Back to T3.5.1 - P1 - INFORMATION BACKUP
Adequate backup systems should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
The following items for information backup should be considered:
A. The necessary level of backup information should be defined;
B. Accurate and complete records of the backup copies and documented restoration procedures should be produced;
C. The extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the entity, the security requirements of the information involved, and the criticality of the information to the continued operation of the entity;
D. Backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
E. Backup information should be given an appropriate level of physical and environmental protection consistent with these Standards applied at the main site; the controls applied to media at the main site should be extended to cover the backup site;
F. Backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary;
G. Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery;
H. In situations where confidentiality is of importance, backups should be protected by means of encryption.
Backup arrangements for individual systems should be regularly tested to ensure that they meet the requirements of business continuity plans (refer to T9.2.2). For critical systems, the backup arrangements should cover all systems information, applications, and data necessary to recover the complete system in the event of a disaster.
The retention period for essential business information, and also any requirement for archive copies to be permanently retained, should be determined.
Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.