Does your organization enforce geographic separation and geolocation restrictions for data backup storage?
Explanation
Geographic separation of data backups helps ensure that a disaster affecting one location does not compromise all copies of critical data. This practice involves storing backup data at locations physically distant from the primary data, combined with restrictions on where backup data may be stored, driven by compliance requirements, data sovereignty laws, or risk management policies.
Evidence of fulfillment could include documentation of backup storage locations (with geographic coordinates or regions), contracts with geographically dispersed backup service providers, configuration settings for cloud backup services showing geolocation restrictions, or data backup policies that explicitly define geographic separation requirements.
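As an added illustration of the two requirements above (not part of this control text or of any vendor's backup tooling), the following Python helper audits a constructed backup inventory against an allowed-region list and a minimum separation distance from the primary site; the site names, regions, coordinates and thresholds are assumed sample values.

```python
import math

# Constructed sample policy and inventory (illustrative values, not from a real environment).
ALLOWED_REGIONS = {"eu-west", "eu-central", "eu-north"}   # data-sovereignty allowlist
MIN_SEPARATION_KM = 300.0                                   # required distance from the primary site

PRIMARY_SITE = {"name": "primary-dc", "region": "eu-west", "lat": 53.35, "lon": -6.26}

BACKUP_LOCATIONS = [
    {"name": "backup-a", "region": "eu-central", "lat": 50.11, "lon": 8.68},   # distant and allowed
    {"name": "backup-b", "region": "eu-west",    "lat": 53.40, "lon": -6.30},  # same metro as primary
    {"name": "backup-c", "region": "us-east",    "lat": 39.04, "lon": -77.49}, # outside the allowlist
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def audit_backups(primary, backups, allowed_regions, min_km):
    """Return (compliant, violations) for a backup inventory.

    Geolocation restriction: every copy must reside in an allowed region.
    Geographic separation: at least one copy must be >= min_km from the primary site.
    """
    violations = []
    separated = [b["name"] for b in backups
                 if haversine_km(primary["lat"], primary["lon"], b["lat"], b["lon"]) >= min_km]
    for b in backups:
        if b["region"] not in allowed_regions:
            violations.append(f"{b['name']}: region '{b['region']}' is outside the allowed regions")
    if not separated:
        violations.append(f"no backup copy is at least {min_km:.0f} km from {primary['name']}")
    return not violations, violations


if __name__ == "__main__":
    ok, findings = audit_backups(PRIMARY_SITE, BACKUP_LOCATIONS, ALLOWED_REGIONS, MIN_SEPARATION_KM)
    print("compliant" if ok else "NOT compliant")
    for line in findings:
        print(" -", line)
```

Running it as written flags backup-c for violating the region allowlist, while backup-b being close to the primary is tolerated because backup-a satisfies the separation requirement.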
Implementation Example
Enforce geographic separation and geolocation restrictions for data backup storage
ID: PR.DS-11.237
Context
- Function: PR: PROTECT
- Category: PR.DS: Data Security
- Sub-Category: Backups of data are created, protected, maintained, and tested
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?