Backup Policy

Version 1.2

For Students, Faculty, Staff, Guests, Alumni


The purpose of this policy is to maintain data integrity and availability of the University's IT Resources to prevent loss of data and to facilitate the restoration of the IT Resources and business processes.


This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Backups must be performed to support the information Recovery Point Objective (RPO).
  • An inventory of backups must be maintained.
  • A backup restore must be performed annually to validate the defined RPO and RTO.
  • Backup retention should be per the University's Records Retention and Disposal Policy.


IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Backup is saving or copying information onto digital storage media.

Restore is performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.

Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.

Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

Related Policies and Procedures

Records Retention and Disposal Policy

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO and CIO
Approval Date: May 16, 2017

Revision History

Version: Date: Description:
1.0 05/16/2017 Initial document
1.0.1 05/22/2018 Updated scope, disclaimer, and definitions
1.1 08/17/2020 Updated policy statement, added definitions
1.2 04/27/2022 Updated policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.

 Need Help?

Walk-In Centers

McShane Center 229 | RH
Leon Lowenstein SL18 | LC

View Our Walk-In Hours