APPENDIX TO POLICY

Backup and Recovery of Data Standard

Objective

Backup copies of data must be created on a regular basis, physically secured and backup processes tested periodically to maintain integrity and availability of University information resources.

Physical security of the backups must be managed to maintain integrity and availability of University information resources.

Security Controls

Data stored on Multi-user systems (e.g., server, SAN, NAS)

The following table defines the baseline security controls for backup and recovery of data stored on multi-user systems.

Control Security Level
ID Description High Medium Low
BRD.A.01 Back up data when the data cannot be replicated Required Required Required
BRD.A.02 Test backup media and restoration procedures (suggested: annual) Required Recommended Recommended
BRD.A.03 Encrypt backup media if the original data requires encryption Required Required Required
BRD.A.04 Store backup media in a secure location that has limited access based on business need (e.g., University or vendor secure site) Required Recommended Optional
BRD.A.05 Use backup location that is not in the same building and some distance from where the original data or system is stored (e.g., across campus) Required Recommended Optional
BRD.A.06 Document a backup and recovery plan including frequency, extent of backups, physical storage, access to backups, and backup testing Required Required Recommended
BRD.A.07 Document data backup and restoration procedures Required Recommended Optional
BRD.A.08 Mark backup media containing private-highly restricted University data as confidential Recommended 1 Recommended Recommended
BRD.A.09 Conduct a periodic on-site review of the backup location/facility (suggested: annual) Recommended 1 Recommended Optional
BRD.A.10 Track/log all access to the backup location/facility Recommended 1 Recommended Optional
BRD.A.11 Maintain records / inventory of backup media handled by other IT units or services Recommended 1 Optional Optional
Data stored on Single-user systems (e.g., desktop, laptop)

The following table defines the baseline security controls for backup and recovery of data stored on single-user systems.

Control Security Level
ID Description High Medium Low 2
BRD.B.01 Back up data when the data cannot be replicated Required Required Required
BRD.B.02 Test backup media and restoration procedures  (suggested: annual) Recommended 1 Recommended Optional
BRD.B.03 Encrypt backup media if the original data requires encryption Required Required Required
BRD.B.04 Store backup media in a secure location that has limited access based on business need (e.g., University or vendor secure site) Required Recommended Optional
BRD.B.05 Use backup location that is not in the same building and some distance from where the original data or system is stored (e.g., across campus) Required Recommended Optional
BRD.B.06 Document a backup and recovery plan including frequency, extent of backups, physical storage, access to backups, and backup testing Required Optional Optional
BRD.B.07 Document data backup and restoration procedures Recommended 1 Optional Optional
BRD.B.08 Mark backup media containing private-highly restricted University data as confidential Recommended 1 Recommended Recommended
BRD.B.09 Maintain records / inventory of backup media handled by other IT units or services Recommended 1 Optional Optional

1 This is required for systems in scope for credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.

2 If a computer system is part of a Critical Operational Unit an accordance with Administrative Policy: Continuity of Operations (COOP) and the data is public, it must follow the Medium security level for Single-user systems.

Resources Covered

This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted .

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Backup & Recovery of Data

Published Date

  • November 2014

Document Feedback