Printed on: 11/14/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
Appendix

Backup and Recovery of Software, System Configuration Standard

Appendix to Policy

Objective

Backup copies of software and system configurations must be taken and backup processes tested periodically to maintain integrity and availability of University information resources.

Security Controls

Multi-user systems (e.g., server, print server)

The following table defines baseline security controls for backup and recovery of software/applications on, and system configurations for, multi-user systems.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
| --- | --- | --- | --- | --- |
| BRSC.A.01 | Back up software and system configurations that cannot be replicated | Required | Recommended | Optional |
| BRSC.A.02 | Periodically test backup media and restoration procedures (suggested: annual) | Required | Recommended | Optional |
| BRSC.A.03 | Document a backup and recovery plan including frequency, extent of backups, physical storage, access to backups, and backup testing | Required | Recommended | Optional |
| BRSC.A.04 | Document backup and restoration procedures | Required | Recommended | Optional |

Single-user systems (e.g., desktop, laptop)

The following table defines baseline security controls for backup and recovery of software/applications on, and system configurations for, single-user systems.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
| --- | --- | --- | --- | --- |
| BRSC.B.01 | Back up software and system configurations that cannot be replicated | Recommended | Optional | Optional |
| BRSC.B.02 | Periodically test backup media and restoration procedures (suggested: annual) | Recommended [1] | Optional | Optional |
| BRSC.B.03 | Document a backup and recovery plan including frequency, extent of backups, physical storage, access to backups, and backup testing | Recommended [1] | Optional | Optional |
| BRSC.B.04 | Document backup and restoration procedures | Recommended [1] | Optional | Optional |

Network devices (e.g., firewall, switch, router, core node)

The following table defines baseline security controls for backup and recovery of software/applications on, and system configurations for, network devices.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
| --- | --- | --- | --- | --- |
| BRSC.C.01 | Back up software and system configurations that cannot be replicated | Required | Recommended | Optional |
| BRSC.C.02 | Periodically test backup media and restoration procedures (suggested: annual) | Required | Recommended | Optional |
| BRSC.C.03 | Document a backup and recovery plan including frequency, extent of backups, physical storage, access to backups, and backup testing | Required | Recommended | Optional |
| BRSC.C.04 | Document backup and restoration procedures | Required | Recommended | Optional |

1 This is required for systems in scope for the credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.

2 If a computer system is part of a Critical Operational Unit in accordance with Administrative Policy: Continuity of Operations (COOP) and the data is public, it must follow the Medium security level for Single-user systems.

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University applications or systems.

Related Information

More information on Backup & Recovery of Software, System Configuration

Published Date

  • November 2014
