Backup Policy
Version 1.0.1
Purpose
The purpose of this policy is to maintain the data integrity and availability of the University's IT Resources, to prevent loss of data due to deletion, modification, corruption, or systems failure, and to facilitate the timely restoration of the IT Resources and business processes[1].
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Backup activities must provide secure storage for IT Resources critical to the workflow of official University business.
- Backup media must be secured.
- Backups must be performed to prevent loss of data due to deletion, modification, corruption, systems failure, or disaster.
- Backups must be retrievable as defined in the Recovery Time Objective (RTO) of the Information.
- Backups must be taken in a manner to support the Information Recovery Point Objective (RPO).
- Inventory of backup media must be maintained.
- Backup retention should be in accordance with the University’s Records Retention and Disposal Policy.
[1] Policy scenario example: Backups of Information (data) support our business transactions (e.g., course registration, bursar payment transactions). Backups need to be done on a regular (i.e., daily, weekly) basis and stored securely. If our business systems are compromised (hacked), damaged (e.g., fire, flood), or incapacitated in any way, backups can be restored.
Definitions
Backup is saving or copying Information onto digital storage media.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
Implementation Information
Review Frequency: | Annual |
---|---|
Responsible Person: | Director, IT Risk and Data Integrity |
Approved By: | CISO |
Approval Date: | May 16, 2017 |
Revision History
Version: | Date: | Description: |
---|---|---|
1.0 | 05/16/2017 | Initial document |
1.0.1 | 05/22/2018 | Updated scope, disclaimer, and definitions |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.