COBIT and Recovery
Database recovery needs to be tackled from a best practice approach to enable your organization to do the kind of up-front planning and routine monitoring and evaluation that COBIT advocates. An organization that has adopted COBIT as a best practice framework understands the critical value of information to the business, and the need to assure its integrity and availability.
It is important that you develop backup policies and procedures for all of your database objects that match your business availability requirements. Most DBAs have done this, at least to some degree. But what most have not done is implement regular systematic checks for the ongoing viability of their backup and recovery plans to match their recovery time objectives—or even to ensure that their existing backups are valid and could be used in a recovery situation.
Recoverability is addressed by the following 19 COBIT objectives across three process domains:
• PO9.4: Assess risks—During planning and organization, you must assess the risk of databases being unrecoverable from backups.
• DS1.3 and DS1.4: Define and manage service-levels—Metrics are required to defining service-level objectives for recovery. Do you know how long it would take to recover a specific database object (or series of objects)? If not, how can you assure that application service levels will be met or exceeded?
• DS3.2, DS3.3, DS3.4, DS3.5, and DS3.8: Manage performance and capacity—Regularly checking the health of your recovery aids capacity management by improving the availability of information and the IT resources that depend on it.
• DS 4.10, DS4.11, and DS4.12: Ensure continuous service—Again, ensuring service is impossible without being able to ensure recoverability (including that mirrored to backup IT sites and/or offsite backup data stores).
• DS11.9, DS11.19, DS11.20, DS11.21, DS11.23, and DS11.24: Manage data—Any number of issues may require recoverability as part of an ongoing data management effort. COBIT Objective DS11.24 specifically covers verifying the usability of backups.
• M1.1 and M1.2: Monitor the processes—Ongoing monitoring of recoverability is needed to verify every backup job and its effectiveness in your environment (logging, memory, system resources, etc.).
Organizations need to better acquire and implement tools and procedures that help to verify the integrity of backups, the system settings that could affect the ability to recover, and the processes associated with backup and recovery of databases. Analyzing your database system, data, and backups, and determining their health and usability should be a regular practice. If not undertaken, then a system failure, logical error, malicious destruction, or catastrophic event could render your databases unusable, impact your business, and maybe even threaten the ongoing viability of your business.