CP-09-727 Information System Backup

Information System Backup

Control ID

CP-09-727

Control Name

Information System Backup

Control Category

Contingency Planning

Functional Areas

Recover

Sub-Areas

Disaster Recovery Procedures

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

December 8, 2016

Agency Implementation

All agency datacenter information resources (servers, storage area network, etc.) containing sensitive or critical information are backed up and replicated to the agency's alternate storage location on a daily basis. These backups are retained for at least 30 days. Workstation information resources are backed up based on a risk assessment of the information contained on the workstation, approved by the information resource owner. An enterprise file sync and share solution shall be made available to all users to preserve an off-site copy of workstation files as deemed necessary by the information resource owner or custodian.

Risk Statement

Data is not recoverable due to inadequate or undefined backup and restoration procedures.

Control Description

The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Control Example

The organization performs periodic, regular data backups of application sensitive/critical information.

State Implementation

The state organization conducts backups of system-level information (including system state information) and critical user-level information contained in the information system and protects backup information at the storage location.

Testing Procedures

Obtain contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s);information system backup test results; other relevant documents or records and ascertain if : (I)the organization defines the frequency of information systems backups. (ii)the organization backs up user-level and system-level information (including system state information) in accordance with the organization-defined frequency. (iii)the organization backs up information to alternate storage sites (if so designated) at a frequency and transfer rate consistent with the organization’s recovery time objectives and recovery point objectives. (iv)the organization protects backup information at the designated storage locations. (v)the organization defines in the security plan, explicitly or by reference, the frequency of information system backup testing. (vi)the organization conducts information system backup testing in accordance with organization-defined frequency. (viii)testing results verify backup media reliability and information integrity.