It is essential to ensure that backup copies are created at defined intervals and regularly tested. This part of the policy is an Information Security Management System (ISMS) policy, and it applies to all personal data processing activities.
The main goals of this policy are:
-
To define and apply a clear backup and restore standard for all corporate information systems;
-
To define backup and recovery standards per data prioritization;
-
To prevent the loss of data in the case of an accidental deletion or corruption of data, system failure, or disaster;
-
To permit timely restoration of information and business processes, should such events occur;
-
To manage secure backup and restoration processes and the media employed in the process;
-
To set the retention periods of information contained within system level backups designed for recoverability and provide a point-in-time snapshot of information as it existed during the time-period defined by system backup policies.
The scope of this policy necessarily includes, but is not limited to, the following information.
-
The Company’s sensitive corporate data;
-
The Company’s sensitive customer data;
-
The Company’s intellectual property data;
-
Network device configuration files (e.g.: WiFi Router, WiFi Access Points, Corporate Firewall, Managed Switches, Routers);
-
Critical services configurations;
-
Critical resources OS System states;
-
The Company’s hosted application production deployments serving customers’ needs and storing customer’s data.
The following principles guide this policy.
-
Performing proper backup, storage, and retrieval of data is high-priority for the Company;
-
When accurately followed by each stakeholder, this policy protects the availability, confidentiality, and integrity of data.
Data must be protected by regular backups, as under.
-
The Business Assistance Group must perform backups in association with the concerned team, as under:
-
All backup data must be stored in an encrypted and access-controlled format;
-
Backup copies must be stored in an environmentally-protected and access-controlled secure location offsite from the location of the originating asset;
-
Stored copies must be stored with a short description that includes: backup date, resource name, type of backup method (full/incremental);
-
Stored copies of data must be made available upon authorized request;
-
The request for stored data must be approved by an authorized person nominated by the Company in the appropriate department.
Requests for stored data must include:
-
A completed form that outlines the specifics of the request, including what copy is being requested, where and when the requester would like it delivered, and why they are requesting the copy;
-
Acknowledgement that the backup copy will be returned or destroyed promptly upon completion of its use;
-
Submission of a return receipt as evidence that the backup copy has been returned;
A record of physical and logical movements of backup media must be maintained, which shall include the following information.
-
All identification information relating to the requested copies;
-
Purpose of the request;
-
Information about person requesting the copy;
-
Authorisation for the request;
-
Location where the copy will be held while it is out of storage;
-
Date when was the copy released from storage;
-
Date when will the copy be returned to storage; and
-
Any special controls must be used to protect sensitive or critical information.
All backup media must be appropriately disposed of. Prior to retirement and disposal, IT will ensure:
-
That the media no longer contains active backup images;
-
That the media’s current or former contents cannot be read or recovered by an unauthorised party;
-
That the media is physically irretrievably destroyed prior to its disposal.
Backup copies should periodically be tested for recovery capability
-
All backups should be verified periodically by the Business Assistance Group, and a report created on its ability to recover data (relevant for logical/cloud-based backup procedure);
-
Log information generated from each backup job will be reviewed once every 90 days by the Business Assistance Group for the following purposes:
-
The Business Assistance Group and the Operations team will identify problems and take corrective action to reduce any risks associated with failed backups;
-
Random test restores will be done once every 6 months in order to verify that backups have been successful;
-
The Business Assistance Group will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes;
-
The Business Assistance Group shall report on its ability to recover data (relevant for physical storage media) once every 90 days. The ability to recover data shall be measured by:
-
The Business Assistance Group is responsible for backing up internally-hosted corporate information systems. The department shall maintain the following backup schedule:
Network file shares:
-
Weekly Full backup
-
Daily Incremental backup
Source control:
-
Weekly Full backup
-
Daily Incremental backup
Configuration files:
Internal services and data (license server, etc.):
-
Weekly Full backup
-
Daily Incremental backup
-
The Operations team is responsible for backing up all customer production environments. The Operations team shall maintain an automated backup schedule that ensures that the backup occurs on a daily basis and that backup retention period is no lesser than 30 days.