This document establishes the controls required to ensure availability, confidentiality and integrity of electronic information and software. The scope of this standard includes all IT systems and applications including those provided by third party vendors.
Objective: To maintain the confidentiality, integrity and availability of information backups
Information backup must be made to provide for recovery of the information. To ensure the availability of information required to resume normal operations in the event where data is lost, e.g., through natural disaster. Storage of these backups must comply to strict security controls to ensure the integrity and confidentiality of the stored data.
- Backup processes must be established and approved by business owners as well as comply with the backup and archival policy. The backup processes should take into consideration:
a) Business continuity plans
b) Legal, regulatory, statutory and contractual obligations
c) Manufacturers’ recommendations for reliable storage, such as maximum ‘shelf-life’.
Procedures must exist to ensure that backup of information and software is successfully completed. There should be procedures to address incomplete or unsuccessful backup operations.
Backup media should be verified immediately after the process to ensure that the backup was properly done.
Backup frequency and retention must be specified by the owner and implemented appropriately by the backup administrators or operations group.
Backup copies of essential information and software must be taken regularly.
Encrypted data stored on the servers shall be kept encrypted in the backup media.
Backups should be scheduled and performed in a manner that does not affect the overall performance of network and business applications.
Requirements for Encryption Keys
To ensure that encryption keys are backed up.
Encryption keys should be backed up and securely kept so that they can be retrieved if the original keys in use are lost, destroyed or tampered with.
- All encryption keys and certificates shall be omitted from the backup media.
- Backup keys should be labeled for retrieval where necessary.
- All encryption keys must be backed up in a separate location from the primary keys. Where software key is deployed, the key must be backup on removable disk and stored in a secured location. This disk must only be accessible by the owner or custodian.
- Use of backup keys must be authorized by the owner.
- For symmetric keys, the keys will be backed up on
a) Removable media and stored securely
b) Under dual control
c) Access and usage will be recorded
Media Handling and Storage
To protect information media from unauthorized disclosure, modification, removal or destruction
Backup media contains a snapshot and exact replica of the information stored on servers and systems. Such information can be highly sensitive to operations and handling and storage of backup media to ensure security to the media.
- A list of backup media must be maintained and kept up-to-date.
- An independent inventory check must be carried out at least annually.
- Where applicable, a physical expiry date should be defined for the backup media based on manufacturer’s recommendations, usage and environmental conditions, to ensure that a permanent backup is not done on an old backup media that is nearing its expiry.
- Integrity of backup must be tested periodically.
- External labels must be used on all media for identification purposes except when an automated media (e.g., tape) management system is used. Information such as file identification, creation date, last back-up date, and security classification should be denoted on the label.
- Internal labels should be used to include at least the file identification, creation date, purge date, security level and record count.
- Procedures should be established to require the secure erasing of the content of reusable storage media when no longer required.
- At the end of all outsourced projects (Contractual Agreement), all information stored on all types of backup media (hard-disks, tapes, floppy, etc.) shall be returned, or otherwise deleted and purged from the systems. Archival of information must be considered for business or legal requirements.
- Physical access to backup media must be restricted to authorized personnel.
- Backup media stored temporarily on site must be stored in a fireproof safe.
- Backup media must be physically secured and should be stored in an offsite location.
- All backup media must be sent to the off-site location in a timely manner. The offsite location must be far enough not to be susceptible to the same threats as the primary site.
- A media management system shall be in place to account for all onsite and offsite backup media such as tapes, removable disks, cassettes, etc.
- Procedures to manage and authorize media movements must be established. A record of all incoming/outgoing media or files that are transferred/ returned, and the personnel who are authorized to do so must be maintained and authorized.
- Security controls must be adopted to protect media in transit. Controls include:
a) Use of locked security containers
b) Use of reliable transport/courier
c) Use of tamper-evident packaging
Procedures for the media disposal must be established and followed. Media containing sensitive information must be disposed securely and safely.
Backup media must meet the standards of archival, offsite storage and protection as set forth by the applicable business continuity plan.
To ensure that information can be recovered when needed
Proper procedures for Information recovery is important to ensure that, in the event of an emergency, essential information and software required can be restored within critical timescales.
- An Information Restoration procedure must be established to define the [Baseline | CIA] controls over the restoration of programs and information from backup media.
- Random tests of back-up tapes, etc., should be conducted regularly to [Baseline | CIA] ensure that they are functional and working properly as most magnetic media have limited life span.
To enable the recovery of IT services in the event of an IT disaster.
Disaster recovery plans and process should be implemented to minimize the impact of an IT disaster to the business.
- Information and software must be appropriately backed up and stored remotely to facilitate recovery in the event of a system malfunction or disaster. Appropriate hardware must be put in place and maintained for availability, compatibility and readiness.
- Hot-site facilities or high availability systems should be in place.
- Where the Business Unit requires high system availability for the project/service, these should be specified as part of the detailed requirements.
- Where specified as business requirements, such backup and recovery procedures and equipment must be tested regularly.