Your IT organization regularly backs up data, systems, network configuration data, databases, security parameters and other information resources. But does it have a data backup policy?
It probably has a backup schedule stating what should be backed up, the types of backups to be performed, where backed-up data and other resources should reside, how often backups run, the time windows for executing them, how long backups are retained, how backed-up data and systems can be recovered, and how to confirm that backups were successful.
If your IT organization does not have a formal, documented backup policy, you can begin preparing one that is consistent with best practices and will also pass audit scrutiny. Review the data backup and recovery policy template included to help you prepare your policy.
Developing a backup policy
An organization should consider the following issues when developing a data backup policy:
- technologies used for backing up, recovering, and restoring data and systems;
- types of data and systems to be backed up;
- network infrastructure requirements to ensure backups can be completed;
- professional staff charged with performing backups and recoveries;
- emergency procedures if data backups become compromised; and
- procedures for ensuring that critical data is securely stored in the event of a data breach, ransomware attack or other cybersecurity event.
In creating a data backup policy, begin by capturing the information above; it serves as the starting point. Next, consider the following preliminary activities:
- Examine existing IT and other company policies for structure and format, and reuse relevant components in the new policy.
- Search the internet for examples of data backup and recovery policies and adapt them as appropriate.
- Examine software products that can assist in preparing policies.
Components of a data backup and recovery policy
A data backup and recovery policy can be simple. A few paragraphs covering backup and recovery activities, and the elements discussed above, can be sufficient. You can include more detail if necessary. The following basic policy outline can be adapted to address backup and recovery issues:
- Introduction. States the fundamental reasons for having a data backup and recovery policy.
- Purpose and Scope. Provides details on the policy's purpose and scope.
- Statement of Policy. States the policy in clear, specific terms.
- Policy Leadership. Identifies who is responsible for approving and implementing the policy, as well as issuing penalties for noncompliance.
- Verification of Policy Compliance. Delineates what is needed, such as gap assessments, performance data and exercise results, to verify that data backup and recovery activities comply with this policy and any other IT policies.
- Penalties for Noncompliance. Defines penalties for failure to comply with policies.
- Appendixes (as needed). Incorporates added reference data, such as lists of contacts and service-level agreements.
Upon completion of a draft data backup policy, have it reviewed by IT department management, human resources and legal, at a minimum. Invite other relevant departments to comment if time is available.