It doesn’t take long for a college’s most valuable data assets to be at risk: a hurricane strikes, an employee accidentally deletes the wrong file, a malicious ransomware attack sneaks in. How well an institution can recover from such events depends on how thoroughly it has prepared beforehand.
One important step is to prioritize data, in advance, based on its intrinsic value and its importance to mission-critical operations. That will drive decisions about where to store data, how to protect it and what to restore first in the event of a crisis.
University Uses Tier System to Prioritize Backups
Columbia University in New York classifies its applications and data into four tiers, so the IT department can prioritize backups and determine which applications must be restored first during a disaster recovery scenario, says Director of Network and Computer Security Joel Rosenblatt.
Tier 0 (critical infrastructure) includes email, identity management and security systems, such as building access control and security cameras. Columbia runs these applications in a “hot” configuration, with a secondary data center ready to take over immediately if the main data center goes down.
Tier 1 is critical business applications, such as student management systems, while Tier 2 includes important business applications. IT replicates data from both tiers to the secondary site. The difference, Rosenblatt says, is that IT staff has up to 48 hours to restore Tier 1 apps and up to seven days to restore Tier 2 apps.
Tiers 3 and 4 are noncritical applications or test and development environments and have no recovery requirements, he says.
Data Classifications Can Identify Critical Data
The University of Houston relies on individual departments to classify their data, so that IT staff can ensure the most critical assets have proper backup.
- Level 1 data is sensitive, confidential or mission-critical, says CISO Mary Dickerson; for instance, a planning document on how a department can recruit students over the next year.
- Level 2 information is publicly available, but needs to be temporarily restricted; for example, notes created for the next week’s class that the professor doesn’t want to publicize yet, Dickerson says.
- Level 3 is anything that is publicly available, such as website information.
The university requires Level 1 data to be stored on central servers and backed up, but individual departments can choose to back up Level 2 and 3 data as well.
“We are most concerned with Level 1 information, which according to policy must be stored on a critical information resource,” Dickerson says. “It has to be on a server located in a data center with proper environmental monitoring, and the policy specifies that it has to be backed up.”