System Backup Policy
Backing up is an essential part of protecting Ministry of Justice (MoJ) Information and Communication Technology (ICT or IT) resources. Backing up provides a means of recovering a system or data to a known state, or point in time. In other words, backups enable you to restore a system or data to be effectively indistinguishable from how it was on a particular date and time.
To help identify formal policy statements, each is prefixed with an identifier of the form: POL.SBP.xxx, where xxx is a unique ID number.
Note: Use of the word shall in this document complies with the usage defined in Government Functional Standard - GovS 007: Security.
POL.SBP.001: All systems shall comply with the MoJ Security Policy.
POL.SBP.002: All IT systems shall conform to the IT Security - System Backup Standard.
POL.SBP.003: All IT systems shall be evaluated to determine if a backup schedule is required. This depends on the data stored, and on legal or other regulatory requirements. The evaluation and resulting decision regarding backup requirement shall be documented for the system.
The IT Security - System Backup Standard provides details of the tasks, configurations, and processes required for an IT system backup to comply with this policy.
To address these requirements, these statements from the MoJ Technical Controls Policy apply:
POL.TCP.108: All IT systems shall have back-up procedures to maintain the integrity and availability of all Information Assets held. This must align to the Recovery Point Objective which may be expressed in the Business Impact Assessment (BIA).
POL.TCP.109: All IT systems shall maintain a log of all back-ups taken.
POL.TCP.110: Back-up data shall be stored and handled in a manner appropriate to the protective marking of the Information Assets stored.
POL.TCP.111: All IT systems shall check all historic back-ups regularly to ensure that they can be relied upon. This includes the testing of back-up media such as tape or hard disks.
POL.TCP.112: All IT systems shall have a back-up restoration procedure which is tested regularly. Ideally, the testing takes place automatically.
POL.TCP.113: The retention period for historic back-ups shall align to the retention period of the Information Assets held.
For any further questions or advice relating to security, contact: firstname.lastname@example.org.
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: email@example.com.