Does your organization implement a tiered backup strategy with near-real-time backups for critical data and scheduled backups for other data?
Explanation
A tiered backup strategy ensures different types of data are backed up according to their importance and recovery requirements. Critical data should be backed up continuously or in near-real-time to minimize potential data loss in case of an incident, while less critical data can follow regular backup schedules (daily, weekly, etc.) based on business needs and recovery objectives.
Evidence could include a documented backup policy that defines critical vs. non-critical data, backup schedules for different data types, and reports from backup systems showing successful execution of the defined backup schedules. Screenshots of backup system configurations showing real-time replication for critical systems and scheduled jobs for other systems would also serve as appropriate evidence.
Implementation Example
Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
ID: PR.DS-11.234
Context
- Function: PR: PROTECT
- Category: PR.DS: Data Security
- Sub-Category: Backups of data are created, protected, maintained, and tested
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?