Business Practices

Uh-Oh What Should We Do?

• By Dave LeClair
• 05/01/15

The amount of data that today’s school districts generate is increasing exponentially and so is the need to protect it. School business officials and IT professionals should approach data protection with a documented disaster recovery (DR) plan that ensures the organization’s readiness for any kind of disaster, downtime or outage and its ability to get things back on track quickly if something goes wrong.

Here are some tips to help you develop an ironclad data recovery strategy.

1. Determine recovery time objectives and recovery point objectives. The recovery time objective (RTO) is the maximum amount of time your district can afford to be without its data and systems. The recovery point objective (RPO) is the maximum amount of data that you can afford to lose without severe consequences.

Visualize a time line. The RPO is the point at which all your data have been backed up and are secure. Disaster strikes, and the system crashes. The data created between the RPO and the disaster will likely be lost, as they were not backed up. The RTO is the point in the future when the organization will be up and running again, so the gap between the disaster and the RTO is the time during which the system isn’t functioning.

Those metrics serve as the foundation on which your DR plan is built. Every strategy you put in place should help you meet your RTO and RPO goals. Everyone within your organization should agree on which applications, functions, and data are critical, and what the loss of each could mean in terms of financial costs, brand damage, and regulatory compliance.

2. Secure a backup copy of your data off-site. Store a copy of your data off-site every day to ensure the data and applications remain accessible and you can continue to operate regardless what occurs.

Don’t confuse backup data with archived data. Backup data include critical applications, information, files, and systems currently in use that are backed up and replicated on a secondary site, such as a physical location or a public or private cloud. Automated systems back up data according to your RPOs and move the data off-site.

Archived data are collected and retained for longer periods to meet regulatory and compliance requirements and to provide rollback should your backups become corrupted. If your DR facility fails or becomes corrupted, you have the ability to rebuild your systems using your archived data. If your archived data are lost, they may be lost permanently.

Most educational institutions should have a backup window of at least once per working day for all critical data. Other important best practices to consider include providing at least one additional level of backup to cover a failure of the primary backup medium and auditing backup media at least once every six months.

3. Encrypt your replicated and archived data. Throughout the replication and archiving processes, company data are transferred across your wide area network, so it’s important to ensure they are encrypted in flight and at rest. A military-grade Advanced Encryption Standard with 256-bit keys is preferable, but you should encrypt to the highest level possible to prevent data breaches and other malicious activity — a common cause of downtime.

Look beyond IT

Data recovery should be an integral component of your organization’s DR plan, but it’s also important to look beyond IT to ensure true business continuity.

Examine all business and educational functions, identify those that are critical to maintaining business continuity, and develop a DR strategy for each. Determine the steps required to get those essential departments and employees online and communicating with each other, and make sure they can quickly and easily access the systems and servers they need to keep the establishment running. Communication and training are key here. Everyone who has a role in the DR process must be made aware of the plan and trained on their specific responsibilities. Consider cross-training personnel, so someone can always pick up a task in the event the primary person for that task cannot fulfill his or her responsibilities.

Don’t take disaster recovery lightly. Create a comprehensive, institution-wide plan, familiarize all the appropriate parties with it, and test it continuously to ensure flawless execution. That is the key to true recovery.

— Excerpted from the April 2015 issue of School Business Affairs magazine, published by the Association of School Business Officials International. asboint.org

This article originally appeared in the issue of .