Cloud storage is a crucial business service, providing data security, data protection and recovery in the event of a disaster.

Data Protection Audit Planning

In part one of “How to plan and execute a data protection audit,” we discussed the importance of user participation in the design process of your data audit plan. In this installment, we go into more detail about the questions you need to ask about your business processes to determine what you need to secure.

When initiating a data protection audit, the starting point is mapping out the systems that make your company work.

Michael Hammer, the highly respected author of “Faster, Cheaper, Better” and “Reengineering the Corporation: A Manifesto for Business Revolution,” identified the following key areas of IT systems that likely affect your data and how it travels within your company:

▪ Shared databases, making information available at many places

▪ Expert systems, allowing generalists to perform specialist tasks

▪ Telecommunication networks, allowing organizations to be centralized and decentralized at the same time

▪ Decision-support tools, allowing decision-making to be a part of everybody’s job

▪ Wireless data communication and portable computers, allowing field personnel to work independently of the office

▪ Interactive videodisc, for immediate contact with potential buyers

▪ Automatic identification and tracking, allowing things to report where they are instead of having to be found

▪ High performance computing, allowing on-the-fly planning and revisioning

Michael Hammer’s definitions allowed him to develop the “Business Process Reengineering Cycle,” which now provides an excellent framework for developing a thorough data protection audit plan.

We’ve detailed the four main steps of every audit below:

Data Protection Audit Step One: Identify the processes – which business systems would you need to recover after a complete loss?

A couple of examples:

A service business is not selling widgets, so it charges for its time. A key business process is how it captures the time spent per client, together with the billing system that works from that data. The audit should define how the company generates invoices. Some invoices may be built by more automated systems, such as an app on employee smartphones or a cloud-based storage system, but some inputs may still be traditional time slips that people key into the system for payroll. The key is to look at every application that gets touched, identify what makes it run, and ensure all of it is part of the data protection plan.

On the other hand, an oil refiner has a process that tracks raw materials coming in and finished goods going out through pipelines and freight carriers. This type of company is required by law to trace the points of origin of its materials from producers through to its logistics system. The oil refiner would need to include both the systems and the data capture devices in the field that sit behind these tracking mechanisms.

If you’re a retailer, you’ll need to assess all your processes, from inventory systems to time and attendance systems, scheduling and couponing.

In all industries, the audit team must ask which processes the business relies on to function, and where the data lives.

Data Protection Audit Step Two: Analyze these on an “as-is” basis.

  • How would you recover today from a complete loss?
  • How long would it take?
  • In what condition and how current would the recovered data and systems be?

These questions must be posed:

  • How would you recover your data and systems now if everything were gone?
  • What would your first step be to build those data and systems back?
  • In what condition would the current recovered data be?
  • How well would you recover in the event of a significant data loss?

Remember to consider outsourced information. If your company uses smartphone apps, ask who holds the data and where the interfaces are. You may even have to contact vendors to confirm where your data resides and what protections they have in place for it.

As you identify the business processes one by one, map out the connections and interfaces to the internal systems.

Data Protection Audit Step Three: Design the new process. What SHOULD this look like?

At the end of this discovery you will have a list of all your business processes, what recovery of each would look like, and the requirements for that recovery. Stand back and compare what recovery would look like today with what it should look like. There will be obvious gaps and opportunities for improvement, and those opportunities are where you need to focus your efforts to ensure a sensible recovery.

Data Protection Audit Step Four: Test & Implement

Once you’re comfortable with the outcomes of steps 1 – 3 and have chosen your data protection provider or technology, you absolutely must test it, and test it on a regular basis. As companies add new roles, new products and new services, the systems that touch them must be adapted, and sometimes those adaptations alter your data protection program. Regular testing is critical to the success of any data protection plan.

We see many companies and even service providers that do not do these tests. They are not easy! But they are essential – exactly because they are not easy.

In the concluding part of this series, we’ll examine the organization from a different angle, looking at it from a device and system perspective.
