S 6.33 Development of a data backup policy

Initiation responsibility: IT Security Management

Implementation responsibility: Head of IT Section; IT Security Management; staff responsible for the individual IT applications

The procedure of data backup is determined by a large number of factors, including the IT system, volume of data, frequency of modification of the data, and requirements concerning availability. The data backup policy attempts to find a solution which takes these factors, as well as profitability, into account.

There are numerous technical possibilities of data backup. However, their selection is always determined by the aforementioned factors. For this reason, the decisive parameters of the IT system and their related applications need to be determined first and documented clearly. Subsequently, a suitable procedure must be developed and documented. Finally, the procedure must be implemented by the agency/company management.

In order to ensure that the data-backup system functions correctly, the data backup policy must involve the restorability of data by means of practical exercises (c.f. S 6.41 Training data reconstruction)

The results should be listed as part of the data backup policy, and updated according to requirement. An example of a data backup policy is shown in the following table of contents:

Table of contents - Data Backup Policy

1. Definitions

• Application data, system data, software, protocol data

• Full backup, incremental backup

2. Threat scenario as motivational background

• Dependence of the institution on the data stock

• Typical threats like usage by untrained personnel, joint usage of data stocks, computer viruses, hackers, power failure, hard disk errors.

• Causes of damage specific to individual institutions

• In-house cases of damage

3. Influential factors of an IT system

• Specifying the data to be backed up

• Data availability requirements of the IT applications

• Effort required for data reconstruction without data backup

• Data volumes

• Modification volumes

• Modification times

• Deadlines

• Confidentiality requirements

• Integrity requirements

• Knowledge and data-processing competence of IT users

4. Data backup plan for an IT system

• Type of data backup

• Frequency and times of data backup

• Number of generations

• Data backup medium

• Responsibility for data backup

• Storage location for backup copies

• Requirements concerning the data backup archive

• Transport modes

• Reconstruction times for the existing data backup system

• Contractual terms (for external archives)

• Refresh cycles for data backup

• Inventory listing

• Erasing data backups

• Destroying useless data media

5. Minimal data backup policy

6. Employees' commitment to data backup

7. Periodic restoration exercises

Individual items of this data backup policy are described more closely in the S 6.34 Determining the factors influencing data backup, S 6.35 Stipulating data backup procedures, S 6.37 Documenting generated data backups, S 6.41 Training data reconstruction, S 2.41 Employees' commitment to data backup, so that the processing of these measures results in the realisation of the essential aspects of a user-oriented data backup policy for individual IT systems.

Additional controls:

• Is a data backup policy for the institute documented and updated?

• Are all relevant IT systems included in this policy?

• How are staff members informed about the sections of the concept which are applicable to them?

• Is adherence to the concept monitored?

• How are changes in the influencing factors taken into account?