Backup and Recovery

1.0 Objective
This policy is designed to protect against loss of data and ensure it can be recovered in the event of an equipment failure, intentional destruction, or disaster. 

2.0 Scope
This policy applies to all data and system configurations used by the organization and its employees. 

3.0 Provisions
3.1 Back up 
3.1.1 All server related data and supporting system configuration files on network servers and central storage devices are backed up on a weekly basis. 
3.1.2 All data on Google Drive and Gmail will be backed up automatically on a daily basis, up to the current system’s supported maximum restore point only. The current maximum restore point as of this version is 25 days from deletion, with the following exemptions: data from the Spam folder; Email Drafts; Deleted My Map files. Infinit-O IT has 25 days from when the data was permanently deleted to restore messages. After 25 days, the data is gone forever.
3.1.3 CCTV system footage will be backed up and stored for a maximum of 30 days only, after which the footage will be overwritten. Remote backup copies of CCTV footage will not be processed due to the large storage requirement of CCTV data.
3.1.4 Backup media is to be encrypted (either through full backup media encryption or encryption by third-party tools).
3.2 Offsite Backup Storage 
3.2.1 A copy of the latest system backup data shall be stored at a secure offsite location twice a month. 
3.2.2 The offsite backup location can be a specialized warehouse or cloud-based service with security certifications.
3.3 Testing 
3.3.1 The ability to restore data from backups shall be tested at least once per month randomly using any backup data candidate. 
3.3.2 Any failed items must be re-backed up immediately.
3.4 Archive 
3.4.1 All employee created files (including emails) are archived after they have left the organization. 
3.4.2 All archived data will be kept for a maximum of 5 years unless specified otherwise.
3.5 Restoration 
3.5.1 Users that need files restored must submit a request to the help desk. The request includes information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed. 
3.5.2 The IT Team may need to verify that the User has permission and/or authorization to view or obtain restored copies of file/s and/or folder/s. Content will be restored to the same source folder or the same area, so any requestor will need access to that folder/area to access the restored file. 
3.5.3 Requests from third party software/hardware vendors for file or system restore for the purpose of system support, maintenance, testing or other unforeseen circumstance should be made via the IT Director from the authorized vendor representative only. 
3.5.4 Personnel accessing backup media for the purpose of a restore must ensure that any media used is returned to a secure location when no longer required.
3.6 Breach of Policy 
3.6.1 Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to company assets, or an event which is in breach of the company’s security procedures and policies. All company employees, partner agencies, third parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company’s QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact). This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
3.6.2 The Company will take appropriate measures to remedy any breach of this policy and its associated procedures and guidelines; breaches will be dealt with under the disciplinary procedures.
4.0 Responsibility
4.1 Vice Presidents and Directors are responsible for ensuring that all staff and managers are aware of security policies and that they are observed. Managers need to be aware that they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of systems and inherent information, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.
4.2 All users should save all data (files) to the approved network assigned folder locations and not make local copies of data on a computer, mobile phone or other type of portable storage media. 
4.3 If the network becomes unavailable and work related data is at risk of being lost, users can save the data (files) locally (i.e. on the computer being used) or on approved media storage. Once the network becomes available again, data (files) should be immediately transferred to the approved network assigned folder locations and the local copies of data on the computer or portable storage media should be deleted.
5.0 Frequency
5.1 Please refer to above provisions 
6.0 Distribution
6.1 Team members 
6.2 Team Leaders/Managers/Directors 
6.3 Execom
7.0 References
ISO Control: A.12.3.1 – Description: Information Backup

8.0 Records
8.1 Backup Tracking – \\Google Drive\IT\ISO\Backup Files\ 
