April 3, 2017
If you’re a veteran of backup and disaster recovery (BDR), you know how complicated it can get. Keeping your data protected and recoverable can be a major endeavor as your apps and systems keep growing. So it’s not surprising that many IT teams don’t like to think about compliance – which can be a headache even in the best of times.
But if you’re in a regulated industry like finance, healthcare, academia or retail, the success or failure of your audit can have brand and financial repercussions. And because your BDR ecosystem may include the storage and transfer of data in numerous ways, from failing over to migrating to the cloud, you’ll need to make sure you’re handling your data according to the compliance requirements of institutions like:
One common compliance issue is that some regulations are prescriptive and detailed while others can be vague. Compliance blunders are common when it comes to BDR. For example:
The team isn’t including BDR in its compliance scope. Is your disaster recovery process architected with the right controls? Even distant archived data you rarely need is in scope, and so is every appliance, component and process that touches your data.
The team is duplicating its compliance efforts. Every enterprise team should look at how their regulatory needs intersect. It’s common enough for a BDR team to manage data that falls into multiple regulatory categories; yet too often one department handles PCI and another handles HIPAA, treating them as separate initiatives. Often they check the same controls and create the same documentation already created by someone else. Because most compliance institutions share commonalities, a unified program is the most effective approach.
The organization is using an insecure BDR vendor. Some vendors conflate security and compliance and assume that their minimal controls will keep you compliant; others try to apply a one-size-fits-all approach and provide scant detailed information about their security program. Unless you’re working with vendors and providers who take the time to learn your risks and unique needs, you’ll be at risk for a failed audit.
Compliance is a nuanced business and any effective program will be tailored to your BDR configurations. But there are a few standards that can help every team. The first: encryption. Not only can this help mitigate your notification responsibilities in the event of a breach, it’s a critical compliance measure. Make sure all backup data is encrypted before it leaves your data center or device.
Building compliance into your SLA is just as important. Is your vendor or provider going to strengthen your compliance posture or will they leave you with a gap that costs you come audit time? When evaluating solutions, look for one that already meets the main regulations from PCI, HIPAA and other organizations to save your team considerable work.
Another important tip: make sure your DR plan is compliant. Plans are actually required by several compliance institutions, and you’ll want to make sure yours is thorough enough to satisfy every requirement. You’ll need to include a comprehensive risk assessment; details of your secondary sites, security controls and failover processes; and clarity on how you’re protecting personal, financial and medical data.
It’s never too late to start practicing smart and simplified compliance. With the right approach and the right solution, you can lighten your compliance burden – and strengthen your security posture at the same time.