S 6.84 Regular data backup of the system and archived data
Initiation responsibility: Head of IT
Implementation responsibility: Head of IT, Administrator
Electronic archive systems are exposed to the same risk of data loss as other IT systems. Selecting suitable storage media alone, e.g. optical archiving media, does not provide sufficient protection against data loss if, for example, the archiving medium is destroyed or stolen.
Therefore, the archived data, the related index database, and the system data must be stored redundantly. The procedure mentioned in module S 1.4 Data backup policy must be used for data backup as a matter of principle.
As an alternative to backing up the archived data, the data may also be stored redundantly to physically separated archive systems installed in different fire zones. Some manufacturers of archive systems offer high-availability solutions for this. Nevertheless, the archive system data and the index database data must be backed up in this case as well.
The following specifications must be taken into consideration for backing up the data and handling the storage media:
- Regular data backups of the archived documents and the related index database must be performed. The following schedule may be used, for example:
  - daily backup (automatic differential backups on workdays),
  - weekly backup (automatic differential backup), and
  - full backup once a month, upon installation, and after every change to the configuration.
- Only storage media according to the manufacturer's specifications should be used.
- If a jukebox is used as the storage unit for archiving, it must be taken into account that storage media may only be removed from and inserted into the jukebox under program control. Manual, and therefore uncontrolled, removal and insertion of media should be ruled out.
- It must be documented which media are inserted into (online) or removed from (offline) the archive system at which time in order to prevent data from being deleted or added on removed media in an unauthorised manner.
- All media must be labelled in such a way that they cannot be confused.
- Offline media must be stored carefully, i.e. in such a way that they remain accessible to Administrators while being protected against harmful environmental influences. For example, this may be achieved by storing the media in a lockable, fire-proof, and theft-proof steel cabinet (S 120 DIS, VdS class III).
- Backup copies of the individual media must be separated spatially from the archive system immediately after having been created, in such a way that the data can be recovered completely even after the archive was destroyed. The rooms must be protected against being accessed by unauthorised persons.
- The selected procedure for data backup must be documented. Furthermore, it must be documented when which backup copies were created and where these were stored (see also S 6.37 Documentation of the data backup).
- Since all backup media have only a limited service life, they must be replaced by new media regularly according to the manufacturer's recommendations.
- All data backups created must be checked for readability at regular intervals and, if required, copied to new storage media.
- At regular intervals and after changes to the configuration, the usability of the backups and the restart and recovery capabilities of the system must be checked. This test goes beyond merely reading the backup media: it checks whether the archive can be recovered from the backed-up data without any loss of data. The result must be documented.
- When re-encrypting archived data (see also S 2.264 Regular regeneration of encrypted data in archiving), the data stored on backup media also requires re-encryption and old media must be deleted or destroyed.
- If data backups are restored to the archive system, it must be checked whether this results in data loss, i.e. whether data to be archived must be re-collected. Furthermore, it must be checked whether deletion flags exist for the restored data that must be taken into consideration.
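The backup schedule given above and the periodic readability check of backup media, as an added example that is not part of S 6.84: a small planner that maps a calendar day to the required run, and a check that reads every image of a backup set end to end and compares it with a recorded SHA-256. The "sha256  filename" manifest, the placement of the weekly differential on Sunday, and the sample file names are our assumptions.

```python
# Added example, not part of S 6.84: a schedule planner and a readability check
# for an archive backup set. The "sha256  filename" manifest is our assumption.
import datetime as dt
import hashlib
import tempfile
from pathlib import Path

def planned_backup(day, config_changed=False, monthly_full_day=1):
    """Which run the S 6.84 schedule calls for on `day` (date or ISO string):
    full on the monthly day or after a configuration change, daily differential
    Mon-Fri, weekly differential on Sunday (assumed; the text fixes no weekday)."""
    day = dt.date.fromisoformat(day) if isinstance(day, str) else day
    if config_changed or day.day == monthly_full_day:
        return "full"
    if day.weekday() < 5:
        return "daily-differential"
    return "weekly-differential" if day.weekday() == 6 else None

def verify_backup_set(manifest):
    """Readability check: read every listed image end to end and compare its
    SHA-256 with the recorded value. Returns {name: 'ok'|'corrupt'|'missing'}."""
    manifest = Path(manifest)
    results = {}
    for line in manifest.read_text().splitlines():
        expected, name = line.split(maxsplit=1)
        image = manifest.parent / name
        if not image.is_file():
            results[name] = "missing"
            continue
        digest = hashlib.sha256()
        with image.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        results[name] = "ok" if digest.hexdigest() == expected else "corrupt"
    return results

def build_sample_set(root=None):
    """Constructed test data: one intact image, one altered after the manifest
    was written (simulated media decay), one listed but absent."""
    root = Path(root or tempfile.mkdtemp())
    images = {"full-2024-03-01.img": b"full backup", "diff-2024-03-04.img": b"diff"}
    lines = []
    for name, data in images.items():
        (root / name).write_bytes(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    lines.append(f"{hashlib.sha256(b'lost').hexdigest()}  diff-2024-03-05.img")
    (root / "diff-2024-03-04.img").write_bytes(b"bit rot")
    (root / "MANIFEST").write_text("\n".join(lines) + "\n")
    return root / "MANIFEST"
```

A "corrupt" or "missing" result is the trigger for copying the set to new media and recording the outcome, as the safeguard requires; a full restore test remains a separate step.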
Review questions:
- Is archived data, including the related index database and the system data, stored redundantly?
- Jukebox use: Is it only possible to remove and insert the storage media under program control?
- Are the processes for removing and inserting the archiving media documented including the time stamp?
- Are all created data backups tested for readability at regular intervals and copied to new storage media if required?
- Are the restart and recovery capabilities of the archive system checked and the results documented at regular intervals or after changes to the configuration of the archive system?
- Re-encryption of archived data: Is data on backup media re-encrypted and are old media deleted or destroyed?
- Restoring a data backup to the archive system: Is the restored data checked for data loss and deletion flags?