Employing a third party to store and deliver assets critical to Disaster Recovery or Business Continuity Plans can be invaluable. But offsite storage should never be “dump it and forget it”. Despite everything your storage provider may promise, it’s what you don’t know that could become a problem when you need to retrieve your data backup, ‘go box’ or other essential recovery assets.
First, there’s the hand-off process. If your IT team ships physical backups offsite on a regular basis, that process can become routine. Over time, routine can slip into neglect. Neglect can result in outcomes that may a problem – or a disaster – when it’s time to recall those backups. And if you are using internal means to store vital assets, understanding the process and its security is just as critical – perhaps even greater.
What is the process? Is it documented? Is it verified with the vendor/provider periodically? Take the time to visit the provider (or even follow their pickup agent) to see exactly how the process works. Ask to see your stored materials, the vendor’s logs and their entry procedures in action.
Is the process secure? Are critical stored assets handled in a manner that assures they are properly accounted for, preserved, secured and retrievable?
An international distribution company used an offsite backup storage vendor who arrived every evening to pick up the latest backup tapes from the loading dock in a sealed plastic bin. A failed DR test revealed that every backup tape was blank: degaussed by the heavy-duty magnets in the tow-motors parked next to the backup tape bin each night!
Is the pickup process formalized, or just a guy driving his own car who throws your data into his backseat (or worse, stuffs it into a bag with other client’s backups)? You’d be surprise how often the latter is true. Are new or updated entries properly logged? Just because you labeled it properly doesn’t assure the vendor will too.
Most importantly, no matter whom you use, no matter what the pickup process – be sure you have tested the retrieval process! A crisis is not the time for surprises. Is the retrieval process documented? Are there security procedures (to assure someone else can’t retrieve your assets)? Is access to that information adequately available? You don’t want to find you can’t retrieve your ‘go box’ because the person who knows the access code is on vacation!
Your offsite vendor should be happy to cooperate with your tests. Don’t just do a ‘tabletop’ simulation test; contact the storage vendor just as you would in a real disruption. Instruct them where & when to send items; then see what happens. Check the results. You may be pleasantly surprised; or you may be disappointed. But that’s what tests are for. Don’t assume your offsite routine works until you test it; then test it again every time you test the related Business Continuity or Disaster Recovery Plan.