Establish and maintain off-site electronic media storage facilities.

CONTROL ID: 00957
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain backup procedures for in scope systems., CC ID: 01258

This Control has the following implementation support Control(s):
  • Separate the off-site electronic media storage facilities from the primary facility through geographic separation., CC ID: 01390
  • Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations., CC ID: 01392
  • Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur., CC ID: 01393
  • Review the security of the off-site electronic media storage facilities, as necessary., CC ID: 00573
  • Store backup media at an off-site electronic media storage facility., CC ID: 01332
  • Store backup media in a fire-rated container which is not collocated with the operational system., CC ID: 14289

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A licensed corporation must satisfy the SFC that the premises are suitable for the purpose of keeping Regulatory Records. (8. ¶ 3, Circular to Licensed Corporations - Use of external electronic data storage)
  • Licensed corporations are expected to review their use of external electronic data storage to ensure compliance with section 130 of the SFO (including making an application for approval described in paragraph 8 above) and the regulatory expectations set out in this circular. (23., Circular to Licensed Corporations - Use of external electronic data storage)
  • The organization shall store its backup files in a remote area. The area should not share risk factors with the production file storage area. The organization should consider the time it will take to transfer the files from that system to the current system during recovery. (O34.1(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • All backups should be stored at an offsite facility, along with the recovery procedures. (§ 2.8.14, Australian Government ICT Security Manual (ACSI 33))
  • firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and com… (Table 3 ¶ 1 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • However, the PRA expects firms to adopt a risk-based approach to the location data that allows them to simultaneously leverage the operational resilience advantages of outsourced data being stored in multiple locations and manage relevant risks, which may include: (§ 7.8, SS2/21 Outsourcing and third party risk management, March 2021)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • Client organizations must ensure that the infrastructure, systems, and documents of a service provider are secured properly. Organizations are demanding higher security levels in outsourcing facilities, especially when the outsourced activity is critical to the organization's operations. Key physica… (§ 5.2 (Physical Security and Environmental Controls), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Back-up storage must be protected by a well-administered and effective access control system. Computer data that is compact and particularly sensitive should also be stored on paper, microfiche, etc., as a backup. (Pg 12-II-19, Pg 12-II-45, Pg 12-II-46, Protection of Assets Manual, ASIS International)
  • A back-up facility should be established, if the organization conducts a considerable amount of business over the Internet. (Special Action 3.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency planning/di… (¶ 8.1.6(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Do the scoped systems and data reside in a data center? (§ F.2, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the policy or process for the backup of production data include a Requirement to store backups to avoid any damage from a disaster at the main site? (§ G.8.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization must maintain system and application documentation at the off-site storage location. (CSR 5.4.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • CSPs will provide the agency a list of the physical locations where the data could be stored at any given time and update that list as new physical locations are added. (Section 5.2.1 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Back-up files and documents must be stored at an offsite location. (§ 8-603.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Management should evaluate whether there are appropriate resources to ensure resilience, including an accessible, off-site repository of software, configuration settings, and related documentation, appropriate backups of data, and off-site infrastructure to operate recovery systems. (IV.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization should store all back-up tapes at an alternate location. (Pg 30, Exam Tier I Obj 6.5, Exam Tier II Obj C.4, FFIEC IT Examination Handbook - Operations, July 2004)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The location where the back-up media is stored should be examined to ensure the media is stored in a fireproof safe or a separate facility away from the operational software. (CP-9(3), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • If the data from handheld devices are backed up on a memory card, the memory card should be stored away from the device. (§ 4.1.3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The organization must determine what the requirements are for an alternate storage site and start the necessary agreements. (SG.CP-7 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should store the backups of the Operating System and other critical System Software in a separate location or in a fireproof container that is not located with the operational software. (SG.IR-10 Requirement Enhancements 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify an alternate storage site and initiate the necessary agreements to allow the storage of Information System backup information. (App F § CP-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects the confidentiality, integrity, and availability of backup information at storage locations. (CP-9d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects the confidentiality, integrity, and availability of backup information at storage locations. (CP-9d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects the confidentiality, integrity, and availability of backup information at storage locations. (CP-9d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Development of employee security policies and procedures for the storage of, access to, transport of and transmittal of personal information off-premises; (§ 38a-999b(b)(2)(E), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., TX-RAMP Security Controls Baseline Level 2)