Backup and Recovery Security Standards
Intro
This document establishes the controls required to ensure availability, confidentiality and integrity of electronic information and software. The scope of this standard includes all IT systems and applications including those provided by third party vendors.
Information Backup
Objective: To maintain the confidentiality, integrity and availability of information backups
Overview:
Information backups must be made to provide for recovery of the information and to ensure the availability of information required to resume normal operations in the event that data is lost, e.g., through natural disaster. Storage of these backups must comply with strict security controls to ensure the integrity and confidentiality of the stored data.
Standards:
a) Business continuity plans
b) Legal, regulatory, statutory and contractual obligations
c) Manufacturers’ recommendations for reliable storage, such as maximum ‘shelf-life’.
Procedures must exist to ensure that backup of information and software is successfully completed. There should be procedures to address incomplete or unsuccessful backup operations.
Backup media should be verified immediately after the process to ensure that the backup was properly done.
Backup frequency and retention must be specified by the owner and implemented appropriately by the backup administrators or operations group.
Backup copies of essential information and software must be taken regularly.
Encrypted data stored on the servers shall be kept encrypted in the backup media.
Backups should be scheduled and performed in a manner that does not affect the overall performance of network and business applications.
Requirements for Encryption Keys
Objective:
To ensure that encryption keys are backed up.
Overview:
Encryption keys should be backed up and securely kept so that they can be retrieved if the original keys in use are lost, destroyed or tampered with.
Standards:
a) Removable media and stored securely
b) Under dual control
c) Access and usage will be recorded
Media Handling and Storage
Objective:
To protect information media from unauthorized disclosure, modification, removal or destruction
Overview:
Backup media contains a snapshot and exact replica of the information stored on servers and systems. Such information can be highly sensitive to operations, so backup media must be handled and stored in a way that ensures the security of the media.
Standards:
a) Use of locked security containers
b) Use of reliable transport/courier
c) Use of tamper-evident packaging
Procedures for media disposal must be established and followed. Media containing sensitive information must be disposed of securely and safely.
Backup media must meet the standards of archival, offsite storage and protection as set forth by the applicable business continuity plan.
Information Recovery
Objective:
To ensure that information can be recovered when needed
Overview:
Proper procedures for information recovery are important to ensure that, in the event of an emergency, essential information and software can be restored within critical timescales.
Standards:
Disaster Recovery
Objective:
To enable the recovery of IT services in the event of an IT disaster.
Overview:
Disaster recovery plans and processes should be implemented to minimize the impact of an IT disaster on the business.
Standards: