CP-9: System Backup
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/10/2024
- Tarleton State University (Tarleton) conducts backups of system-level information and critical user-level information for High Impact information resources contained in the information system and protects backup information at the alternate storage and processing sites, as follows:
- Data stored or processed on information resources shall be backed up periodically on a scheduled basis.
- Backups for data stored on information resources shall be stored off-site in a secure, environmentally safe facility accessible only to authorized Tarleton representatives.
- Backups for data stored on information resources shall contain at least one immutable copy which may not be deleted unless the retention period has expired.
- The frequency and extent of backups shall be determined by the potential impact of data loss or corruption and by risk management decisions made by the information resource owner.
- Physical access controls implemented at off-site backup storage locations shall meet or exceed the physical access controls of the original site. In addition, backup information resources must be protected in accordance with the most restrictive classification of data that is being transmitted or stored. (For example, if data classified as confidential is combined with data classified at a lower level, then the protection for all the backed-up files must be at the confidential level.)
- Where the original data source is required to be encrypted, the backup shall also be similarly encrypted.
- Processes must be in place to maintain the confidentiality, integrity, and availability of information resource backups.
- The backup process should ensure that the entire volume(s) or system of data stored from the originating information resource(s) is recoverable (i.e., ensure that an entire volume or system can be restored and not just one file). Backup and recovery procedures shall be tested at least annually to ensure that they are viable.
- All electronically backed up information resources shall be sufficiently identified and inventoried to enable staff to retrieve and protect data as needed.