Skip to main content

Backup Policy

Version 1.1

Purpose

The purpose of this policy is to maintain data integrity and availability of the University's IT Resources to prevent loss of data and to facilitate the restoration of the IT Resources and business processes.

Scope 

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Backups must be performed in a manner to support the information Recovery Point Objective (RPO).
  • An inventory of backups must be maintained.
  • A backup restore must be performed periodically to validate the defined RPO and RTO.
  • Backup retention should be per the University’s Records Retention and Disposal Policy.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Backup is saving or copying information onto digital storage media.

Restore is performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.

Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.

Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

Related Policies and Procedures

Records Retention and Disposal Policy

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: May 16, 2017

Revision History

Version: Date: Description:
1.0 05/16/2017 Initial document
1.0.1 05/22/2018 Updated scope, disclaimer, and definitions
1.1 08/17/2020 Updated policy statement, added definitions

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.