Backup Policy

Cybernance Backup Policy and Procedures

Policy Statement

Cybernance employs daily offsite backups, continuous replication, and point-in-time recovery.

Cybernance utilizes Amazon Web Service as their hosting platform. Amazon’s service is best in class, and guarantees the “five 9’s” of uptime (99.999%), triple-redundant backups daily, and a multitude of security audit certifications for their data centers.

All Cybernance Platform code is stored in GitHub in a minimum of three redundant server farms, with at least one of them in a different physical location than the other two. It would take a catastrophe of epic proportions to destroy all three sites simultaneously (in which case, our local backups would be used to recover).

The Cybernance Platform runs on a database server, three application servers, two redistribution (“redis”) servers, and load balancers. The servers are designed to replicate data or fail over to a secondary database to enable uninterrupted service in the event of a technical or other issue.

An Amazon service called RDS with synchronous replication enabled is used. This means that every piece of data written to the database is synchronously replicated to another data center. In the event that the primary database, or even the entire datacenter that holds the primary database, fails in some way, the secondary database will pick up and respond to queries without manual intervention.

In the event that both the primary and secondary databases, or the datacenters that hold them, fail in some way, Cybernance can make use of backups and the point-in-time restore capabilities of those backups. These backups are up-to-date within 5 minutes.

The Cybernance Platform application servers are stateless, meaning that no information other than the code of the application is stored on the servers. If a server goes down, the load balancers will automatically redirect requests to the remaining application servers in other datacenters, and users will not even be logged out or know that anything has occurred. Currently, three datacenters are used. In the event that all three datacenters fail, a new server with the code can be provisioned, since distributed backups of both the servers themselves, the code, and the deployment mechanisms have been continuously maintained. The two redis servers are managed by Amazon and are set up in a failover configuration that holds information about background asynchronous jobs (e.g., generating reports, emails, and so on). If one fails, the other one will take the load as they are provisioned to be large enough for that possibility. If both fail, then some reports and emails will not go out until they have been restored to service by Amazon.

Database Servers

An Amazon service called RDS with synchronous replication enabled is used. This means that every piece of data written to the database is synchronously replicated to another data center. Should the primary database, or even the entire datacenter that holds the primary database, fail in some way, the secondary database will pick up and respond to queries without any manual intervention. If both the primary and secondary databases, or the datacenters that hold them, fail in some way, Cybernance can make use of backups, and the point-in-time restore capabilities of those backups. These backups are generally up to date within 5 minutes.

Application Servers

Application servers are stateless, meaning that no information other than the code of the application is stored on the servers. If a server goes down, the load balancers will automatically redirect requests to the remaining application servers in other datacenters, and users will not even be logged out or know that anything has gone wrong. Currently, three datacenters are used. If all three datacenters fail, a new server with the code can be provisioned, since distributed backups of both the servers themselves, the code, and the deployment mechanisms have been continuously maintained.

Upon Termination

A customer who elects to terminate a paid license, either through cancelation or expiration of the license term, may request a data file containing the most current information associated with their accounts.

[icon name=”download” class=”” unprefixed_class=””] Download Policy as PDF

Sponsoring Office: Product Management
Effective Date: January 27, 2018
Last Reviewed: January 27, 2018
Next Scheduled Review: January 1, 2019

Medical

Another heavily regulated industry with compounded risks, medical services providers have to worry about not only compliance and financial risks, but the risk posed human health and safety. Business managers in this industry need some way to reduce complexity so that they can create effective strategies with prioritized risks.

Cybernance helps medical institutions understand the HIPAA security rule in terms of NIST standards. The two standards are composed of the same fundamental priorities, but have been difficult to cross-translate. With Cybernance, CISOs and Counsel can address the common points of their specific concerns about security and compliance.

Energy & Utility

The risk of a cyber attack on critical infrastructure – electricity, water, gas – is mounting. Energy and utility providers are under increasing pressure to comply with regulations, and to ensure the robustness of their systems. Leaders need ways to engage with their subordinates and their peers to ensure the resilience of our tightly linked infrastructure.

The Department of Energy uses Cybernance to assess and remediate cybersecurity risks at electric, wastewater, and gas utilities across the US. Our model and workflow give a quick assessment of a complex environment that mixes IT and OT, and helps leaders make decisions about where to focus remediation efforts.

Non-profit

Mission-driven organizations are often overweight on risk and underweight on resources. Limited resources tend to go toward executing on the core mission and maintaining a minimum of staff. Technology investment is a nice-to-have; security is a far-off consideration. Non-profit leaders need to understand their risks relative to cyber threats, and work to prioritize them based on their capabilities.

Cybernance offers these organizations and their boards a quick and affordable way to quantify and report these risks, which are often addressable with adjustments to policy or procedure – not technology investment. Many small victories can be achieved by only investing a little bit of time, sparing financial resources for the core mission.

Education

Colleges and Universities have a unique challenge not replicated in most business environments: users (student and faculty) are distributed and difficult to compel. Access controls are intentionally relaxed, and the default for information sharing is “unrestricted”. Within these cultural constraints, administrators must ensure the safety and privacy of users and the integrity of the system as a whole. They need to understand how to assess and prioritize risks and controls, so that they can create the desired balance of openness and resilience.

Cybernance helps to create a bridge between the CISO and the administrative functions within the institution. By enabling each to understand their institution’s capabilities relative to national standards, the Platform creates a forum where they can have productive conversations about how to handle their specific risks.