and/or operating systems. If that is the case, the organization should have a written agreement with the vendor that clearly describes the expectations for safeguarding the data, especially if it contains personal, private or sensitive information (e.g., names and Social Security numbers). In addition, local governments should check with New York State Archives personnel to gain an understanding of the laws and regulations pertaining to offsite data storage. NYS Archives issued a Records Advisory entitled Using a Data Storage Vendor¹ that describes what should be included in a data storage contract.

¹ http://www.archives.nysed.gov/records/mr_data_storage.shtml