Backup Policy Template
Posted by Peter Bassill on 05/01/2021
STATEMENT
The aim of this Policy is to enable the business to operate effectively and efficiently, to comply with legislation, regulations, information standards (ISO/IEC27001, PCI-DSS, CE & CE Plus) and good practice, and to safeguard information and data against potential loss by theft, malicious or accidental damage, or breach of privacy or confidentiality.
The purpose of this Policy is to set out a common set of considerations and requirements to be reflected upon when devising a backup plan for the Firm’s information assets, ensuring that the confidentiality and integrity of the information stored and the availability of the Firm’s computer systems are maintained at all times, and that in a time of difficulty it supports the Firm’s business continuity efforts.
This policy applies to employees, contractors, consultants, temporaries, and other workers at {company_name}, including all personnel affiliated with third parties.
At this time, {company_name} uses real time replication of data.
To provide resilience to the firm, backing up the operating systems, applications and data hosted on our computer systems is a vital activity for ensuring that we can recover from situations affecting the smooth operation of the business.
These routine backup procedures and controls are there to maintain the integrity and availability of our services, and to protect the confidentiality of data in both the production and test environments, as well as on backup media.
This is important because servers are often some of the most exposed and vital hosts on the network. These need backups on a regular basis for several reasons. A server could fail as a result of a malicious or unintentional act, or a hardware or software failure. In addition, we are governed by regulations on the matter of backup and archiving of server data. There are also legal and financial reasons for doing this.
Server Data Backup Policies
Three main factors influence the contents of this policy and impact on how backing up will be conducted:
Applicable laws and regulations
Criticality of data to the organization
Organizational guidelines and policies.
Backup procedures established for different parts of the firm, to reflect their particular environment, should address the following issues:
Purpose of the procedure
Parties affected by the procedure
Servers covered by the procedure
Definitions of relevant key terms, especially legal and technical
Detailed requirements from the legal, business, and organization’s perspective
Required frequency of backups
Procedures for ensuring data is properly retained and protected in accordance with its classification
Procedures for ensuring data is properly archived or destroyed when no longer required
Procedures for preserving information for Data Protection Act (DPA) and Freedom of Information Act (FOIA) requests, legal investigations, and other such requests
Responsibilities of those involved in data retention, protection, and destruction activities
Retention period for each type of information logged
Specific duties of a central/organisational data backup team, if one exists.
Server Backup Types
Three primary types of backup exist:
Full backups – These include the OS, applications, and data stored on the server (i.e. an image of all data stored on the server hard drives). The advantage of a full backup is that it is easy to restore the entire server to the state (i.e. configuration, patch level, data) it was in when the backup was performed. The disadvantage of full backups is that they take considerable time and resources to perform.
Incremental backups – These reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental).
Differential backups – These reduce the number of backup sets that must be accessed to restore a configuration by backing up all changed data since the last full backup.
However, each differential backup increases as time lapses from the last full backup, requiring more processing time and storage than would an incremental backup.
Generally, full backups are performed less frequently (weekly to monthly or when a significant change occurs), and incremental or differential backups are performed more frequently (daily to weekly).
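The trade-off between incremental and differential backups can be worked through on a sample schedule. The following is an added example, not part of the original template: the names, the 500 GB full backup and the daily change figures are constructed, and it assumes a schedule uses one scheme between full backups.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupSet:
    label: str
    kind: str      # "full", "incremental" or "differential"
    size_gb: int   # data written to this backup set

def build_cycle(scheme, full_gb, daily_change_gb):
    """Constructed catalogue: one full backup, then one backup per day.
    Simplification: each day's changes touch different data."""
    catalogue = [BackupSet("day0-full", "full", full_gb)]
    since_full = 0
    for day, changed in enumerate(daily_change_gb, start=1):
        since_full += changed
        size = changed if scheme == "incremental" else since_full
        catalogue.append(BackupSet(f"day{day}-{scheme}", scheme, size))
    return catalogue

def restore_chain(catalogue, target):
    """Backup sets needed to restore to catalogue[target], oldest first."""
    chain, i = [], target
    while i >= 0:
        current = catalogue[i]
        chain.append(current)
        if current.kind == "full":
            return chain[::-1]
        i -= 1
        if current.kind == "differential":
            # A differential depends only on the last full backup.
            while i >= 0 and catalogue[i].kind != "full":
                i -= 1
        # An incremental depends on the set immediately before it.
    raise ValueError("no full backup precedes the target set")

def stored_gb(catalogue):
    """Total storage consumed by every set in the cycle."""
    return sum(s.size_gb for s in catalogue)

CHANGES_GB = [5, 8, 3, 6, 4, 7]  # constructed sample: GB changed per day
INCREMENTAL = build_cycle("incremental", 500, CHANGES_GB)
DIFFERENTIAL = build_cycle("differential", 500, CHANGES_GB)

if __name__ == "__main__":
    for name, cat in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL)):
        chain = restore_chain(cat, len(cat) - 1)
        print(name, [s.label for s in chain], stored_gb(cat), "GB stored")
```

Restoring to the last day needs every set in the incremental cycle but only two sets in the differential cycle, at the cost of more storage. Losing any one incremental set breaks every later restore point in that cycle.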
The frequency of backups will be determined by several factors, including:
Volatility of information on the site will determine the frequency that a backup is taken:
Static content (less frequent backups)
Dynamic content (more frequent backups)
E-commerce (very frequent backups)
Type of data to be backed up (e.g., system, application, log, or user data)
Amount of data to be backed up
Backup device and media available
Time available for dumping backup data
Criticality of data
Threat level faced by the server
Effort required for data reconstruction without data backup
Other data backup or redundancy features of the server (e.g., Redundant Array of Inexpensive Disks [RAID]).
For servers with highly dynamic data, standard backups may be insufficient to ensure the availability of the server data. Some servers offer replication services that allow data changes from one server to be duplicated on another server, either for individual changes or small batches of changes. Replication does place additional load on servers and networks, and the costs of replication need to be weighed against the costs of lost availability should a server failure occur. Replication is not intended to take the place of standard backups, only to provide a capability to duplicate recent changes to data.
Off-line backup copies of essential business information and software must be taken regularly and they must be sufficient to enable essential business information and software to be recovered efficiently following a disaster or media failure affecting the primary data or systems.
Backup Schedules must be specifically designed and documented for each system in order to meet legitimate business, legal or regulatory requirements for retention and restoration of data as defined by the IAOs on the basis of risk assessment. Suitable types of backups must be taken (i.e. full ‘image copy’ weekly backups plus either incremental or differential daily backups) and sufficient generations or cycles of backups must be retained to satisfy the minimum backup retention periods. It should be remembered that backups are unlikely to satisfy the requirements for long-term archiving of data.
Backup equipment and processes must be suitably tested prior to any backup procedure occurring, and where possible the processes should be automated.
Backup equipment, media and processes must be regularly tested in production to ensure that they can be relied upon for emergency use when necessary. Testing must include periodic ‘trial’ restores of data from backups to test systems, avoiding any possibility of overwriting live data in case the backups prove inadequate. Testing must also confirm that backups can be retrieved and restored within agreed service levels for IT data/service recovery.
Off-site backups, together with accurate and complete records of the backup copies and documented restoration procedures, must be stored in a remote location chosen to minimize the chances of them being affected by a physical disaster affecting the main location (i.e. a major fire, earthquake, flood, chemical spill etc.). This requirement is distinct from, and in addition to, any local/on-site copies kept in fire safes for rapid restoration of systems or data following less dramatic incidents.
The portability and amount of data stored in backups make them inherently more vulnerable to theft, loss or damage than the primary storage media. Backups must therefore be physically and logically protected to at least the same degree as the original data.
Backup and archive data must be protected according to its level of classification.
Physical security measures must provide equivalent physical protection at the main site and backup sites against unauthorized access, theft, fire or other physical damage.
Backups and archives should be encrypted by default where technically feasible. Where the original data has been classified CONFIDENTIAL and encrypted, the corresponding backups must be similarly encrypted.
The {company_name} Team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to the policy must be approved by the CEO in advance.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.