7 - Data Backup Policy

This policy defines procedures to safeguard data backups and minimize business interruption from data loss. It sets guidelines for prioritizing backups, frequency, retention, storage, encryption, access controls, testing, recovery procedures, monitoring, documentation, training, and compliance requirements. The policy applies to employees, contractors, locations, resources, and transmitted information. Exceptions require approval.

Uploaded by pentesting.443

Data Backup Policy

Template

This template is part of ISACA’s Policy Template Library Toolkit. The policy
template should be modified to ensure it conforms to the control posture and
reflects the risk tolerance of the specific enterprise environment.

FOR INTERNAL USE ONLY 1


POLICY NAME: Data Backup Policy

DESCRIPTION: Ensure company data is backed up, recovered, and restored in the event of an
intentional or unintentional system failure, disruption, or outage.

OWNER: Chief information officer (CIO)

EFFECTIVE DATE: Immediately

REVIEW FREQUENCY: At least annually

INTRODUCTION

Purpose for Policy

The purpose of this policy is to define procedures to safeguard one or multiple copies of data (which can
be used for recovery in the event of an attack) and to minimize the impact of business interruption. It
also sets out principles for ensuring that Company LLC’s data backups reduce the risk of data loss and
that appropriate disciplinary actions are taken against those who violate this policy.

Scope of Policy
This policy applies to:
a) All employees, contractors, consultants, temporary staff, interns, visitors, and other workers at
Company LLC, including all personnel affiliated with third parties
b) All Company LLC locations where IT resources are located or used
c) All Company LLC IT resources
d) Any information not specifically identified as the property of other parties that is transmitted or
stored on Company LLC IT resources (including email, text and chat messages, and files)
e) All devices connected to a Company LLC network or used to access Company LLC IT resources

Exceptions
Any exceptions to this policy require submission and approval of appropriate documentation in
accordance with the established policy exception process “xxxxx.” Exceptions deemed high risk will be
escalated to and reviewed by the “xxxxx Risk Forum” and recorded in the risk register.

GUIDELINES AND REQUIREMENTS

1. Information Inventory
• An inventory must be created and maintained that includes all data that will be backed up (e.g.,
critical business data, database and application data, system and application logs, operating
system and software configurations, etc.).

2. Information Classification
• Backups must be prioritized based on Company LLC’s Information Classification and Protection
Policy.

3. Backup Frequency
• Backups must be performed in accordance with an established schedule, frequency, and
window.
• The interval between backups must not exceed the time it would take to recover the data lost
during that interval.

4. Backup Retention Period
• Backups must be retained in accordance with the backup retention policy, the company’s
internal retention requirements, and any applicable compliance requirements.

5. Backup Methods
• The most effective data backup method must be implemented based on the recovery time
objective (RTO) and recovery point objective (RPO) (e.g., full, incremental, differential, cloud,
hybrid, etc.).

6. Backup Storage Location
• Data backups must be stored at a secured offsite (i.e., outside where normal business is
conducted) location.

7. Encryption
• All backup data, both stored (data at rest) and transferred during the backup process (data in
transit), must be encrypted in accordance with best practices and applicable legal and
regulatory guidance.
• Backup services performed by cloud service providers must use the encryption services
available on their platform.

8. Access Control
• Backup and recovery tools must be kept up to date, and their access must be reviewed
regularly to ensure that only authorized personnel (e.g., system administrators, backup
administrators, and the IT operations team) have access.

9. Testing Procedures
• Data backups must be tested by authorized personnel on a regular schedule, after a significant
change (configuration, system update, etc.), or during disaster recovery exercises.
• Restoration checks must be performed to test the backup at least quarterly.

10. Recovery and Restoration Procedures
• Periodic data backup recovery and restoration testing must be performed by authorized
personnel for systems, databases, etc.
• Only authorized personnel (e.g., system administrators, backup administrators, and the IT
operations team) are responsible for initiating the recovery process.

11. Monitoring and Alerts
• Backup logs and catalog information must be reviewed periodically for any issues, and only by
authorized personnel (e.g., system administrators, backup administrators, and the IT operations
team).
• Effective data backup management must be demonstrated and measured against RTOs, RPOs,
and recovery service level agreements (SLAs).

12. Documentation
• A comprehensive data backup plan must be developed and maintained for data based on
information classification, databases, virtual machines (VMs), networks, software perimeters,
hardware such as servers, and system switches.
• Data backup and recovery SLAs, RTOs, and RPOs must be documented, communicated to all
stakeholders, and monitored for compliance.

13. Training and Awareness
• Backup and recovery personnel must attend annual training on backup operations and incident
recovery processes.
• End-user training and awareness training must promote an understanding of data backups and
how to ensure data is backed up properly (i.e., how to save data in correct locations, how to
properly classify data, how to report issues or concerns).

14. Compliance Requirements
• Backup procedures must comply with Company LLC policy and applicable regulatory guidance
(e.g., GDPR, HIPAA, SOX, etc.).

15. Disaster Recovery Plan Integration
• Disaster recovery procedures must be invoked in the event of data backup failures for the
prompt recovery of critical data.

ROLES AND RESPONSIBILITIES

1. The Company LLC board and IT committee are ultimately accountable for the management of
backup risk associated with computer systems and are supported by the senior leadership team
(SLT) and chief operating officer (COO), who oversee backup strategy, funding, and resourcing.

2. The chief information officer (CIO) has the authority to:
a. Establish backup policies, standards, and guidelines.
b. Assign management responsibilities for system backup.

3. The chief information security officer (CISO) is accountable for:
a. Management of overall Company LLC system backup risk
b. Providing system backup advice and user awareness
c. Designing and implementing the Company LLC system backup strategy and methods
d. Managing system backup incidents

4. Company LLC senior management is accountable for the management of system backups within
their area of responsibility.

5. Information resource owners are responsible for:
a. Assessing, reporting, and escalating system backup risk associated with their IT resources
b. Assessing and managing system backup risk associated with their system backup service
providers
c. Overseeing all access to their IT resources
d. Management assurance over their system backup controls

CONSEQUENCES OF POLICY VIOLATIONS

Breaches of this policy and/or the Code of Conduct shall be considered grounds for disciplinary action up
to and including dismissal.

QUESTIONS/CONTACT INFORMATION

For questions about the Data Backup Policy or any material addressed herein, please email the CIO Policy
group (or Information Security or CISO group) at xxxxxxx@CompanyLLC.com.

DOCUMENT INFORMATION
Document Location: Z:\Policies & Procedures\Policies\IT Policies

VERSION HISTORY
Version   Date       Author   Additional Information
V1.0      xx/xx/xx

DOCUMENT REVIEW
Version   Date       Reviewed By   Additional Information
V1.0                               Approved
