DATA-13

Are physical backups taken off-site (i.e., physically moved off site)?

Explanation

This question is asking whether your organization physically transports backup media (such as tapes, hard drives, or other storage devices containing backup data) to a location different from the one where your primary systems operate.

Why this matters for security:

1. Disaster recovery: If your primary data center experiences a catastrophic event (fire, flood, etc.), having backups stored at a different physical location ensures you can still recover your data.
2. Geographic separation: Physical distance between primary systems and backups protects against regional disasters affecting both locations simultaneously.
3. Defense in depth: Off-site backups provide an additional layer of protection against both physical threats and certain types of cyber attacks (such as ransomware that spreads through your network).

This question is asked because organizations with mature security practices typically implement a backup strategy that includes geographic separation of backup media. It is a fundamental disaster recovery control and helps ensure business continuity.

When answering this question:

- Be specific about whether physical backups exist and whether they are transported off-site
- If applicable, mention the frequency of off-site transport (daily, weekly, etc.)
- You might describe the security controls for the transport process and the storage location
- If you do not use physical backups but instead use cloud backups with geographic redundancy, explain this alternative approach

Example Responses

Example Response 1

Yes, our organization takes physical backups off-site on a weekly rotation schedule. We use encrypted backup tapes that are transported via a secure courier service to a commercial data vault facility located approximately 30 miles from our primary data center. The facility maintains 24/7 security, climate control, and fire suppression systems. Access to our backup media at the facility requires dual authentication, and all access events are logged. The chain of custody for backup media is documented during transport and verified upon arrival at the storage facility.

Example Response 2

No, we do not transport physical backups off-site. Instead, we implement a cloud-based backup strategy where all production data is backed up to two geographically separated cloud regions (US-East and US-West) with different availability zones. Our backup data is encrypted both in transit and at rest using AES-256 encryption. The cloud provider maintains physical security of these facilities, and we maintain logical access controls to the backup systems. This approach provides geographic redundancy without the need to physically transport media.

Example Response 3

No, currently all our backup tapes are stored in a secure room within our primary data center. While the backup media is encrypted and the storage room has restricted access controls, we recognize that this represents a single point of failure in our disaster recovery strategy. We are in the process of implementing an off-site backup solution and have contracted with a secure storage vendor. We expect to begin transporting weekly full backups off-site within the next 60 days as part of our security program enhancement initiatives.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub