Backup Policy
Version 1.1
Purpose
The purpose of this policy is to maintain data integrity and availability of the University's IT Resources to prevent loss of data and to facilitate the restoration of the IT Resources and business processes.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Backups must be performed in a manner to support the information Recovery Point Objective (RPO).
- An inventory of backups must be maintained.
- A backup restore must be performed periodically to validate the defined RPO and RTO.
- Backup retention should be per the University’s Records Retention and Disposal Policy.
Definitions
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Backup is saving or copying information onto digital storage media.
Restore is performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.
Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.
Related Policies and Procedures
Records Retention and Disposal Policy
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Director, IT Risk and Data Integrity |
| Approved By: | CISO |
| Approval Date: | May 16, 2017 |
Revision History
| Version: | Date: | Description: |
| 1.0 | 05/16/2017 | Initial document |
| 1.0.1 | 05/22/2018 | Updated scope, disclaimer, and definitions |
| 1.1 | 08/17/2020 | Updated policy statement, added definitions |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.