Initiation responsibility: IT Security Management
Implementation responsibility: Head of IT Section; IT Security Management; staff responsible for the individual IT applications
The procedure of data backup is determined by a large number of factors, including the IT system, volume of data, frequency of modification of the data, and requirements concerning availability. The data backup policy attempts to find a solution which takes these factors, as well as profitability, into account.
There are numerous technical options for data backup. However, their selection is always determined by the aforementioned factors. For this reason, the decisive parameters of the IT system and its related applications need to be determined first and documented clearly. Subsequently, a suitable procedure must be developed and documented. Finally, the procedure must be implemented by the agency/company management.
In order to ensure that the data backup system functions correctly, the data backup policy must cover the restorability of data by means of practical exercises (cf. S 6.41 Training data reconstruction).
The results should be listed as part of the data backup policy and updated as required. An example of a data backup policy is shown in the following table of contents:
Table of contents - Data Backup Policy
1. Definitions
2. Threat scenario as motivational background
3. Influential factors of an IT system
4. Data backup plan for an IT system
4.1 Specifications for each type of data
5. Minimal data backup policy
6. Employees' commitment to data backup
7. Periodic restoration exercises
Individual items of this data backup policy are described in more detail in S 6.34 Determining the factors influencing data backup, S 6.35 Stipulating data backup procedures, S 6.37 Documenting generated data backups, S 6.41 Training data reconstruction, and S 2.41 Employees' commitment to data backup. Working through these measures therefore results in the realisation of the essential aspects of a user-oriented data backup policy for individual IT systems.
Additional controls:
© Copyright
by Bundesamt für Sicherheit in der Informationstechnik
July 1999