Backup policy definition
A backup policy is a crucial component of an organization’s comprehensive backup strategy. Common backup policies identify critical data and systems to be protected, clarify the frequency of both full and incremental backups, delineate backup administrator responsibilities, and provide details for retention, offsite rotation, restoration procedures, storage of backups, and more.
A well-crafted backup and restore policy is essential as it is frequently a business’s last line of defense against data loss from data corruption, hardware failure, or a security breach.
Benefits of a data backup policy
A backup retention policy helps guide user expectations and provides the broader context for the data restoration and backup process. There are several benefits to developing a strong backup and recovery policy document:
Clarity. A backup policy clarifies specific procedures, policies, and responsibilities, including a well-defined schedule for performing backups, ensuring a more stable process. It also identifies any superseding procedures or policies that already exist, such as contingency plans.
Control. A well defined backup policy allows you to control what kind of backups are performed, how often data should be backed up, what software/hardware or cloud service should be used for performing backups, where backups are located, and who can access backups and how to contact them.
Accountability. The backup policy identifies primary and secondary contacts who are responsible for performing backups and provides their contact information. This piece of the data backup and recovery policy also identifies who is responsible for confirming that reliable backups are successfully performed, and sets forth how and when they will do this.
Reliability. Stronger backup policies are more likely to result in complete data restoration. They offer details on how to protect data, how to access backups, and how to train those responsible for performing backups. They also ensure multiple copies exist separate from the original data, and also make use of multiple forms of media with complementary strengths. Finally, the policy demands at least partial automation, further increasing reliability.
Key considerations for backup retention policies
Preserve essential data with a multi-pronged backup policy. Your backup policy should follow the 3-2-1 rule, creating at least three backup copies of all data in addition to the original file using two different backup media, with one copy in a remote location. This helps to ensure a full set of accessible backup data no matter what the circumstances leading to the need to recover data.
Storing at least one copy of backup data at a remote location is essential for disaster recovery, especially in the event of site-wide failures or geographical disasters. To protect against malware, remote backup data should be air-gapped (separated) from the original data set. Historically, third party vendors could store backup tapes offsite for a fee, but remote disk and cloud storage can be used as well.
It is important to periodically check the integrity of your backup files. Do this by restoring several files from the backup to confirm that you can, that the backup itself is uncorrupted, and that the media is still accessible.
Your backups should also contain versioning data—older versions of your data, not just the current version of files that were backed up most recently. This is important in case of accidental file corruption or ransomware that may be hiding in current data backups.
Determine what data is essential to your organization and establish backup strategies tailored to each type of data. At a minimum, backup mission critical data in real time, or at least daily. Backup less critical data at least once a week. Many businesses create exact mirrors of their systems annually, just to avoid the nightmare of having to start over again from scratch in case of a major failure.
Backup policy best practices
Follow these best practices to select an ideal backup solution that ensures your data remains recoverable and safe. The best backup policy solutions:
Include remote storage. Remote backups are a critical element in any backup solution. It is all but pointless to backup organizational data only to store it on the same disk as the original information. Off-server storage is a minimum requirement, with off-site backup storage being a better alternative. Should a central server become compromised during a disaster, off-site backups, whether on a cloud-based server or physical dedicated server, allow for complete data recovery—a key part of disaster recovery.
Take frequent, regular backups. Prevent critical data loss by creating a regular schedule of frequent backups. Obviously, the most critical data may demand a continuous backup solution, while daily backups or weekly backups may be enough for more static data.
Use automated backups. Avoid manual data backup solutions that rely on end users to back up their data. Your end user data backup policy should mandate a fully automatic backup solution. Manual data backup can easily be delayed and is a dull task—something that, in reality, never gets done.
Address retention span. After frequency, how long each backup should be kept is the next important question. Retaining every backup forever is neither desirable nor feasible, so any good data backup and storage policy and solution provides a series of retention schedules. This changing schedule will, for example, schedule more frequent backups at first—for example, hourly and daily backups for a week—and then pivot to less frequent backups less often.
The retention schedule will also keep some backups longer, or even indefinitely. Annual, bi-annual, or even monthly backups might be retained to provide ready benchmarks. Another reason to retain these scheduled backups is to ensure your organization remains compliant with data retention standards and requirements in your vertical. For example, healthcare organizations will need to craft backup policies that are HIPAA compliant. Businesses that are active in the EU may need a GDPR backup policy.
Encrypt backups. Even when backups are off-site, your data backup policy should always require encryption of backup files.
Use cloud storage for backup storage. Storing your backups in the cloud adds redundancy to your infrastructure and improves cost and scalability. In fact, leveraging the cloud for disaster recovery is one of the best ways to lower your risk of data loss after a disaster.
Find a comprehensive backup solution. Find a backup solution that fits the full needs of your business, including onsite as well as SaaS applications that host your data.
Data backup policy example
A typical data backup policy example might look something like this.
In this first section, the server backup policy will state how the procedures in the plan will help the organization ensure continuity of its operations, ensure reliable, timely backup of its IT assets, and meet its enterprise business objectives. This section of a backup and recovery policy template might also state other high-level business objectives and cite involved team members.
Next, the backup and restore policy will describe its purpose—the “why” behind the backup policy. Typically this sets out the way the organization will recover should there be a software failure, hardware failure, or both, and describes how the team will protect against data loss in case of disaster, human error, or other problem.
The scope of the backup policy will typically set forth the who, what, when, and how of the backup and restore process, to follow up with the “why” stated in the purpose section. A backup policy generally applies to all employees, contractors, and third party employees, and anyone who might be contractually bound to or have access to IT assets of the organization.
A backup policy will also describe the “what,” describing its scope as covering all IT assets and the entire organization’s IT infrastructure as well as data contained in SaaS applications. The scope statement will also describe documentation and how documentation will be controlled. For example, scope may touch upon the existence of a data retention policy for records.
A backup policy will spell out the “how” backups are to be taken, including the types of backups that will be taken and how long those backups will be stored. The policy will also explain the “when,” or how often and what time of day backups are to be taken.
Finally, a scope statement in a backup policy will cover maintenance and distribution of the documentation itself. This way, everyone who needs the backup policy in the organization should have access to it.
In the substantive data backup policy and procedure section, your backup management policy should identify mission critical data, and which user-level data and system-level data will be maintained. More details about backup frequency in accordance with the acceptable risk and importance of the data should all be here.
Other elements of a data backup and restore policy might include backup retention details, restoration procedures and documentation, restoration testing procedures, guidelines for how to proceed when backup media has expired, and a list of other applicable policies.
An IT data backup policy must also designate responsible personnel for proper policy implementation. Along these lines, it should set forth terms of enforcement, including disciplinary actions that will be taken against employees who violate the backup policy in line with existing HR policies, industry standards, and controlling law.
Finally, the backup and recovery policy and procedure should include all relevant definitions to ensure clarity and the ability to execute. It should also include revision history, and any changes to the document must be controlled. This ensures recoverability in the event of a catastrophe.
Remember, while you might begin with a backup and restore policy template, it is important to craft any backup policy to meet your organization’s specific needs.
CFS ISMS MANAGER