Data Backup Policy


A backup policy is similar to an insurance policy - it provides the last line of defense against data loss and is sometimes the only way to recover from a hardware failure, data corruption, or a security incident. A backup policy is related closely to a disaster recovery policy, but since it protects against events that are relatively likely to occur, in practice it will be used more frequently than a contingency planning document. A company's backup policy is among its most important policies.


The purpose of this policy is to provide a consistent framework to apply to the backup process. The policy will provide specific information to ensure backups are available and useful when needed - whether to simply recover a specific file or when a larger-scale recovery effort is needed.


This policy applies to all data stored on corporate systems. The policy covers such specifics as the type of data to be backed up, frequency of backups, storage of backups, retention of backups, and restoration procedures.


Identification of Critical Data

The company must identify what data is most critical to its organization. This can be done through a formal data classification process or through an informal review of information assets. Regardless of the method, critical data should be identified so that it can be given the highest priority during the backup process.


Data to be Backed Up

A backup policy must balance the importance of the data to be backed up with the burden such backups place on the users, network resources, and the backup administrator. Data to be backed up will include:

  • All data determined to be critical to company operation and/or employee job function.

  • Full copies (“images”) of all company servers. It is the user's responsibility to ensure any data of importance is moved to a suitable server.


A single backup set may satisfy both of these requirements.


Backup Frequency

Backup frequency is critical to successful data recovery. The company has determined that the following backup schedule will allow for sufficient data recovery in the event of an incident, while avoiding an undue burden on the users, network, and backup administrator.

A recoverable backup of all company servers must be taken at minimum once per day.


Off-Site Rotation

Geographic separation from the backups must be maintained, to some degree, in order to protect from fire, flood, or other regional or large-scale catastrophes. Offsite storage must be balanced with the time required to recover the data, which must meet the company's uptime requirements. The company has determined that all backups must be stored offsite, whether on physical media or when using an Internet-connected backup service.


Backup Storage

Storage of backups is a serious issue and one that requires careful consideration. Since backups contain critical, and often confidential, company data, precautions must be taken that are commensurate with the type of data being stored. The company has set the following guidelines for backup storage.

When stored onsite, backup media must be stored in a fireproof container in an access-controlled area. When shipped offsite, a hardened facility (i.e., commercial backup service) that uses accepted methods of environmental controls, including fire suppression, and security processes must be used to ensure the integrity of the backup media. If a backup service is used, rigorous security procedures must be developed and maintained, which will include, at minimum, credential verification and compiling regular audit reports from service providers associated with backups. Online backups are allowable if the service meets the criteria specified herein. Confidential data must be encrypted using industry-standard algorithms to protect the company against data loss.


Backup Retention

When determining the time required for backup retention, the company must determine what number of stored copies of backed-up data is sufficient to effectively mitigate risk while preserving required data. The company has determined that the following will meet all requirements (note that the backup retention policy must conform to the company's data retention policy and any industry regulations, if applicable):

  • A minimum of (1) full backup must always be present, and be preserved for no less than 14 days;

  • A minimum of (1) recovery point per day must always be present;

  • A minimum of (14) days’ worth of recovery points must always be present.


Restoration Procedures & Documentation

The data restoration procedures must be tested and documented. Documentation should include exactly who is responsible for the restore, how it is performed, under what circumstances it is to be performed, and how long it should take from request to restoration. It is extremely important that the procedures are clear and concise such that they are not A) misinterpreted by readers other than the backup administrator, and B) confusing during a time of crisis.

The company has determined that backup recovery testing must be conducted once per calendar year, at minimum. Time between recovery tests should not exceed 18 months.


Restoration Testing

Since a backup policy does no good if the restoration process fails, it is important to periodically test the restore procedures to eliminate potential problems.

Backup restores must be tested when any change is made that may affect the backup system, and per the minimum requirement set forth in the previous section.


Expiration of Backup Media

Certain types of backup media, such as magnetic tapes, have a limited functional lifespan. After a certain time in service the media can no longer be considered dependable. When backup media is put into service the date must be recorded on the media. The media must then be retired from service after its time in use exceeds manufacturer specifications.


Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.


This policy will be enforced by the Executive Team and designated IT personnel or partners. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment or relationship. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.


  • Backup: To copy data to a second location, solely for the purpose of safekeeping of that data, in a format that can be recovered to a specific point in time.

  • Backup Media: Any storage devices that are used to maintain data for backup purposes. These are often magnetic tapes, CDs, DVDs, or hard drives.

  • Full Backup: A backup that makes a complete copy of the target data.

  • Incremental Backup: A backup that only backs up files that have changed in a designated time period, typically since the last backup was run.

  • Recovery Point: A specific point in past time when a backup is taken, and after which changes to that data are not preserved.

  • Restoration: Also called "recovery." The process of restoring the data from its backed-up state to its normal state so that it can be used and accessed in a regular manner.

  • Reverse Incremental Backup: A newer type of backup in which the full backup is the most recent recovery point, and reverse incremental backups represent earlier points in time.