Backup Standard

Description

The university has established processes to maintain the confidentiality, integrity, and availability of information. Backups are an important part of our strategy. Included are our requirements for implementing, monitoring, protecting and testing our backup and recovery procedures for high priority systems and data (i.e. Tier 0, 1 and Tier 2).

Scope

This policy applies to everyone who accesses University data or information resources that fall under LTS-defined Tier 0, 1, and Tier 2 services, and HIPAA.

Security Requirements

Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (e.g., FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.

Example:

NIST 800-171 references the following security requirements within the Security Assessment family:

  • 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

  • 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

  • Incident Response Training [800-53 IR-2]

  • Incident Response Testing [800-53 IR-3]

General Backup Controls

Library and Technology Services will adhere to the following backup controls for all Tier 0, 1, and Tier 2 services, and HIPAA data.

  • Processes must be in place to maintain the confidentiality, integrity, and availability of information.

  • All data backups must be encrypted in transit and at rest using 256-bit AES or better.

  • Replication of HIPAA data is not considered backup and this method must not be used for HIPAA data.

  • Backup datasets must be stored in at least 2 disparate locations.

  • Tier 0, 1, and Tier 2 service backup datasets must be protected against unauthorized modification and deletion.

  • Physical access to the data center must be restricted, monitored, and reviewed annually by the Director, TIO.

  • Physical access controls must be in place for on-site and off-site backup storage locations.

  • Data must be capable of being restored to its original location or a new location.

  • Recovery Time and Point Objectives must be defined and followed for Tier 0, 1, and Tier 2 services.

  • Backup dataset retention for Tier 0, 1, and Tier 2 services must be defined and documented by the data stewards.

  • Backup retention for HIPAA data must be defined and documented by the data stewards.

Backup Auditing

To ensure our backup process and tools are secure and working properly, auditing must be performed.

  • A backup monitoring process must be defined for backup failures and unauthorized access.

  • Backup restoration must be tested quarterly to ensure integrity.

  • Physical access controls for on-site and off-site backup storage locations must be reviewed annually by the Director, TIO.

Backup Training

Training for administrators, engineers, and operations personnel must be conducted annually to review our processes and to improve upon them.

  • Disaster Recovery exercises must be conducted annually.

  • A postmortem must be conducted within a week of the disaster recovery exercise.

  • The final report is due 2 weeks after the postmortem.

Related

Detail associated standards and guidance.

Definitions

Recovery Point Objective (RPO): Maximum amount of data, measured in time, that can be lost when recovering from a disaster, incident, or failure.

Recovery Time Objective (RTO): Time within which an acceptable level of service must be brought online in the event of a disaster, incident, or failure.

Revision History

Date | Version | Description | Approval
Nov 22, 2021 | 1.0 | Approved - Standard | CISO