Off-site data storage: How far away is far enough?
Our off-site storage is located a block from the data center, which is across the street from the Gulf coastline. Tapes are stored in fire and waterproof media safes. What are your thoughts on the sufficiency of this option?
It's not a simple process to determine how far away your off-site data storage
should be. There are many considerations and approaches to addressing disaster recovery (DR) as well as business continuance (BC) requirements that depend upon your specific threat risk issues, type of business, location and service objectives -- among other factors. For example, what regulatory (government or industry) regulations or mandates are you or your customers subject to complying with in terms of data and business survivability and availability? Another question is, do all of your business applications and functions need to be available in order to function and how long can the business operate with limited IT capabilities? Has a business impact analysis (BIA) been conducted or updated recently to determine the value of applications and data as well as how far away is sufficient to meet different threat risks?
Speaking of threat risks, what is most likely to have an impact on both your primary business and IT location as well as the location of where your alternate data is stored? If your data is very important, do you need to have a tertiary site with either on-line or off-line copies of your data? In addition to making sure that your data is protected at an alternate location or locations, as part of a BIA, determine what your processing needs will be and where those need to be located to actually use (e.g. restore and recover) off-site tapes or disk-based backups. Think of it this way: What good is having your data protected somewhere else if you are not able to actually use it other than knowing the data is safe?
There are many other items and factors to consider and the above is far from a comprehensive list. However, it should help with some considerations with regards to protecting your data in the face of various threat risks.
This was first published in September 2007