DATA-12

Are you performing off-site backups (i.e., digitally moved off site)?

Explanation

This question is asking whether your organization creates backup copies of data and stores them at a different physical location from your primary systems. 'Off-site backups' means that backup data is transferred (usually digitally) to a separate geographic location from the one where your primary systems operate.

This is asked in a security assessment because off-site backups are a critical component of disaster recovery and business continuity planning. If a catastrophic event (fire, flood, physical attack, etc.) affects your primary location, backups stored elsewhere let you recover your data and resume operations. Off-site backups also protect against ransomware that encrypts or deletes both primary systems and local backups, but only if the off-site copy cannot be reached or altered with the credentials an attacker would obtain on the primary network (separate accounts, and ideally versioned or write-once storage).

When answering this question, you should be clear about:

1. Whether you perform off-site backups at all
2. How the data is transferred to the off-site location (encrypted transmission, physical transport, etc.)
3. Where the off-site backups are stored (cloud provider, secondary data center, etc.)
4. How frequently backups are performed and transferred off-site
5. What security controls protect the backups during transfer and storage

Even if you don't have a formal security background, understanding your organization's backup strategy is important for answering this question accurately.

Example Responses

Example Response 1

Yes, we perform off-site backups daily. Our critical production data is backed up incrementally throughout the day and a full backup is performed nightly. These backups are encrypted using AES-256 encryption and transferred via secure TLS connections to our secondary data center located 200 miles from our primary facility. Additionally, we maintain cloud-based backups with AWS S3 in a different geographic region from our primary systems. All backup data is encrypted both in transit and at rest, and access to backup systems requires multi-factor authentication. We test our backup restoration process quarterly to ensure recoverability.

Example Response 2

Yes, we utilize a hybrid approach for off-site backups. Our database and application servers are backed up daily to an encrypted cloud storage service (Microsoft Azure Backup) in a different geographic region from our primary data center. The data is encrypted before transmission using AES-256 encryption and transmitted over secure channels. For our most sensitive customer data, we also maintain weekly backups that are stored on encrypted hard drives and physically transported to a secure facility operated by Iron Mountain, located approximately 50 miles from our primary data center. All backup media is inventoried and tracked, and we perform restoration testing monthly.

Example Response 3

No, we currently do not perform off-site backups. Our backup strategy involves daily backups to a separate storage system within our primary data center. While these backups are on separate hardware from our production systems, they are located in the same physical facility. We recognize this as a gap in our disaster recovery capabilities and are in the process of implementing an off-site backup solution using a cloud storage provider. We expect this implementation to be completed within the next 90 days, at which point we will begin transferring encrypted backups to geographically dispersed data centers operated by our cloud provider.
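Several of the controls the explanation asks you to describe and the example responses mention (encrypting data before it leaves the site, protecting it at rest, and periodically testing restoration) come together in the following added example. It is not part of the original page and is not code from any vendor or product named in the responses. The Go program seals a backup archive with AES-256-GCM before upload, binds the backup's catalog identifier into the authentication tag so a bundle swapped or renamed in the off-site store cannot be restored under the wrong catalog entry, records a SHA-256 digest in the catalog at backup time, and runs the restore test the responses describe: pull the off-site copy back, decrypt it, and confirm it matches the recorded digest. The in-memory map standing in for the off-site bucket, the backup identifiers and the sample archive bytes are constructed for illustration, and the key is generated in-process where a real deployment would obtain it from a KMS or HSM (all assumptions).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key is a 256-bit data-encryption key. Assumption for this example: it is
// generated in-process; in production it would be issued or wrapped by a KMS/HSM
// and never stored next to the backups it protects.
type Key [32]byte

func NewKey() (Key, error) {
	var k Key
	_, err := rand.Read(k[:])
	return k, err
}

// EncryptBackup seals an archive with AES-256-GCM before it leaves the site, so
// the off-site provider only ever holds ciphertext. The backup identifier is
// bound as associated data: a bundle copied or renamed to a different catalog
// entry fails authentication. Output layout: nonce || ciphertext || GCM tag.
func EncryptBackup(key Key, backupID string, archive []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, archive, []byte(backupID)), nil
}

// DecryptBackup opens a bundle produced by EncryptBackup. Any modification of
// the stored ciphertext, or a mismatched backupID, makes gcm.Open return an error.
func DecryptBackup(key Key, backupID string, bundle []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(bundle) < gcm.NonceSize() {
		return nil, errors.New("bundle too short to contain a nonce")
	}
	nonce, ciphertext := bundle[:gcm.NonceSize()], bundle[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(backupID))
}

// Digest is what the backup catalog records for each archive at backup time.
func Digest(archive []byte) string {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:])
}

// VerifyRestore is the restoration test: fetch the off-site bundle, decrypt it,
// and confirm the recovered archive hashes to the digest the catalog recorded.
func VerifyRestore(key Key, backupID string, bundle []byte, wantDigest string) error {
	archive, err := DecryptBackup(key, backupID, bundle)
	if err != nil {
		return fmt.Errorf("restore of %s failed: %w", backupID, err)
	}
	if got := Digest(archive); got != wantDigest {
		return fmt.Errorf("restore of %s: digest %s does not match catalog %s", backupID, got, wantDigest)
	}
	return nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample archive and identifier (assumptions, not real data).
	archive := []byte("constructed sample archive: customers.sql, app-config.yaml")
	id := "nightly-full-2024-01-15"

	bundle, err := EncryptBackup(key, id, archive)
	if err != nil {
		panic(err)
	}
	offsite := map[string][]byte{id: bundle}   // stand-in for the off-site bucket
	catalog := map[string]string{id: Digest(archive)} // stays with the catalog, not the bucket

	fmt.Println("restore test:", VerifyRestore(key, id, offsite[id], catalog[id]))

	tampered := append([]byte{}, bundle...)
	tampered[len(tampered)-1] ^= 0x01 // one flipped bit in the stored copy
	fmt.Println("tampered copy:", VerifyRestore(key, id, tampered, catalog[id]))

	fmt.Println("wrong catalog entry:", VerifyRestore(key, "nightly-full-2024-01-14", bundle, catalog[id]))
}
```

The tampered copy is rejected at the GCM tag check before the digest is ever consulted, which is why an authenticated mode is used rather than a bare CBC stream with a separate checksum. The digest still earns its place: it catches a restore that decrypts cleanly but was taken from the wrong bundle or an earlier version. In a real deployment the restore test should run on a recovery host with its own credentials, not on the production system whose compromise the off-site copy exists to survive.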

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub