Professional Documents
Culture Documents
Back Up and Recovery Policy v1 2013
Back Up and Recovery Policy v1 2013
ISMS-POL-
Back-up and Recovery Policy
INTERNAL
ISMS–POL–
ORG LOGO Org Name - Information Security Team
Version 1.0
Backup and Recovery Policy
Document Details
Document ID
Document Name Backup and recovery Policy
Version Number 1.0
Document Release Date
Next Review Date
Document Author
Document Approver
Document Classification Level
Page 2|7
INTERNAL
ISMS–POL–
ORG LOGO Org Name - Information Security Team
Version 1.0
Backup and Recovery Policy
Table of Contents
1. Objective.......................................................................................................................................................4
2. Scope.............................................................................................................................................................4
3. Roles and Responsibilities.............................................................................................................................4
4 Policy Statement...........................................................................................................................................4
4.1 Identification of Critical Data.................................................................................................................4
4.2 Data to be Backed Up............................................................................................................................4
4.3 Backup Frequency.................................................................................................................................4
4.4 Off-Site Rotation....................................................................................................................................5
4.5 Backup Storage......................................................................................................................................5
4.6 Backup Retention..................................................................................................................................5
4.7 Restoration Procedures & Documentation............................................................................................6
4.8 Restoration Testing................................................................................................................................6
4.9 Expiration of Backup Media...................................................................................................................6
5 Equipment Retirement..................................................................................................................................6
6 Transport.......................................................................................................................................................6
7 Enforcement..................................................................................................................................................6
8 Maintenance of the Policy.............................................................................................................................7
9 References.....................................................................................................................................................7
Page 3|7
INTERNAL
ISMS–POL–
ORG LOGO Org Name - Information Security Team
Version 1.0
Backup and Recovery Policy
1. Objective
The objective of this policy is to provide a consistent framework to apply to the backup process. The policy will
provide specific information to ensure backups are available and useful when needed - whether to simply
recover a specific file or when a larger-scale recovery effort is needed.
2. Scope
This policy applies to all data stored on corporate systems. The policy covers such specifics as the type of data
to be backed up, frequency of backups, storage of backups, retention of backups, and restoration procedures.
4 Policy Statement
4.1Identification of Critical Data
The company must identify what data is most critical to its organization. This can be done through a formal data
classification process or an informal review of information assets. Regardless of the method, critical data should
be identified so that it can be given the highest priority during the backup process.
All data determined to be critical to company operation and/or employee job function.
All information is stored on the corporate file server(s) and email server(s). It is the user’s responsibility to
ensure any data of importance is moved to the file server.
All information is stored on network servers, which may include web servers, database servers, domain
controllers, firewalls, remote access servers, etc.
4.3Backup Frequency
Backup frequency is critical to successful data recovery. The company has determined that the following backup
schedule will allow for sufficient data recovery in the event of an incident while avoiding an undue burden on
the users, network, and backup administrator.
Page 4|7
INTERNAL
ISMS–POL–
ORG LOGO Org Name - Information Security Team
Version 1.0
Backup and Recovery Policy
4.4Off-Site Rotation
Geographic separation from the backups must be maintained, to some degree, to protect from fire, flood, or
other regional or large-scale catastrophes.
Offsite storage must be balanced with the time required to recover the data, which must meet the company’s
uptime requirements. The company has determined that backup media must be rotated off-site at least once
per month.
4.5Backup Storage
The storage of backups is a serious issue and one that requires careful consideration. Since backups contain
critical, and often confidential, company data, precautions must be taken that are commensurate to the type of
data being stored.
The company has set the following guidelines for backup storage.
When stored onsite, backup media must store in a fireproof container in an access-controlled area.
When shipped offsite, a hardened facility (i.e., commercial backup service) that uses accepted methods of
environmental controls, including fire suppression, and security processes must be used to ensure the
integrity of the backup media.
If a backup service is used, rigorous security procedures must be developed and maintained, which will
include, at minimum, credential verification, and the signature of the backup service courier.
Online backups are allowable if the service meets the criteria specified herein.
Confidential data must be encrypted using industry-standard algorithms to protect the company against
data loss.
4.6Backup Retention
When determining the time required for backup retention, the company must determine what number of
stored copies of backup-up data is sufficient to effectively mitigate risk while preserving required data.
The company has determined that the following will meet all requirements (note that the backup retention
policy must conform to the company’s data retention policy and any industry regulations, if applicable):
4.8Restoration Testing
Since a backup policy does no good if the restoration process fails, it is important to periodically test the
restoration procedures to eliminate potential problems.
Backup restores must be tested when any change is made that may affect the backup system, as well as twice
per year.
5 Equipment Retirement
Given the virtual nature of the enterprise, hardware devices, disks, etc will be reused for a variety of purposes.
When repurposing data devices care should be taken to "zero" out the device. On Linux, this is achieved with
commands similar to sudo dd if=/dev/zero of=/dev/XXXX.
For more information see the Media Sanitization and Destruction Policy
6 Transport
Before transportation from a secure location, all media will either be;
Physically destroyed on site.
Zeroed out (all data securely expunged).
Encrypted such that the key is transported independently of the media.
7 Enforcement
This policy will be enforced by the IT Manager and/or Information Security manager. Violations may result in
disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and
including termination of employment. Where illegal activities or theft of company property (physical or
intellectual) are suspected, the company may report such activities to the applicable authorities.
Page 6|7
INTERNAL
ISMS–POL–
ORG LOGO Org Name - Information Security Team
Version 1.0
Backup and Recovery Policy
9 References
ISO 27001:2013
ISO 27001: 2013 – A.12.3.1 Information Backup
Page 7|7