Separate duplicate originals and backup media from the original electronic storage media.


CONTROL ID
00961
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain removable storage media controls., CC ID: 06680

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall store its backup files in a remote area. The area should not share risk factors with the production file storage area. The organization should consider the time it will take to transfer the files from that system to the current system during recovery. (O34.1(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is a good practice that the last copy of the data before conversion from the old platform and the first copy of the data after conversion to the new platform are maintained separately in the archive for any future reference. (Critical components of information security 12) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Backups are stored at multiple geographically-dispersed locations. (Security Control: 1513; Revision: 0, Australian Government Information Security Manual, March 2021)
  • The procedures for securing the backup tapes should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "System backup and recovery", Australian Government Information Security Manual: Controls)
  • The organization should securely store the configuration information off the server in a way that maintains the integrity. (Control: 0386 Bullet 2, Australian Government Information Security Manual: Controls)
  • Backup data should be stored at a secure offsite location, as long as necessary. (¶ 14, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Client organizations must ensure that the infrastructure, systems, and documents of a service provider are secured properly. Organizations are demanding higher security levels in outsourcing facilities, especially when the outsourced activity is critical to the organization's operations. Key physica… (§ 5.2 (Physical Security and Environmental Controls), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization must develop, implement, and maintain procedures to ensure that original and archived copies of documents, information, and data are readily identifiable and legible. (§ 4.4.5 ¶ 2(f), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Key components of computer and network installations should be protected by storing source code (or equivalent) in a secure location away from the live environment. (CF.07.01.07b-1, The Standard of Good Practice for Information Security)
  • Key components of computer and network installations should be protected by storing source code (or equivalent) in a secure location away from the live environment. (CF.07.01.07b-1, The Standard of Good Practice for Information Security, 2013)
  • Backups should be stored offsite. Back-up tapes should be stored safely to prevent them from being lost and/or stolen. If the back-up tapes were to be compromised, the entire case could be in jeopardy. (Action 1.8.4, Action 3.4.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • The asset inventory may be kept on an off-line system that is not connected to the production system for added security. (Critical Control 1.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. (CIS Control 11: Safeguard 11.4 Establish and Maintain an Isolated Instance of Recovery Data, CIS Controls, V8)
  • Backup systems are a method of copying electronic records to prevent loss of records through system failures. Such systems ought to include a regular backup schedule, multiple copies on a variety of media, dispersed storage locations for the backup copies, and provision for both routine and urgent … (§ 4.3.7.3(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The backup system should include a regular backup schedule, providing routine and urgent access to the backup tapes, multiple copies on different media, and dispersed storage locations. (§ 4.3.7.3 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. (M1053 Data Backup, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • On Windows systems that transmit scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are audit logs stored on alternate systems? (§ V.1.72.9, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization shall keep the system security profile in a secure location and up to date, and it should include pointers to other relevant documents. The organization shall keep a backup copy of the system security profile at a secure off-site storage location, preferably at the same location of … (§ 3.7 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization should store separately from the original, a duplicate copy of the record stored on any medium acceptable for the time required. (§ 240.17a-4(f)(3)(iii), 17 CFR Part 240.17a-4, Records to be preserved by certain exchange members, brokers, and dealers)
  • Maintain separately from the originals duplicates of the records and the index that you store on electronic storage media or micrographic media. You may store the duplicates of the indexed records on any medium permitted by this section. You must preserve the duplicate records and index for the same… (§ 240.17Ad-7(f)(2)(v), 17 CFR Part 240.17Ad-7 - Record retention)
  • The organization should maintain separately from the originals duplicates of the records and the index that you store on electronic storage media or micrographic media. You may store the duplicates of the indexed records on any medium permitted by this section. You must preserve the duplicate recor… (§ 240.17Ad-7(f)(2)(v), 17 CFR Part 240.17Ad-7, Record retention)
  • The method used to back-up records databases must create copies to be stored off-line or at a separate location or locations. (§ C2.2.9.1, § C2.2.9.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Operating System backup copies must be stored in a fire rated container or not located in the same facility with the operational software. (COSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The hardware inventory backup copy must be stored in a fire-rated container or not located in the same facility with the original. (DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The critical software backup copies must be stored in a fire rated container or not located in the same facility with the operational software. (COSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Backups of configurations and data off-site and on a separate system or media. (App A Objective 15:4a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Calls for back-up media to be stored at an offsite facility. (SC-2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Calls for back-up media to be stored at an offsite facility. (§ 395C.03, GAO/PCIE Financial Audit Manual (FAM))
  • The organization should store the backups of the Operating System and other critical System Software in a separate location or in a fireproof container that is not located with the operational software. (SG.IR-10 Requirement Enhancements 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)