Backup Policy
Version 1.2
Purpose
The purpose of this policy is to maintain data integrity and availability of the University's IT Resources to prevent loss of data and to facilitate the restoration of the IT Resources and business processes.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Backups must be performed to support the information Recovery Point Objective (RPO).
- An inventory of backups must be maintained.
- A backup restore must be performed annually to validate the defined RPO and RTO.
- Backup retention should be per the University’s Records Retention and Disposal Policy.
Definitions
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Backup is saving or copying information onto digital storage media.
Restore is performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. The age of the files or data in backup storage is required to resume normal operations if a computer system or network failure occurs.
Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. In addition, the RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.
Related Policies and Procedures
Records Retention and Disposal Policy
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director, IT Security Operations and Assurance |
| Approved By: | CISO and CIO |
| Approval Date: | May 16, 2017 |
Revision History
| Version: | Date: | Description: |
| 1.0 | 05/16/2017 | Initial document |
| 1.0.1 | 05/22/2018 | Updated scope, disclaimer, and definitions |
| 1.1 | 08/17/2020 | Updated policy statement, added definitions |
| 1.2 | 04/27/2022 | Updated policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.