Why Don't We Do It in the Road Ahead?
Part 3, Security Enhancement
> Business continuity planning
> Page 3, Backing up is hard to do
Although many AEC businesses claim to have "taken care of" backup, I rarely see firms that actually follow adequate backup procedures (dentists likely observe a comparable discrepancy between patients' claimed versus actual flossing behavior). Typically, no policy is in place for periodic testing of “restore” capabilities from backup media. Short-term storage of backup tapes often is on-site in "fire-rated" media safesa flawed technique that was tragically exposed for some firms in the aftermath of September 11, 2001. Even in those cases where weekly or monthly backups are rotated off-site, the off-site location often is a warehouse a few blocks awayaffording little or no protection in the event of fire, flood or earthquake impacting more than those few blocks. For every US$1-million of firm billings per year, the risk of losing a weekly backup represents an ongoing US$20,000 exposure if a general system loss or unavailability of the firm’s premises were to occur at the most vulnerable time in the backup rotation cycle (for a monthly off-site rotation, the exposure is nearly US$90,000 per million of billingswhich implies that firms with only a monthly off-site backup rotation are risking roughly the same amount of money as their annual profit).
The cost of rotating daily backup media off-site to secure premises in another geographic region might be as little as US$50 per business day, including shipping. Thus, an annual expenditure less than $15,000 would limit the data-loss risk exposure of even a small US$1-million/year firm to just one day's worth of billingsa net 133 to 600 percent savings versus the loss of a weekly or monthly backup (the cost of off-site backup rotation/storage is essentially constant regardless of firm size, making the percentage risk reduction even more favorable for mid-size and larger AEC businesses). This is surely a prudent investment (multi-office firms, with sufficient geographic diversity and plentiful wide area network or WAN bandwidth between offices, may choose to back up each office by replicating files to one or more of the other offices). It should be noted, however, that backup media are now considered discoverable in legal proceedings; therefore, the firm may wish to consult with counsel and its insurers regarding the contents, frequency, and duration of long-term data backup.
While necessary, the capability to properly backup and restore data is not sufficient. Some program files may not run properly from a restored backup, yet I rarely see AEC businesses maintaining formal procedures for preserving the original program media in secure off-site locations. Absent the original program media, software vendors typically require clear proof of purchase before furnishing replacement media, yet I rarely see any consistent procedures for organizing such records and storing true copies in secure off-site locations. Similarly, passwords, encryption keys, and other access controlswhich should be stored separately from data and programswould be necessary for a total system restoration, yet I rarely encounter AEC businesses with documented procedures for securing and preserving these records.
> Page 1, Business continuity planning
> Page 2, Computus interruptus
> Page 3, Backing up is hard to do
> Page 4, The road to recovery