S 6.33 Development of a data backup policy
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer, Persons responsible for individual applications, Head of IT
A large number of factors influence the approach in the field of data backup. The IT system, the amount of data, the change frequency, and the availability requirements are just some of these factors. Within the data backup policy, a solution taking into consideration these factors and simultaneously being economically reasonable from a cost perspective must be found.
The technical possibilities of backing up data are manifold. However, the selection is always subject to the mentioned factors. Therefore, the influencing variables of the IT systems and the IT applications implemented with the IT system must be defined and documented comprehensibly at first. Then, the suitable approach must be developed and documented. Ultimately, the Top Management must issue an implementation order.
The data backup policy must require that the ability to restore data is verified through practical training, so that functional data backup procedures are guaranteed (see S 6.41 Training data reconstruction).
The results should be collected in a data backup policy in such a way that they can be updated and extended. One possible structure of a data backup policy is outlined in the following table of contents:
Table of contents of the data backup policy
1. Definitions
- Application data, system data, software, logged data
- Complete backup, incremental data backup
2. Threat situation (motivation)
- Dependency of the organisation on the database
- Typical threats such as untrained users, shared databases, computer viruses, hackers, power failure, hard disk failure
- Organisation-relevant causes of damage
- Damage events on the organisation's own premises
3. Influencing factors per IT system
- Specification of the data to be backed up
- Availability requirements of IT applications for the data
- Time and expenditure required for data reconstruction without data backup
- Data volume
- Change volume
- Modification times of the data
- Periods
- Confidentiality requirements of the data
- Integrity requirements of the data
- Knowledge and data processing-specific skills of the IT users
4. Data backup schedule per IT system
4.1 Specifications per data type
- Type of data backup
- Frequency and time of data backup
- Number of generations
- Data backup medium
- Person in charge of data backup
- Storage location of the backup data media
- Requirements for the data backup archive
- Transport terms
- Reconstruction times for existing data backup
4.2 Specification of the data restoration approach
- General conditions for the data backup archive
- Contractual terms (for external archives)
- Refresh cycles for data backup
- Inventory listing
- Erasing data backups
- Destroying useless data media
- Provision of functional reading devices
5. Minimum data backup policy
6. Employees' commitment to data backup
7. Sporadic restoration training
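To show how the influencing factors of section 3 and the per-data-type specifications of section 4.1 interact, here is an added example (not part of the BSI safeguard text) that checks a complete/incremental backup schedule against the availability requirements; every system name and figure in it is a constructed sample value.

```python
"""Added worked example, not part of the BSI safeguard text: checks a
per-system backup schedule (policy section 4.1) against the influencing
factors of section 3.  Every figure below is a constructed sample value."""
from dataclasses import dataclass


@dataclass
class BackupSpec:
    system: str
    data_volume_gb: float         # section 3: data volume
    daily_change_gb: float        # section 3: change volume per day
    full_interval_days: int       # 4.1: complete backup every N days
    incr_interval_hours: int      # 4.1: incremental backup every N hours (0 = none)
    generations: int              # 4.1: number of full-backup generations kept
    restore_rate_gb_per_h: float  # 4.1: throughput of the reading device
    max_restore_hours: float      # section 3: availability requirement
    max_loss_hours: float         # section 3: tolerable loss of recent changes


def assess(spec: BackupSpec) -> dict:
    """Derive worst-case loss window, reconstruction time and history depth."""
    if spec.incr_interval_hours:
        # Worst case: the next full backup has not yet run, so the last
        # full plus every incremental taken since then must be read back.
        loss_hours = spec.incr_interval_hours
        incr_per_cycle = spec.full_interval_days * 24 // spec.incr_interval_hours - 1
        incr_gb_each = spec.daily_change_gb * spec.incr_interval_hours / 24
    else:
        loss_hours = spec.full_interval_days * 24
        incr_per_cycle, incr_gb_each = 0, 0.0
    restore_gb = spec.data_volume_gb + incr_per_cycle * incr_gb_each
    restore_hours = restore_gb / spec.restore_rate_gb_per_h
    findings = []
    if loss_hours > spec.max_loss_hours:
        findings.append(f"loss window {loss_hours} h exceeds {spec.max_loss_hours} h")
    if restore_hours > spec.max_restore_hours:
        findings.append(f"reconstruction {restore_hours:.1f} h exceeds {spec.max_restore_hours} h")
    return {
        "system": spec.system,
        "loss_hours": loss_hours,
        "restore_hours": round(restore_hours, 2),
        "media_to_read": 1 + incr_per_cycle,  # last full backup plus incrementals
        "history_days": spec.generations * spec.full_interval_days,
        "findings": findings,
    }


# Constructed sample systems (hypothetical, not taken from the safeguard text)
FILE_SERVER = BackupSpec("file server", 2000, 50, 7, 24, 4, 100, 8, 24)
ORDER_DB = BackupSpec("order database", 100, 20, 1, 4, 14, 50, 4, 4)

if __name__ == "__main__":
    for spec in (FILE_SERVER, ORDER_DB):
        print(assess(spec))
```

The file server sample passes the loss-window check but needs seven media and about 23 hours to reconstruct, far beyond its 8-hour availability requirement, which is exactly the kind of mismatch section 4.1 must expose before an incident does.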
Individual aspects of this data backup policy are described in detail in the safeguards S 6.34 Determining the factors influencing data backup, S 6.35 Stipulating data backup procedures, S 6.37 Documentation of the data backup, S 6.41 Training data reconstruction, and S 2.41 Employees' commitment to data backup. Once these safeguards have been implemented, the essential parts of a user-specific data backup policy are defined for each relevant IT system.
Review questions:
- Is there an up-to-date data backup policy?
- Are all IT systems affected included in the data backup policy?
- Are the employees informed of the part of the policy applicable to them?
- Is the implementation of the data backup policy checked regularly?