DATA-22

Are involatile backup copies made according to predefined schedules and securely stored and protected?

Explanation

This question is asking about your backup strategy, specifically focusing on 'involatile' backups - meaning backups that are stored on persistent media that retains data even when power is removed (such as tape, hard drives, or cloud storage) as opposed to volatile memory (such as RAM).

The question has two main components:

1. Whether you make backup copies according to predefined schedules
2. Whether these backups are securely stored and protected

The guidance specifically asks you to address involatile storage (confirming the persistent nature of your backups) and to list retention periods (how long you keep these backups before they are deleted or overwritten).

This question is being asked in a security assessment because proper backup procedures are critical for:

- Business continuity and disaster recovery
- Data protection against ransomware or other destructive attacks
- Compliance with data retention requirements
- Ensuring data availability in case of system failures

To best answer this question, you should:

1. Confirm that you have scheduled, automated backups
2. Specify the type of involatile storage used (tape, disk, cloud, etc.)
3. Describe the security measures protecting these backups (encryption, access controls, physical security)
4. Detail your retention periods and backup schedule (daily, weekly, monthly, etc.)
5. Mention any testing or verification processes for backups

Guidance

Ensure that response addresses involatile storage and lists retention periods.

Example Responses

Example Response 1

Yes. Our organization implements a comprehensive backup strategy using involatile storage. We perform daily incremental backups and weekly full backups to encrypted hard drives that are stored in a secure, access-controlled data center. Monthly backups are additionally copied to encrypted AWS S3 storage with versioning enabled. All backup media are encrypted using AES-256 encryption. Our retention policy maintains daily backups for 30 days, weekly backups for 3 months, and monthly backups for 7 years. Access to backup systems requires multi-factor authentication, and all backup activities are logged and monitored. We test backup restoration quarterly to verify data integrity and recoverability.

Example Response 2

Yes. We utilize a multi-tiered backup approach with predefined schedules. Our primary backups occur nightly to on-premises storage arrays with RAID-6 configuration, while secondary backups are performed weekly to Microsoft Azure Blob Storage with immutable storage enabled. Both storage types are involatile. All backup data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2+. Physical backup media is stored in a fire-resistant safe with limited access. Our retention schedule is as follows: daily backups - 14 days; weekly backups - 8 weeks; monthly backups - 12 months; annual backups - 5 years. We conduct monthly test restorations to validate backup integrity and maintain detailed backup logs that are reviewed weekly by our security team.

Example Response 3

No. While we do perform regular system backups, we do not currently have a formalized schedule or documented retention policy. Our backups are stored on external hard drives kept in the server room, but we do not have specific security controls for these devices beyond standard building access controls. We're in the process of implementing a more robust backup solution with cloud storage and encryption, but this is still in the planning phase. We recognize this as a gap in our security posture and have included it in our security roadmap for implementation within the next quarter, with planned retention periods of 30 days for daily backups and 1 year for monthly backups.
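The schedule and retention policy the example responses describe can be checked mechanically. The following is an added example (not part of the questionnaire or of ResponseHub's tooling): it audits a constructed backup catalog against the retention periods from Example Response 1 and flags missed runs, copies not encrypted at rest, and copies past retention. The tier names, intervals, audit date and catalog format are assumptions.

```python
from datetime import date, timedelta

# Retention and expected cadence per tier, in days (mirrors Example Response 1: daily 30 days, weekly 3 months, monthly 7 years).
POLICY = {
    "daily":   {"interval": 1,  "retain": 30},
    "weekly":  {"interval": 7,  "retain": 90},
    "monthly": {"interval": 31, "retain": 7 * 365},
}
AS_OF = date(2024, 4, 5)  # constructed audit date

# Constructed catalog (sample data, not a real environment): one record per stored copy.
CATALOG = [
    {"id": "d-0228", "tier": "daily",   "taken": date(2024, 2, 28), "encrypted": True},   # older than 30 days
    {"id": "d-0401", "tier": "daily",   "taken": date(2024, 4, 1),  "encrypted": True},
    {"id": "d-0402", "tier": "daily",   "taken": date(2024, 4, 2),  "encrypted": True},
    {"id": "d-0404", "tier": "daily",   "taken": date(2024, 4, 4),  "encrypted": False},  # 04-03 missed; stored in clear
    {"id": "w-0325", "tier": "weekly",  "taken": date(2024, 3, 25), "encrypted": True},
    {"id": "w-0401", "tier": "weekly",  "taken": date(2024, 4, 1),  "encrypted": True},
    {"id": "m-2017", "tier": "monthly", "taken": date(2017, 3, 1),  "encrypted": True},   # beyond 7 years
    {"id": "m-0401", "tier": "monthly", "taken": date(2024, 4, 1),  "encrypted": True},
]

def audit_backups(catalog, policy, today):
    """Return (gaps, unencrypted, expired): schedule gaps as (tier, previous copy, next copy
    or today), ids of copies not encrypted at rest, and ids of copies past retention."""
    gaps, unencrypted, expired = [], [], []
    for tier, rule in policy.items():
        interval = timedelta(days=rule["interval"])
        cutoff = today - timedelta(days=rule["retain"])
        copies = sorted((b for b in catalog if b["tier"] == tier), key=lambda b: b["taken"])
        for b in copies:
            if not b["encrypted"]:
                unencrypted.append(b["id"])
            if b["taken"] < cutoff:
                expired.append(b["id"])  # candidate for secure deletion or overwrite
        # Schedule adherence: copies inside the retention window must be no further
        # apart than the tier's interval, and the newest copy must still be current.
        live = [b for b in copies if b["taken"] >= cutoff]
        for prev, cur in zip(live, live[1:]):
            if cur["taken"] - prev["taken"] > interval:
                gaps.append((tier, prev["taken"], cur["taken"]))
        if not live or today - live[-1]["taken"] > interval:
            gaps.append((tier, live[-1]["taken"] if live else None, today))
    return gaps, unencrypted, expired

if __name__ == "__main__":
    for name, items in zip(("gaps", "unencrypted", "expired"),
                           audit_backups(CATALOG, POLICY, AS_OF)):
        print(f"{name}: {items}")
```

Feeding the script real catalog exports on the backup schedule itself turns the "logged and monitored" claim in the responses into evidence an assessor can inspect.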

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub