This policy is designed to protect against loss of data and ensure it can be recovered in the event of an equipment failure, intentional destruction, or disaster.
This policy applies to all data and system configurations used by the organization and its employees.
3.1 Back up
3.1.1 All server related data and supporting system configuration files on network servers and central storage devices are backed up on a weekly basis.
3.1.2 All data on Google drive and Gmail will be backed up automatically on a daily basis up to the current system’s supported maximum restore point only. Current maximum restore point as of this version is 25 days from deletion. With the exemptions on the following:
3.1.2.1 Data from Spam folder
3.1.2.2 Email Drafts
3.1.2.3 Deleted My Map files Infinit-O IT has 25 days from when the data was permanently deleted to restore messages. After 25 days, the data is gone forever.
3.1.3 CCTV system footage will be backed up and stored for a maximum of 30 days only after which the footage will be overwritten. Remote backup copies of CCTV’s will not be processed due to the large storage requirement of CCTV data. 3.1.4 Backup media is to be encrypted (either through full backup media encryption or encryption by 3rd party tools)
3.2 Offsite Backup Storage
3.2.1 A copy of the latest system backup data shall be stored at a secure offsite location twice a month.
3.2.2 The offsite backup location can be a specialized warehouse or cloud based service with Security certifications.
3.3 Testing
3.3.1 The ability to restore data from backups shall be tested at least once per month randomly using any backup data candidate.
3.3.2 Any failed items must be re-backed up immediately.
3.4 Archive
3.4.1 All employee created files (including emails) are archived after they have left the organization.
3.4.2 All archived data will be kept for 5 years’ maximum unless specified otherwise
3.5 Restoration
3.5.1 Users that need files restored must submit a request to the help desk. The request includes information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.
3.5.2 The IT Team may need to verify that the User has permission and/or authorization to view or obtain restored copies of file/s and/or folder/s. Content will be restored to the same source folder or the same area, so any requestor will need access to that folder/area to access the restored file.
3.5.3 Requests from third party software/hardware vendors for file or system restore for the purpose of system support, maintenance, testing or other unforeseen circumstance should be made via the IT Director from the authorized vendor representative only.
3.5.4 Personnel accessing backup media for the purpose of a restore must ensure that any media used is returned to a secure location when no longer required.
3.6 Breach of Policy
3.6.1 Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to company assets, or an event which is in breach of the company’s security procedures and policies. All company employees, partner agencies, Third Parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company’s QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact. This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
3.6.2 The Company will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines will be dealt with under the disciplinary procedures.
4.1 Vice presidents and Directors are responsible for ensuring that all staff and managers are aware of security policies and that they are observed. Managers need to be aware they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of systems and inherent information, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedure
4.2 All users should save all data (files) to the approved network assigned folder locations and not make local copies of data on a computer, mobile phone or other type of portable storage media.
4.3 If the network becomes unavailable and work related data is at risk of being lost, users can save the data (files) locally (i.e. on the computer being used) or on approved media storage. Once the network becomes available again, data (files) should be immediately transferred to the approved network assigned folder locations and the local copies of data on the computer or portable storage media should be deleted.