- Should be stored offsite within reasonable distance allowing for both protection from a wide area disaster and timely media recall.
- Must be stored in a secure location and under controlled environmental conditions (heat, humidity, dust, etc.) as per the media manufacturer's specifications and industry standards.
- Must be a duplicate of the onsite backup media (no single copies) and sent offsite daily shortly after creation.
- Must be inventoried via backup software or manually if the software does not provide this functionality.
- Long-term retention media should be tested periodically and migrated to new media as technology evolves to ensure recoverability of data.
- As with backup media, software installation media should have a copy available offsite.
- A copy of the software installation license keys should also be kept offsite along with system specific unique identifier information if required (some applications require it).
- Software installation media should be inventoried, subject to version control and maintained via a configuration management database.
- Software media should be stored with a copy of the system configuration and recovery documentation for disaster recovery (DR) purposes.
- Change management must also take into consideration the impact on offsite stored software media and documentation when authorizing a change such as a version upgrade.
The above are probably some of the most common best practices around backup and software media storage. Other good sources of information include the Information Technology Infrastructure Library (ITIL) and the Business Continuity Generally Accepted Practices (GAP).
This was first published in December 2006