Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
Identify appropriate data storage, backup and recovery, and data exchange to comply with legal, regulatory, or contractual agreements and to maintain the confidentiality, integrity and availability of University owned/generated data and the data for which the University has contracted.
Security Controls
Stored Data
The following table defines the baseline security controls for stored data.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| DSBR.A.01 | Store data on University approved location for the type of data | Required | Required | Recommended |
| DSBR.A.02 | Multi-user system (e.g., servers): Encrypt the data stored on the system | Recommended1 | Recommended | Recommended |
| DSBR.A.03 | Single-user system: Encrypt the data stored on the device or system | Required | Required Effective July 2019 |
Recommended |
| DSBR.A.04 | Encrypt removable media (e.g., USB) | Required | Recommended | Recommended |
| DSBR.A.05 | Periodically review procedures for storing and handling information to protect its confidentiality, integrity and availability (suggest: annual) | Required | Required Effective July 2019 |
Recommended |
1Required for:
- Health information, HIPAA or ePHI data
- Credit card information as defined by PCI DSS
- Controlled Unclassified Information (CUI) that falls under NIST 800-171
Data Exchange or Transfer of Stored Data
The following table defines the baseline security controls for data exchange or transfer of stored data.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| DSBR.B.01 | Encrypt Private-Highly Restricted data | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| DSBR.B.02 | Encrypt Private Restricted data | Recommended | Recommended | Recommended |
| DSBR.B.03 | Periodically review agreements for the exchange of and security protections of the information between the University and external entities (suggest: annual) | Required | Required | Recommended |
Backup & Recovery
Backup copies of data must be created on a regular basis, physically secured and backup processes tested periodically to maintain protect against loss of University data and to maintain business continuity.
The following table defines the baseline security controls for backup and recovery of data.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| DSBR.C.01 | Back up data where needed for continuity | Required | Required | Required |
| DSBR.C.02 | Store backups in a secure location that has limited access based on need (e.g., University or vendor secure site) | Required | Recommended | Optional |
| DSBR.C.03 | Use backup location that is not in the same building and some distance from where the original data or system is stored | Required | Recommended | Optional |
| DSBR.C.04 | For multi-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion, physical storage, access to backups, and backup testing (suggest: annual) | Required | Required | Recommended |
| DSBR.C.04 | For single-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of the backup, physical storage, access to backups, and backup testing (suggest: annual) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| DSBR.C.05 | Maintain records / inventory of backups | Required Effective July 2019 |
Recommended | Optional |
| DSBR.C.06 | Categorize the media so sensitivity of the data can be determined | Recommended 1 | Recommended | Recommended |
| DSBR.C.07 | Encrypt data backup if the original data requires encryption | Required | Required | Required |
| DSBR.C.08 | Encrypt the data during network transmission to/from the backup media/storage location | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| DSBR.C.09 | For multi-user system: Test for a successful backup and restoration by following documented procedures (suggest: annual) | Required | Recommended | Recommended |
| DSBR.C.09 | For single-user systems: Test for a successful backup and restoration by following documented procedures (suggest: annual) | Required Effective July 2019 |
Recommended | Recommended |
1 Required for:
- Health information, HIPAA or ePHI compliance on in-scope systems and applications;
- PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment;
- where specified in a contractual agreement.
Resources Covered
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Data Storage and Backup & Recovery
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to data storage and backup & recovery.
Published Date
November 2014
Last Reviewed
April 2019