CP-09-727 Information System Backup

CP-09-727
Information System Backup
Contingency Planning
Recover
Disaster Recovery Procedures
LOW, MOD, HIGH
P1
Yes
December 8, 2016

All agency datacenter information resources (servers, storage area network, etc.) containing sensitive or critical information are backed up and replicated to the agency's alternate storage location on a daily basis. These backups are retained for at least 30 days. Workstation information resources are backed up based on a risk assessment of the information contained on the workstation, approved by the information resource owner. An enterprise file sync and share solution shall be made available to all users to preserve an off-site copy of workstation files as deemed necessary by the information resource owner or custodian.

Data is not recoverable due to inadequate or undefined backup and restoration procedures.
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
The organization performs periodic, regular data backups of application sensitive/critical information.
The state organization conducts backups of system-level information (including system state information) and critical user-level information contained in the information system and protects backup information at the storage location.
Obtain contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup test results; other relevant documents or records and ascertain if:
(i) the organization defines the frequency of information systems backups.
(ii) the organization backs up user-level and system-level information (including system state information) in accordance with the organization-defined frequency.
(iii) the organization backs up information to alternate storage sites (if so designated) at a frequency and transfer rate consistent with the organization’s recovery time objectives and recovery point objectives.
(iv) the organization protects backup information at the designated storage locations.
(v) the organization defines in the security plan, explicitly or by reference, the frequency of information system backup testing.
(vi) the organization conducts information system backup testing in accordance with organization-defined frequency.
(viii) testing results verify backup media reliability and information integrity.