Information Backup and Recovery Standard

Purpose

To establish a standard to prevent the loss of all operational and historic Corporate Group information held in electronic data by ensuring timely backup and information restoration capability.

Scope

This Standard applies to all Information Asset and System Owners.

This Standard applies throughout the Corporate Group as part of the Information Security Management System framework.

General

All Mission Critical Information Assets and Systems must have a Backup and Recovery Plan with the backup and recovery procedures in place to ensure information restoration capability in case of a disaster.

Other Information Assets and Systems may have a Backup and Recovery Plan. The Information Asset or System Owner is responsible for deciding whether a Backup and Recovery Plan is needed.

Recovery from backup of each Mission Critical Information Asset or System must be tested regularly, at a minimum annually, to ensure that the information held in the electronic data can be restored in case of a catastrophic event.

Protection mechanisms and access controls for backup media must be commensurate with the security requirements and criticality of the information stored in the backup.

Backup media must be stored and transported in an appropriate, safe and secure manner and access to backup media must be restricted to authorized personnel only.

An audit trail of all backup activities must be maintained.

Backup Planning

The Information Asset or System Owner is responsible for preparing and updating the Backup and Recovery Plan.

An appropriate Backup and Recovery Plan must be based on:

  • Importance of the data and information to the function of the Corporate Group

  • Acceptable information loss (business areas must determine what level of potential information loss would not be acceptable or would be too difficult to recover). This can be determined in terms of a timeframe, or the amount of effort and period of time required to re-enter data

  • The maximum acceptable outage of the system while performing backups

  • The maximum acceptable outage of the system while recovering data.

The Backup and Recovery Plan must be located in the Information Systems & Assets Register.

Every Backup and Recovery Plan must contain:

  • A description of the system to be backed up

  • Employee responsible for ensuring that the backup and recovery occurs

  • Backup and recovery requirements

  • Backup media storage locations, including off-site storage

  • Required backup frequency: hourly incremental, daily full, or weekly full

  • Backup cycles required

  • Backup retention period

  • Testing process

  • Recovery schedule and plan

  • Locations of relevant software and licenses

  • Off-site storage

Backup Media Disposal

Obsolete backup media must be disposed of in a safe and secure manner, in accordance with the Information Asset Management Standard.

Backup media to be disposed of must be rendered unreadable through appropriate means and an audit trail of disposal of backup media must be maintained according to the Information Asset Management Standard.

Standard Review and Update

This Standard must be maintained in accordance with the Information Security Policy.

Revision History

Version
Author
Approved By
Revision date
Approval date

0.1

GK

2023-05-20

2023-05-23

0.2

DM

2023-11-02

2023-11-02

0.3

GK

DM

2024-09-10

2024-09-10
