Administration and Data Retention. Best Practices for Systems Management

Transcription

1 Administration and Data Retention Best Practices for Systems Management

2 Agenda Understanding the Context for IT Management Concepts for Managing Key IT Objectives Aptify and IT Management Best Practices Best Practices for Administration Data Quality Projects Data Retention and Archiving

3 UNDERSTANDING THE CONTEXT FOR IT MANAGEMENT

4 Overview: IT Management Factors Internal Factors Management Directives Organizational Policies Service Level Agreements System Availability External Factors Audit Regulatory/Compliance Vendor/Partner Contracts

5 Management Directives Business Continuity and Disaster Recovery Approximately 8,000 Intel-based servers and approximately 5,000 UNIX servers were lost at an approximate replacement cost of $370 million. It has also been estimated that 30,000 securities positions (defined as trading, sales, research, and operations positions) were lost in the seven WTC buildings and another 15,000 to 20,000 positions in the adjacent buildings. Data Retention Policies Capacity Planning and Backup Management Availability and Service Level Agreements Information Lifecycle Management (ILM) Initiatives Tower Group, a research and advisory firm, estimates that it will cost $3.2 billion to replace technology at the affected securities firms. Of this estimate, $1.7 billion will be spent on hardware from trading stations, sales stations, workstations, PCs, servers, printers, mini-computers, storage devices, cabling, and communications hubs to routers and switches. The remaining $1.5 billion will cover services and software to install and connect the necessary networks, operating systems, and applications infrastructures. Digital Asset Management --Tech Republic, 5/17/2002

6 Regulatory Requirements Sarbanes Oxley Act (SOX) Security of financial data for public companies and related Health Insurance Portability and Accountability Act (HIPAA) Privacy of healthcare related information USA PATRIOT Act Impacts the ability for companies to utilize cloud-based resources across international borders EU Data Protection Directive Impacts data retention schedules

7 PCI Payment Card Industry Compliance Account Management Policies Backup Policies Acceptable Use Policies Incident Reporting Plans Card Storage Guidelines and Related Requirements Encryption and Network Policy Requirements Application/Environment Change Control Physical Security Policies

8 Overall Impacts Stricter Requirements on HW and SW Purchases Tighter Management Controls Additional Time and Effort by Team Members Ongoing Policy Upkeep and Compliance Efforts Higher Costs associated with Audits Potential Non-Compliance Sanctions

9 Policy Development Frameworks COBIT - Control Objectives for Information and Related Technologies ITIL Information Technology Infrastructure Library ISO/IEC ISO Standard for IT Governance

10 IT Governance Model Resource Framework Applications Systems Resources Formally documented Change Management Management Guidelines Policies and Procedures are in place, approved by management, and reviewed Monitoring annually. Audit Vendors Policy 1.1 Change Control A. Record of all changes made to all systems require a case to be created. B. All changes must be tested in prior to deployment to production by the business owner. Approval by the business owner is required for changes to be placed into production. Control Objectives C. For high-risk changes, case information must be entered prior to deployment. Measurement D. Policies Procedures

11 Management Recap IT decisions are impacted by internal and external factors Impacts include tighter management controls and higher operating costs Policy Development Frameworks, such as COBIT, are designed to help organizations manage Information Resources

12 APTIFY AND IT MANAGEMENT BEST PRACTICES

13 Common Management Objectives Affecting Aptify Security Administration Availability Data Quality/Integrity/Activity Logging Change Control Disaster Recovery Security Incident Response System Monitoring Data Retention Patch/Update Scheduling

14 Change Control Best Practices Simplify the process as much as possible Maintain record history on all Framework and Types/Codes entities Utilize Aptify Framework for all DB objects Test every component prior to deployment Test deployment process Ensure proper authorization by management and business unit is in place Record authorization Utilize Case Management to Log Related System Changes (OS, IIS, Supporting Systems, etc) Ensure a back-out plan

15 Backup/Recovery Best Practices Ensure recovery requirements are supported by DB backups Retain cyclical backups (ie. grandfather-father-son scheme) Consider using frequent incremental backups Backup transaction logs according to recovery requirements Store backups to tape or external device (ie. Barracuda Backup Service) Test recovery from backup frequently and determine the time required for recovery

16 Test Environment Setup Best Practices Maintain at least one test environment separate from production dev-test-production dev-test-staging-production Make sure all sensitive data is cleansed from test systems prior to release to staff (also includes disabling certain features) Remove financial information Disable merchant accounts Update all addresses to test address Create non-production environments to the same rigor and network topology as production to ensure adequate testing

17 Disaster Recovery Best Practices Build a disaster recovery plan that meets business objectives Test the disaster recovery plan Ensure that backups (part of every DR plan) are readily available, etc. Retain information on each environment to enable proper rebuilding if necessary Processor and memory configuration Drive mappings SAN/RAID Array Layout (physical and virtual) Maintain a backup DR site, as per availability requirements

18 Security Best Practices Utilize trusted connections for SQL Server Set the sa password to difficult password Ensure only named logins are used to reach the server and individually assigned for audit purposes Grant only required authorization levels to staff members Change the encryption keys frequently or per related policies (i.e. PCI requirements) Ensure only native (Aptify-driven) permissions are present on the SQL Server; evaluate on a cyclical basis Write and test an incident response plan

19 Privacy Best Practices Determine the Internal and External factors present Customer Privacy (ie. SSN) Management Objectives (competitive advantage, proprietary data) Regulatory Business Relationships (ie. PCI) Define business rules around private data Identify key data for encryption and utilize multiple keys to segment unrelated data Restrict columns through Field Level Security Restrict rows through Row Set Security Implement policies and procedures Ensure management objectives are followed Follow Incident Response plan in event of a breach

20 Monitoring Best Practices Utilize SQL Server logs to record login attempts to SQL Monitor use of non-trusted logins (server side trace) Monitor common set of applications (server side trace) Employ external monitoring tools to manage uptime and performance issues For attached storage, utilize windows performance counters to ensure high disk availability for SQL Server For SANs, utilize 3 rd party tools to manage disk availability to the SQL Server; ensure no network collisions

21 Data Retention Factors Basic Decision: balance between two factors Business benefits of data ownership Storage costs for data retention Consider what regulatory requirements are in place (ie. EU Data Protection Act) Business rules governing data retention: does your organization view paper files equally to electronic ones? What is the impact of privacy and security factors?

22 Data Retention and Archive Best Practices Conduct a data retention audit: what is the current state of data in my organization? Create or update your data retention policy Categorization of data processed / managed Purpose of retaining the data Maximum retention period Storage location Archival or destruction process Security method Who is responsible for data retention?

23 Sample Data Retention Schedule Type Purpose Value Risk Storage Costs Live Retention Period Backup Retention Period Archive Location Archive / Destroy Security Method Data Owner Historical Backup Med High High 3 years 5 years Offsite Destroy Encrypted Backup IT Committee History Historical Backup High Low Low unlimited unlimited Onsite Archive Backup Membership Customer Information Ongoing engagement High Mediu m Low 10 years unlimited Onsite Archive Encrypted Backup Membership Non-Customer Mediu Encrypted Information Historical Backup Med m Low 3 years 3 years Offsite Destroy Backup Membership Encrypted Purchase History Financial Med High Low 5 years unlimited Offsite Archive Backup Finance Record History Mediu (Change) Historical Backup High Record History (Rollback) Historical Backup Low m Medium 10 years n/a n/a Destroy n/a IT Mediu m High 6 mo n/a n/a Destroy n/a IT Encrypted Backup IT Lists Historical Backup Med Low Low 10 years 10 years Offsite Archive

24 Data Retention and Archive Methodology Create the Data Retention Schedule Evaluate storage costs important types of data Run queries to determine composition of your data What data costs the most for you to own? Match record history settings to your needs on an Entity by Entity basis Track Versions: defines if record history is stored OmitObjectData entity attribute: defines if the data is stored to allow restore Use the Archive Runs functionality frequently Create a process flow which handles archiving for you!

25 Data Quality Best Practices Implement manageable duplicate processing rules within duplicate check objects Create views which highlight potential duplicates and assign cleanup to team member (merge permissions) Create processes for finding common org-specific duplicates Develop and schedule reports highlighting data growth by entity and other factors important to the business

26 Management Reporting Common Reporting Requirements Monthly database file size growth Top 10 table growth by size Top 10 table growth by rows Activity by users Activity by tables

27 Sample Managed Services Monthly Report

28 Q & A

29 Thank You! Please let us know if you have any questions.