Backup Policy

Version 2.0

For Students, Faculty, Staff, Guests, Alumni


The purpose of this policy is to maintain data integrity and availability of the University's IT Resources, to prevent data loss within the limits of record retention requirements, and to facilitate the restoration of the IT Resources and business processes.


This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • System Owners must perform system state backups1 to support the Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
  • System state backups must be retained for no less than 90 days and no more than one year unless otherwise stated in the Records Retention and Disposal Policy
  • Annually, System Owner(s) must test restore system state backups.
    • No less than 1% of IT Resources must be validated by the defined RPO and RTO.
    • Audited IT Resources are selected randomly.
  • Application Owner(s) or Business Analyst(s) with specific knowledge of the IT Resource should request all other types of backups (i.e., pertaining to business requirements) per the Backup Requests Procedure.
  • Application Owner(s) or Business Analyst(s) must ensure backups meet the Records Retention and Disposal Policy, business, and research requirements.
  • Backup inventories must be maintained by the System Owner(s).

1 System state backups save or copy information onto digital storage media to restore the server or system to a functioning state.


Application Owner is the individual or group responsible for ensuring all the services that comprise an application accomplish the specified objective or set of user requirements. If a third party provides these services, the Application Owner is responsible for maintaining the relationships with the third party providing the service.

Backup is saving or copying information onto digital storage media.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.

Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

Restore/restoration is performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.

System Owner is the individual or group responsible for the procurement, development, integration, modification, operation, maintenance, and retirement of the server, operating system, or other elements that support an Application Owner providing services. The System Owner provides the technical infrastructure for system state and data retention backups. If a third party provides these services, the System Owner is responsible for maintaining the relationship with the third party providing the service.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO and CIO
Approval Date: May 16, 2017

Revision History

Version Date Description
1.0 05/16/2017 Initial document
1.0.1 05/22/2018 Updated scope, disclaimer, and definitions
1.1 08/17/2020 Updated policy statement, added definitions
1.2 04/27/2022 Updated policy statement
2.0 08/30/2023 Updated purpose, scope, policy statement, and policy disclaimer

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.

 Need Help?

Walk-In Centers

McShane Center 266 | RH
Leon Lowenstein SL18 | LC

View Our Walk-In Hours