Compliance and Backup Strategy: A Closer Look at the Connection

by Aug 23, 2023

The Intersection of Compliance and Digital Data

Organizations of all sizes and shapes must comply with government and industry regulations. Some regulations are limited to public companies, while others are relevant only to specific verticals. Many regulations cut across type, size, and industry in their impact. In addition to legally mandated requirements, many organizations voluntarily adopt quality and process standards (such as Six Sigma or ITIL) or establish performance guidelines that impact employees and customer agreements. Adhering to these standards brings with it additional (and not always overlapping) sets of rules. In compliance with these standards, regulations, and rules – or just to maintain best practices – most organizations are implementing some degree of business continuity or disaster recovery plan.

While most information can (at least in theory) be recorded on paper, virtually all organizations now keep personnel, customer, financial, transactional, and other records in digital format. Indeed, today, most organizations operate at the intersection of compliance and digital data. After all, compliance and digital data have become inextricably intermingled. Compliance is only manageable when information is digitized, and the proliferation of digital data makes compliance more essential. Organizations need to follow the rules about managing the growing stores of digital information they are accruing.

The bottom line: Whether legal requirements are in place, whether the rules and regulations are self-imposed, or whether there is a combination of factors in play, prudent business practice calls for backing up and securely housing digital data.

  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act (GLBA) or Financial Services Modernization Act
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  • U.S. Securities and Exchange Commission (SEC)
  • Basel II
  • Red Flags Rule
  • Statement on Standards for Attestation Engagements (SSAE) 16

The Intersection of Compliance and Backup

Compliance-related requirements must drive the backup strategy, which needs to support whatever compliance-related requirements an organization has.

What does having and enforcing a backup strategy accomplish for an organization? For one, it demonstrates to regulators and auditors the capability of protecting and restoring critical data. It can also get databases quickly back in business after a disaster occurs – whether from a terrorist attack or hacker intrusion, hurricanes or a burst pipe, or just plain human error. Further, it can help protect and defend organizations when litigation arises from employees, customers, competitors, or regulators.

Why Any Old Backup Will Not Do

It is not just a matter of backing up. It is also essential to how databases are backed up. Technical requirements must be satisfied to use a backup solution for compliance purposes. These are:

  • Encryption in transit
  • Encryption at rest
  • Access controls
  • Audit trails
  • Where backed-up data is kept (for example, off-premises, in-country)
  • The ability to determine what types of data get backed up
  • The ability to set the frequency of backup
  • The ability to satisfy the restoration time requirement

Any company that maintains personally identifiable information on employees (for example, Social Security numbers and proof of citizenship) must maintain this data. The same holds for organizations holding confidential customer information (credit card numbers and banking information). These obligations revolve around keeping information private and confidential, data secure from unauthorized access, and maintaining information for the required retention period.

There is no need to delve into much (if any) detail on why these requirements make the list. They are all more or less self-explanatory. Two not-so-self-evident issues are worth pointing out here:

  1. Tape-based backup, which requires manual intervention, is an inherently insecure process and will fail to meet the compliance threshold for regulations regarding data privacy. A tape-based backup may further fail the test regarding satisfying time-to-restoration requirements.
  2. All automated software backup solutions are not created equal. When choosing an answer, do so with full awareness of an organization’s compliance needs.

Idera SQL Safe Backup

IDERA Safe Backup is well-suited to meet the compliance needs of so many organizations.

Separation from Actual Data
  • SOX financial reporting data
  • Basel II financial reporting data
  • GLBA nonpublic personal information
  • PCI personal account number

SQL Safe Backup does not look at any data within the database. Instead, it asks SQL Server to perform backup and restore operations. Consequently, SQL Server is the only application that interacts with the data.

Encryption at Rest
  • SOX financial reporting data
  • Basel II financial reporting data
  • GLBA nonpublic personal information
  • PCI personal account number

With SQL Safe Backup, encrypt using AES 256 encryption the data as it is written to disk.

Audit Trails
  • HIPAA for information systems containing protected health information
  • SOX
  • PCI

With SQL Safe Backup, each time a task (backup, restore, or merge) is performed, Iog information on (for example) what database and database files were involved and where data was backed up or restored.

Determine What Types of Data to Back Up
  • SOX financial reporting data
  • HIPAA electronic protected health information

With SQL Safe Backup, select any combination of files and folders to be excluded from the continuous data protection policy and add advanced rules using patterns to exclude only certain file types.

Set Backup Frequency and Retention Times
  • SOX sets a minimum number of periods for retaining data and audit trails
  • HIPAA sets varying length requirements for the health records of adults and children

With SQL Safe Backup, schedule server backups as frequently as every 15 minutes and set how many recovery points to retain. Also, configure how much history to have in the repository database. Moreover, configure the frequency at which backups created through policies are kept on disk (that is, automatically purge backup files).

Satisfy Restoration Time Requirements
  •  Regulations vary broadly by industry and individual organizational needs.

With SQL Safe Backup, perform restores as fast as possible and faster than virtually any competitive offering.

There’s a final way in which IDERA Safe Backup is compliant-ready. The best-intentioned compliance and backup strategy will only live on paper if it’s challenging to implement and time-consuming deployments. Unlike solutions that may take hours to install and configure, IDERA Safe Backup is built for download and go, with no professional services required. Once IDERA Safe Backup is up and running, tasks are automated.

Given the simultaneous explosion of digital information and compliance requirements, having a sound, workable backup and restore policy is essential. So is the ability to carry through on that policy. IDERA Safe Backup stands at the intersection of compliance and backup with a solution that lets organizations of all shapes and sizes put a submission into practice cost-efficiently and time-effectively.

Idera provides robust solutions for SQL Server, Azure SQL Database, and Amazon RDS for SQL Server:

  • SQL Compliance Manager protects your data by monitoring activity and changes with powerful alerting and tamper-proof audit tools
  • SQL Safe Backup backups, restores, and instant recovery of databases

Additional Resource:

To learn more about developing and implementing a disaster recovery plan with secure database backups, please take some time to check out our 11-page whitepaper, “How To Develop And Test A Disaster Recovery Plan.”