POLICY NUMBER: ITi-P2003-20
POLICY NAME: Backup/Recovery Policy
DATE APPROVED: 14-12-2005
RESPONSIBLE OFFICER: Director - Information Technology Services

1 PURPOSE
All electronic information considered of institutional value should be copied onto secure storage media on a regular basis (i.e., backed up), for disaster recovery and business resumption. This policy outlines the minimum requirements for the creation and retention of backups. Special backup needs that exceed these requirements, identified through technical risk analysis, should be accommodated on an individual basis.

2 BACKGROUND
Data custodians are responsible for providing adequate backups to ensure the recovery of data and systems in the event of failure. Backup provisions allow business processes to be resumed in a reasonable amount of time with minimal loss of data. Since hardware and software failures can take many forms, and may occur over time, multiple generations of institutional data backups need to be maintained.
Federal and state regulations pertaining to the long-term retention of data (e.g., financial records) will be met using a separate archive policy and procedure. Long-term archive requirements are beyond the scope of this policy.

3 DEFINITIONS
3.1 University Critical Data: This is data that, if it were deemed unavailable to the University, will have an immediate (within 24 hours) critical impact on the following outcomes of the University:
• teaching and/or
• financial and/or
• statutory requirements.
Owner: Information owners are the department managers, members of the top management team, or their delegates who bear responsibility for the acquisition, development, and maintenance of production applications that process Victoria University information.
Custodian: Custodians are in physical or logical possession of either Victoria University information or information that has been entrusted to Victoria University. Custodians are responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making backups so that critical information is not lost. Custodians are also required to implement, operate, and maintain the security measures defined by Information owners. Wherever information is maintained only on a personal computer, the User is also a Custodian.
User: Users are responsible for familiarizing themselves with and complying with all Victoria University policies, procedures and standards dealing with information security.

4 KEY WORDS
4.1 Backup; Recovery; Disaster Recovery; Business Continuity; Critical Data

5 POLICY
5.1 Backups are used to restore the integrity of computer systems in the event of a hardware or software failure, a physical disaster or the deletion of important files through human intervention. All staff should be encouraged to make backups in their areas of responsibility.
Backups of all University data must be retained such that all systems are fully recoverable. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.
The frequency of backups is determined by the volatility of data; the retention of backup copies is determined by criticality of the data.
At a minimum, backups must be retained for 30 days. At least three versions of the data should be maintained.
At a minimum, one fully recoverable version of all University Critical Data must be stored in a secure, off-site location.
Derived data should be backed up only if restoration is more efficient than creation in the event of failure.
All critical information used on workstations should be placed on networked file server drives to allow for backup.
Backup documentation includes identification of all critical data, programs, documentation, and support items that would be necessary to perform essential tasks during a recovery period. Documentation of the restoration process must include procedures for the recovery from single-system or application failures as well as for a total data centre disaster scenario.
Backup and recovery documentation will be reviewed and updated regularly to account for new technology, business changes, and migration of applications to alternative platforms.
Recovery procedures will be tested on an annual, or as required, basis.

6 PROCEDURES
Each business owner should ensure appropriately documented procedures have been developed for each of their systems.

7 CONGRUENCE WITH LEGISLATION AND RELATED POLICIES
7.1 Related Policies
• Appropriate Use of Computing Facilities (ITu-2003-02)
• Security Access to Controlled Areas in IT (ITu-2003-13)
• Audit Authorities Policy (ITu-P2003-35)
All University policies are recorded in the Central Policy Register, and a list of all existing IT Policy related documents (i.e. ITu, ITi, ITg and ITo) is published on the ITS Policies Web Page.
Relevant Legislation
• The Privacy Act 1988;
• The Crimes Act 1914;
• The Copyright Act 1968; and
• The Freedom of Information Act 1984.

8 ACKNOWLEDGEMENT
8.1 SANS (SysAdmin, Audit, Network, Security) Institute: http://www.sans.org/resources/policies/
University of Iowa: http://www.uiowa.edu/~our/opmanual/

9 CONSULTATION
9.1 ITS Management and IT Advisory Network.
9.2 Chair of ISC for recommendations.
9.3 Information Systems Committee (ISC) for comment.
9.4 Approval by Director ITS.

10 REVIEW
10.1 This policy shall be reviewed in December 2006.

11 ACCOUNTABILITIES
11.1 RESPONSIBILITY
Associate Director IT Networks and Computing, for the operational management of the policy.
11.2 IMPLEMENTATION PLAN
11.2.1 The Networks and Computing Branch will be responsible for implementing this Policy.
11.2.2 Each Branch of Information Technology Services (Administrative Systems, Client Services, Networks and Computing) will be responsible for complying with this Policy. Servers supported by ITS, through a Service Level Agreement, must comply with this Policy.
Internal documentation and Web material for internal staff training purposes will be developed by ITS.
11.4 COMPLIANCE
11.4.1 Quarterly reports on all servers backed up through the ITS infrastructure will be published via the ITS Web.
11.4.2 Monthly backup reports will automatically be generated for those servers supported for other business units through a Service Level Agreement.
11.5 EFFECTIVENESS OF THIS POLICY
There will be annual audits to ensure this policy is being adhered to.

12 POLICY ADVISOR
Paul Grinsted, Associate Director Networks and Computing, ITS.

13 FORMS
Nil.

14 ENDORSED BY DEPUTY VICE-CHANCELLOR (ES) AND CHAIR (ISC)
Date: 23-11-05

15 APPROVED AND SIGNED BY DIRECTOR (ITS)
Date: 14-12-05