Backup Verification Data

Backups are a critical operational control, and their impact has been heightened by the rise of ransomware. There’s an old operational saying: you don’t have a backup until you’ve restored it. Performing a gap analysis of backups and identifying critical systems and data that are not backed up is critical. That alone is not enough: the ability to restore backups in an operationally timely manner is paramount.

We will discuss three critical metrics in Chapter 8, Domain 7: Security Operations—Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Work Recovery Time (WRT). Here’s a preview: RPO is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand. RTO describes the maximum time allowed to recover business or IT systems. WRT describes the time required to configure a recovered system.

Many organizations focus on the ability to recover data without calculating the time required to do so. Assume an organization has full backups of all critical data: if ransomware has infected hundreds of critical systems and encrypted the data, how long will it take to recover? If the answer is weeks or months, can the business survive that long? This illustrates why complete backups themselves are not enough: properly calculating RPO, RTO, and WRT is paramount. One part of that process is performing proactive restores of critical data and measuring the time required to restore critical systems.
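The restore drill described above, as an added example that is not from the book: it builds a small constructed backup (a gzip tar archive plus a manifest of SHA-256 digests), restores it into a scratch directory, proves every file came back intact, times the restore, and compares the result against assumed RPO, RTO, and WRT budgets. The budgets, file names, and file contents are illustrative placeholders; real values come from the organization's business impact analysis.

```python
"""Backup restore test: verify integrity and measure restore time against RPO/RTO/WRT.

Added example, not the book's code. Sample files and budgets are constructed.
"""
import hashlib
import io
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Assumed budgets for the illustration only.
RTO = timedelta(hours=4)   # maximum time allowed to recover the system
RPO = timedelta(hours=24)  # tolerable data loss, measured as backup age
WRT = timedelta(hours=1)   # time to reconfigure the system after restore

# Constructed sample data standing in for a real backup set.
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'constructed sample');\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(files: dict) -> tuple:
    """Constructed backup: gzip tar archive plus a manifest of expected digests."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), {n: sha256(c) for n, c in files.items()}


def restore_and_verify(archive: bytes, manifest: dict, dest: Path) -> dict:
    """Extract the archive into dest and check every manifest entry came back intact."""
    start = time.monotonic()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            # Refuse absolute paths and '..' so a crafted archive cannot write outside dest.
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member path in archive: {m.name}")
        # Use the 'data' extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    missing = [n for n in manifest if not (dest / n).is_file()]
    mismatched = [n for n, h in manifest.items()
                  if n not in missing and sha256((dest / n).read_bytes()) != h]
    return {
        "restore_time": timedelta(seconds=time.monotonic() - start),
        "missing": missing,
        "mismatched": mismatched,
    }


def assess(restore_time: timedelta, integrity: dict,
           last_backup: datetime, now: datetime) -> dict:
    """Compare a measured restore against the RPO/RTO/WRT budgets."""
    data_loss_window = now - last_backup  # worst-case data loss if this copy is restored
    return {
        "integrity_ok": not integrity["missing"] and not integrity["mismatched"],
        "rpo_ok": data_loss_window <= RPO,
        "rto_ok": restore_time <= RTO,
        "total_downtime": restore_time + WRT,  # restore plus reconfiguration
    }


def run_restore_test(files: dict, corrupt: Optional[str] = None,
                     backup_age_hours: float = 6) -> dict:
    """End-to-end drill: build a sample backup, optionally damage one file, restore, assess."""
    archive, manifest = build_sample_backup(files)
    if corrupt:
        # Simulate a backup whose contents changed after the manifest was written.
        archive, _ = build_sample_backup(dict(files, **{corrupt: b"\x00" * 16}))
    with tempfile.TemporaryDirectory() as tmp:
        integrity = restore_and_verify(archive, manifest, Path(tmp))
    now = datetime.now(timezone.utc)
    verdict = assess(integrity["restore_time"], integrity,
                     now - timedelta(hours=backup_age_hours), now)
    verdict["mismatched"] = integrity["mismatched"]
    return verdict


if __name__ == "__main__":
    print("clean restore:", run_restore_test(SAMPLE_FILES))
    print("damaged restore:", run_restore_test(SAMPLE_FILES, corrupt="db/customers.sql"))
    print("stale backup:", run_restore_test(SAMPLE_FILES, backup_age_hours=72))
```

The manifest is what turns "the archive extracted without errors" into "the data we need is actually there", and the timed restore is the measurement the text asks for; in a real drill the archive would come from the production backup system and the restore would target a representative host, so the measured time reflects operational conditions rather than an in-memory tarball.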

Tracking Training and Awareness

As discussed in Chapter 2, Domain 1: Security and Risk Management, security awareness and training are often confused. Awareness changes user behavior; training provides a skill set. Both need to be formally tracked.

Organizations should perform a gap analysis to determine that employees have been trained for roles that may require it (such as cloud engineers). Failure to do so can result in significant issues: informally learning specialized skills such as cloud engineering “on the job” can leave gaps in knowledge that lead to mistakes, outages, and compromises. This process requires a formal, budgeted program to be in place, providing training either in-house or through a third party (or a combination of the two).

Every employee needs to undergo routine mandatory security awareness, with attendance tracked. Some organizations tie annual cost-of-living increases to a variety of factors, including having completed awareness. This ensures near 100% attendance.