110 3.3 Other Preventative Controls
3.2.6 Archiving Electronic Files
There are a couple of significant issues to consider when archiving
electronic data files. It may not be possible to locate or retrieve legacy
documents because of inappropriate deletion or premature archiving. This
can result from an unsuitable or unenforced retention policy. Also,
confidential data can be lost or stolen while stored offsite, and due
diligence must be performed when choosing the vendor and method by which
the data will be stored offsite.
3.2.7 Recovery and Restoring of Data Files
As discussed previously, saving data on a backup tape or disk should be a
core element of your information security program. There are, however, a
few security issues that should be addressed when managing the security of
the backup process. It is possible for unauthorized parties that use similar
backup software to access and restore your backup data. If the restored data
are not on the designated backup tape or disk, this can result in confusion
and potential loss when the data are restored. It is possible for data to be
lost or overwritten if the restoration from the backup media is incorrect.
There is also a procedural handling issue if the data are found to be corrupt
after being located and restored.
BCP/DRP planning is meant to prepare for all plausible scenarios for
the location of your company's facilities. If there is a credible risk of
natural disaster, terrorist activity, effects of war, and so on in your area,
then your proprietary/intellectual property and other sensitive or
mission-critical data should be protected accordingly. In this case, if
unsecured digital data are left on desks or in other nonsecure locations in
areas or at times of high risk, then the data should be encrypted. Better
yet, unattended sensitive media in high-risk areas should be stored in
locked safes, when at all possible.
3.3 Other Preventative Controls
A wide variety of preventive controls are available, depending on your
organization's unique type and configuration. Some common measures
applicable to most organizations are listed below:
- Appropriately sized uninterruptible power supply (UPS) systems provide
  short-term backup power to all system components (including
  environmental and safety controls), and should be required for 24/7
  operations. UPS systems provide continuous battery uptime for IT
  and communications equipment through relatively short power outages,
  and provide ride-through support for transfer to backup generators
  for long-term outages. UPS systems range from the most basic
  single-phase units installed in communication closets to sophisticated,
  scalable, redundant, three-phase installations in large Internet
  data centers.
- Gasoline- or diesel-powered generators to provide long-term backup
  power. Effective power distribution is key to a highly available data
  center. Conditioning can be in the form of isolation and K-rated
  transformers (to address harmonic loads), surge suppression, and
  other protection features. Various techniques are used to provide
  redundant power feeds to create highly available systems for dual- and
  single-cord loads. Methods employed include stationary static
  switches, power distribution units (PDUs), transient voltage surge
  suppressors (TVSSs), automatic transfer switches (ATSs), rack-based
  transfer switches, and more. The nature of today's 24/7 business
  environments requires a continuous and reliable power supply. An
  emergency backup generator can provide you with a secondary power
  source when the primary power is interrupted. Backup generators can
  be fully automatic systems that monitor the incoming electricity and
  provide an extended secondary power source on loss of primary
  power. Backup generator power systems should be designed for your
  specific needs, considering the voltages and kilowatt requirements.
  Your backup generator system can be customized with larger fuel
  tanks for longer run times, bypass options on ATSs for easy
  maintenance, and sound attenuation enclosures for environmentally
  sensitive areas.
- Air-conditioning systems with adequate excess capacity to permit
  failure of certain components, such as a compressor, are required. IT
  environment equipment requires rigid environmental conditions for
  reliable operation. Precision air conditioning systems and rack-based
  air handling systems are specifically designed for the concentrated
  vertical heat loads of today's data centers. Data center/computer
  room air conditioners provide efficient heat removal, humidity
  control, greater airflow, better air filtration, greater flexibility and
  expandability, and numerous alarm and redundancy options. You
  should not jeopardize your data center by installing comfort cooling
  air conditioners. You must calculate the proper tonnage, top
  discharge, bottom discharge, ceiling-hung, floor-mounted, water-
