Preview only show first 10 pages with watermark. For full document please download

It Security Standard – Data Backup

Rating
Date

September 2018
Size

105KB
Views

9,747
Categories

Computers & electronics Software Computer utilities Backup recovery software

Transcript

ITSS_01 IT Security Standard – Data Backup Version Approved by Approval date Effective date Next review date 1.0 Vice-President, Finance and Operations 7 June 2016 7 June 2016 7 June 2017 Standard Statement The backup of important information is often the last line of defence in the event of either accidental or malicious loss or modification of UNSW information, applications and infrastructure configurations. The purpose of this standard is to set out the baseline requirements for the backup of UNSW information systems and data. Purpose UNSW information must be backed up on a regular basis, protected from unauthorised access or modification during storage, and available for recovery in a timely manner. As backup media may contain sensitive information in high-volumes, (i.e., UNSW financial transactions, Personal Identifiable Information etc.) the backup media must be protected, during the entire information lifecycle. This standard applies to all UNSW Information Communication Technology systems and end-user computing devices, including non-production systems that contain information that would impact UNSW in the event data was lost. This standard does not cover data availability using replication techniques, such as database synchronisation between production and disaster recovery facilities or data deduplication. Scope Are Local Documents on this subject permitted? ☐ Yes ☐ Yes, subject to any areas specifically restricted within this Document ☐ No Standard 1. 2. 3. 4. Controls ..................................................................................................................................... 1 1.1 Backup schedule considerations .................................................................................. 1 1.2 Verification of backup processes and investigating failures .........................................2 1.3 Validation of backup media and recovery processes ...................................................2 1.4 Protection of backups and backup media ..................................................................... 2 1.5 Retention and disposal of backups and backup media ................................................2 1.6 Backup media locations and off-site transportation of backup media ..........................2 Control Exceptions .................................................................................................................... 2 ISMS Mapping with Industry Standards ................................................................................... 3 Document Review, Approval & History ..................................................................................... 3 4.1 Quality Assurance ......................................................................................................... 3 4.2 Sign Off ......................................................................................................................... 3 1. Controls 1.1 Backup schedule considerations 1.1.1 What Backups must be scheduled according to the availability requirements of the information that is being backed up. A backup schedule must be documented and maintained for all UNSW systems. Table 1 documents the minimum backup schedules for the identified UNSW data types. Backup Schedule How Often How Infrastructure configuration (network, server, appliance) According to Solution Design Documentation According to Solution Design Documentation Software (O/S, applications, utilities) or or Full Incremental Differential Magnetic tape Hard disk Optical storage Solid state storage Data (files, databases) Note: Data Classification Standard and Data Handling Guidelines should be consulted to ensure appropriate treatment of sensitive data. Data Backup Standard – ITSS_01 Page 1 of 3 1.1.2 1.2 1.3 1.4 1.5 1.6 The backup requirements for information systems and data must be documented and communicated to implementation and support teams for inclusion within operational procedures before systems entering production. Verification of backup processes and investigating failures 1.2.1 A sample of jobs must be verified as part of the process to maintain the integrity of the information being backed up, in a manner commensurate with the reliability of the backup media. 1.2.2 Backup failure reports must be produced, reviewed and acted upon within a reasonable timeframe to ensure successful completion. Validation of backup media and recovery processes There is a risk that tape and optical media may degrade over time, corrupting or destroying any information that has been backed-up onto this media. 1.3.1 To protect against data corruption, optical and tape media should not exceed the manufacturer’s usage recommendations. 1.3.2 The validation and recovery process must be documented in an auditable manner and tested on a regular basis to be determined by the IT Recovery Plan. Protection of backups and backup media 1.4.1 Backup media must be treated as being of an equivalent classification level as the source information system. For example, sensitive data such as regulated Personal Identifiable Information must be appropriately encrypted (e.g., at the database or file level) when stored on backup media. 1.4.2 Access to backup media must be restricted to authorised personnel only. Retention and disposal of backups and backup media 1.5.1 Backup media must be retained in line with the IT recovery, data retention and record management requirements where applicable. 1.5.2 Backup media must be disposed of in line with appropriate disposal requirements described in the Data Classification Standard and Data Handling Guidelines, for example by overwriting media or physical destruction using a verified, auditable process. Backup media locations and off-site transportation of backup media 1.6.1 Backup media containing sensitive information must only be transported offsite with appropriate physical protection, in a secure container, within a secure vehicle, following an auditable and verifiable process. 1.6.2 The frequency of sending backup media off-site must be documented and justified in the backup schedule. Consideration of the frequency should take into account the importance and recovery requirements of the data. 1.6.3 Backup media must be stored in a safe and secure physical location to ensure that media is protected from unauthorised access, modification or destruction. This includes: a) Off-site in relation to UNSW and stored at a location with strict physical security in place. b) In a temperature controlled environment employing fire prevention suppression mechanisms. c) In designated fire-safes within the UNSW campus, for local storage of backup media. 2. Control Exceptions All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder. Please refer to the ISMS Base Document for more detail. Data Backup Standard – ITSS_01 Version 1.0 Effective 7 June 2016 Page 2 of 3 3. ISMS Mapping with Industry Standards The table below maps the Data Backup Standard with the security domains of ISO27001:2013 Security Standard and the Principles of Australian Government Information Security Manual. ISO27001:2013 12 Operations security (12.3 backup) 4. Information Security Manual Information Security Documentation Document Review, Approval & History This section details the initial review, approval and ongoing revision history of the standard. Post initial review the standard will be presented to the ISSG recommending the formal UNSW policy consultation and approval process commence. A review of this standard will be managed by the Chief Digital Officer on an annual basis. 4.1 Quality Assurance This document was designed and created by external and internal consultants in consultation with internal key technical subject matter experts, business and academic stakeholders. 4.2 Sign Off Endorsed by: ISSG - Information Security Steering Group ITC - Information Technology Committee CDO – Chief Digital Officer Date th 30 July 2015 th 27 August 2015 th 7 June 2016 Accountabilities Responsible Officer Chief Digital Officer Contact Officer [email protected] Supporting Information Parent Document (Policy) IT Security Policy Supporting Documents Nil Related Documents Data Classification Standard Data Handling Guidelines ISMS Base Document Superseded Documents IT Security Standard – Data Backup, version 1.5 approved by ITC Information Technology Committee on 27 August 2015 UNSW Statute and / or Regulation Nil Relevant State / Federal Legislation Nil File Number 2016/16925 [IT file number ITSS_01] Definitions and Acronyms No terms have been defined Revision History Version Approved by Approval date Effective date Sections modified 1.0 Vice-President, Finance and Operations 7 June 2016 7 June 2016 This is a new document Data Backup Standard – ITSS_01 Version 1.0 Effective 7 June 2016 Page 3 of 3

It Security Standard – Data Backup

Rating

Date

Size

Views

Categories

Share

Transcript

Forgot your password?.