Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility.
CONTROL ID
01257
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain backup procedures for in scope systems., CC ID: 01258

This Control has the following implementation support Control(s):
  • Store backup vital records in a manner that is accessible for emergency retrieval., CC ID: 12765


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Protecting backup data from unauthorized access. (Critical components of information security 5) (xiii) j), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Recovery plans should include details on the location and how to access data storage at the off-site location. (Attach B ¶ 7(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • relevant information pertaining to alternate sites for the recovery of business and/or IT operations and details of the location and procedures for gaining access to off-site data storage; (Attachment B ¶ 7(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Back up database content regularly, encrypt backup files, and protect access to backup media. (§ 3-10, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Back-up arrangements should enable software and information to be restored in a critical timescale (i.e., the timescale beyond which a loss of service would be unacceptable to the organization) by using near-line storage (which often involves backing up information to an Automated Tape Library) that… (CF.07.05.05b, The Standard of Good Practice for Information Security)
  • Back-up arrangements should enable software and information to be restored in a critical timescale (i.e., the timescale beyond which a loss of service would be unacceptable to the organization) by using near-line storage (which often involves backing up information to an Automated Tape Library) that… (CF.07.05.06b, The Standard of Good Practice for Information Security, 2013)
  • Off-site backups should be able to be retrieved in a timely manner. (Action 1.8.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The organization should be able to retrieve the offsite, back-up copies in a timely manner. (Pg 30, FFIEC IT Examination Handbook - Operations, July 2004)
  • All back-up media should be labeled in a unique way to ensure quick identification during an emergency. (§ 5.1.5 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Obtaining and loading backup media; (§ 4.3.2 ¶ 2 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup media should be stored offsite in a secure, environmentally controlled location. When selecting the offsite location, hours of the location, ease of accessibility to backup media, physical storage limitations, and the contract terms should be taken into account. The ISCP Coordinator should re… (§ 5.1.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))