Printed on: 06/14/2021. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Appendix

Data Storage and Backup & Recovery Standard

Appendix to Policy

Objective

Identify appropriate data storage, backup and recovery, and data exchange to comply with legal, regulatory, or contractual agreements and to maintain the confidentiality, integrity and availability of University owned/generated data and the data for which the University has contracted.

Security Controls

Stored Data

The following table defines the baseline security controls for stored data.

ControlSecurity Level
ID Description High Medium Low
DSBR.A.01 Store data on University approved location for the type of data Required Required Recommended
DSBR.A.02 Multi-user system (e.g., servers): Encrypt the data stored on the system Recommended1 Recommended Recommended
DSBR.A.03 Single-user system: Encrypt the data stored on the device or system Required Required
Effective July 2019
Recommended
DSBR.A.04 Encrypt removable media (e.g., USB) Required Recommended Recommended
DSBR.A.05 Periodically review procedures for storing and handling information to protect its confidentiality, integrity and availability (suggest: annual) Required Required
Effective July 2019
Recommended

1Required for:

  • Health information, HIPAA or ePHI data
  • Credit card information as defined by PCI DSS
  • Controlled Unclassified Information (CUI) that falls under NIST 800-171

Data Exchange or Transfer of Stored Data

The following table defines the baseline security controls for data exchange or transfer of stored data.

ControlSecurity Level
ID Description High Medium Low
DSBR.B.01 Encrypt Private-Highly Restricted data Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
DSBR.B.02 Encrypt Private Restricted data Recommended Recommended Recommended
DSBR.B.03 Periodically review agreements for the exchange of and security protections of the information between the University and external entities (suggest: annual) Required Required Recommended

Backup & Recovery

Backup copies of data must be created on a regular basis, physically secured and backup processes tested periodically to maintain protect against loss of University data and to maintain business continuity.

The following table defines the baseline security controls for backup and recovery of data.

Control Security Level
ID Description High Medium Low
DSBR.C.01 Back up data where needed for continuity Required Required Required
DSBR.C.02 Store backups in a secure location that has limited access based on need (e.g., University or vendor secure site) Required Recommended Optional
DSBR.C.03 Use backup location that is not in the same building and some distance from where the original data or system is stored Required Recommended Optional
DSBR.C.04 For multi-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion, physical storage, access to backups, and backup testing (suggest: annual) Required Required Recommended
DSBR.C.04 For single-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of the backup, physical storage, access to backups, and backup testing (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended
DSBR.C.05 Maintain records / inventory of backups Required
Effective July 2019
Recommended Optional
DSBR.C.06 Categorize the media so sensitivity of the data can be determined Recommended 1 Recommended Recommended
DSBR.C.07 Encrypt data backup if the original data requires encryption Required Required Required
DSBR.C.08 Encrypt the data during network transmission to/from the backup media/storage location Required
Effective July 2019
Required
Effective July 2019
Recommended
DSBR.C.09 For multi-user system: Test for a successful backup and restoration by following documented procedures (suggest: annual) Required Recommended Recommended
DSBR.C.09 For single-user systems: Test for a successful backup and restoration by following documented procedures (suggest: annual) Required
Effective July 2019
Recommended Recommended

1 Required for:

  • Health information, HIPAA or ePHI compliance on in-scope systems and applications;
  • PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment;
  • where specified in a contractual agreement.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019

Document Feedback

Information Technology