Backup Policy

Version 1.0.1

Purpose

The purpose of this policy is to maintain data integrity and availability of the University's IT Resources, to prevent loss of data due to deletion, modification, corruption, or systems failure, and to facilitate the timely restoration of the IT Resources and business processes[1].

Scope 

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Backup activities must provide secure storage for IT Resources critical to the workflow of official University business.
  • Backup media must be secured.
  • Backups must be performed to prevent loss of data due to deletion, modification, corruption, systems failure, or disaster.
  • Backups must be retrievable as defined in the Recovery Time Objective (RTO) of the Information.
  • Backups must be taken in a manner to support the Information Recovery Point Objective (RPO).
  • Inventory of backup media must be maintained.
  • Backup retention should be in accordance with the University’s Records Retention and Disposal Policy.

[1] Policy scenario example: Backups of Information (data) support our business transactions (e.g., course registration, bursar payment transactions). Backups need to be done on a regular (i.e., daily, weekly) basis and stored securely. If our business systems are compromised (hacked), damaged (e.g., fire, flood), or incapacitated in any way, backups can be restored.

Definitions

Backup is saving or copying Information onto digital storage media.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: May 16, 2017

Revision History

Version: Date: Description:
1.0 05/16/2017 Initial document
1.0.1 05/22/2018 Updated scope, disclaimer, and definitions

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.