Wednesday, July 11, 2007

Information Security Policy 101 – Backup Policy

On the surface it may seem that data backups are mundane and simple tasks to carry out. Backups are often repetitive and change infrequently. Don’t believe it! Although there are SOME tasks that a backup administrator does that are simple and mundane, anyone who has spent any amount of time with or as a backup administrator knows how complex the job can be. There are a vast number of options and methods available to conduct and manage backups. Of these options and methods, some are more secure than others.

The Backup Policy is meant to address some of the grey area and provide direction to the development of more detailed procedural and standardization documentation.

General Policy Format

All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Backup Policy is to establish the rules for the backup and storage of electronic %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically, a Backup Policy applies to IT administrative personnel and, specifically, those persons responsible for data backups.

The %ORGANIZATION% Backup Policy applies to all individuals within the enterprise who are responsible for the installation and support of %ORGANIZATION% Information Resources, individuals charged with %ORGANIZATION% Information Resource backups, security personnel, and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies include definitions, scope, responsibilities, etc.

Backup Policy

A Backup Policy is written to provide rules and expectations around the treatment and management of data backups. It is a simple policy that rarely exceeds a page in length, but it should be viewed as important in many organizations.

NOTE: A Backup Policy should not state backup settings requirements except in a general sense. The Backup Policy should not be confused with a Disaster Recovery Plan (DRP), which is much more extensive and outside the scope of this article.

- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- The %ORGANIZATION% Information Resource backup and recovery process for each system must be documented and periodically reviewed.

Do not assume that backups are simple tasks with limited options and flexibility. Backups are a critical process for many organizations, so it only makes sense to develop some policy around them.

Next in the series: “Information Security Policy 101 – Data Classification Policy”

Previous: Information Security Policy 101 – "Administrative and Special Access Policy"