 Training and Dissemination web site

Integrated Site Security for Grids

A project co-funded by EU FP6 programme

Recommendation

Establish backup and restore policies and procedures

ID: R18

What:

Routine procedures should be established to implement the agreed backup policy and strategy for taking backup copies of data and rehearsing their timely restoration.

Why:

Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.

How:

The necessary level of backup information should be defined. The extent (e.g. full or differential backup) and frequency of backups should reflect the operational requirements of the organization, the security requirements of the information involved, and the criticality of the information to the continued operation of the organization.

At minimum, backups should be performed at the server level, and users trained to store important information on servers with backup facilities.

Accurate and complete records of the backup copies and documented restoration procedures should be produced. Used backup media should be afforded the same level of protection as the original data based on the relevant information classifications (see R7), and should be appropriately processed when being replaced or re-used (see R11).

Backup arrangements can be centralized and/or automated, to facilitate the backup and restore process, and the production of backup records.

Backup copies should be stored in an off-site location, at a sufficient distance to escape any damage from a disaster at the main site. Backup information should be given an appropriate level of physical and environmental protection, consistent with the standards applied at the main site.

Backup media and restoration procedures should be regularly tested to ensure that they can be relied upon for emergency use when necessary.

For further information on backup procedures and software, and remote backup services, consult the following pages:

Relevant recommendations:

R7, R11, R12, R30

Relevant threats:

T13, T16, T17, T18, T19, T37

Relevant ISS audit questions: Q44

Keywords: Incident, Management, Policy, Risk, Security, System administrator, User

Recommendation Category: Technical - Administrative - Educational

Copyright (c) Members of the ISSeG Collaboration 2008