S 6.36 Stipulating a minimal data backup policy

Initiation responsibility: IT Security Management

Implementation responsibility: IT Security Management

The minimum requirements which a company/agency needs to fulfil as regards data backup must be determined. This allows universal handling of many cases which would otherwise require extremely detailed investigations and complex data backup policies. It also provides a basis generally applicable to all IT systems, including new ones for which data backup policy have not been prepared yet.

This is demonstrated by the following example:

Minimal data backup policy

Software:

All software, whether purchased or created personally, is to be protected once by means of a full backup.

System data:

System data are to be backed up with at least one generation per month.

Application data:

All application data are to be protected by means of a full backup at least once a month using the three-generation principle.

Protocol data:

All protocol data are to be protected by means of a full backup at least once a month using the three-generation principle.

Additional controls:

• Are all employees, including new ones, instructed on, and committed to, the data backup or minimal data backup policy?

• Is the minimal data backup policy updated?

• Are the operative resources required for minimal data backup available?