Establish, implement, and maintain backup procedures for in-scope systems.

CONTROL ID: 01258
CONTROL TYPE: Systems Continuity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include technical preparation considerations for backup operations in the continuity plan., CC ID: 01250

This Control has the following implementation support Control(s):
  • Determine which data elements to back up., CC ID: 13483
  • Document the backup method and backup frequency on a case-by-case basis in the backup procedures., CC ID: 01384
  • Establish and maintain off-site electronic media storage facilities., CC ID: 00957
  • Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility., CC ID: 01257
  • Establish, implement, and maintain security controls to protect offsite data., CC ID: 16259


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If AIs' computer backup tapes containing customer data need to be regularly transported outside of their premises, AIs should also implement similar controls as mentioned (including, among others, strong data encryption, erase of data after the tapes' retention cycle, proper records and immediate re… (Annex E. ¶ 3, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Detailed operational instructions such as computer operator tasks, and job scheduling and execution (e.g. instructions for processing information, scheduling requirements and system housekeeping activities) should be documented in an IT operations manual. The IT operations manual should also cover t… (5.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number IV.4(5): The organization must back up data to minimize the effects of failures. The organization must determine the types of data that must get backed up and the method for and timing of the backups in accordance with business requirements, data processing structure, and data re… (App 2-1 Item Number IV.4(5), App 2-1 Item Number IV.6(4), App 2-1 Item Number VI.7.3(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O27: The organization shall keep backup copies of important data files and specify the method for managing them. O29: The organization shall maintain backup copies of programs and specify the method for managing them. O32: The organization shall keep backup copies of configuration and note their met… (O27, O29, O32, O34, O76.3(2), T3.4, T4.1, T48.1(2).2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Determining security requirements, access criteria and backup requirements for the information assets they own (Information owner ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing system backups and disaster recovery plans. Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). (Critical components of information security 24) viii. ¶ 1 m., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Backing up firewalls to internal media and not backing up the firewall to servers on protected networks (Critical components of information security 24) vii. a) ¶ 13 Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should develop a data backup strategy for the storage of critical information. (§ 8.4.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish a system and data backup strategy, and develop a plan to perform regular backups so that systems and data can be recovered in the event of a system disruption or when data is corrupted or deleted. (§ 8.4.1, Technology Risk Management Guidelines, January 2021)
  • To ensure data availability is aligned with the FI's business requirements, the FI should institute a policy to manage the backup data life cycle, which includes the establishment of the frequency of data backup and data retention period, management of data storage mechanisms, and secure destruction… (§ 8.4.2, Technology Risk Management Guidelines, January 2021)
  • A data backup process, and supporting data backup procedures, is developed and implemented. (Security Control: 1547; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Data backup processes, and supporting data backup procedures, are developed, implemented and maintained. (Control: ISM-1547; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Data backup processes, and supporting data backup procedures, are developed, implemented and maintained. (Control: ISM-1547; Revision: 2, Australian Government Information Security Manual, September 2023)
  • The procedures for backing up data should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "System backup and recovery", Australian Government Information Security Manual: Controls)
  • The organization should back up all critical business information. (Control: 0119 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should backup critical Information Technology and sensitive Information Technology assets on a regular basis. (Attach B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Sound practice is to establish a formal policy to govern end-user developed/configured software. The policy would clearly articulate under what circumstances end-user developed/configured software is appropriate, as well as expectations regarding life-cycle management controls including information … (59., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The baseline should be updated after all changes to the system or application. (§ 3.5.19, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT sys… (3.5 57, Final Report EBA Guidelines on ICT and security risk management)
  • ICT system backup and recovery procedures for critical software and data, that ensure that these backups are stored in a secure and sufficiently remote location, so that an incident or disaster cannot destroy or corrupt these critical data; (Title 3 3.3.4(a) 54.b(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • business continuity, such as backup management and disaster recovery, and crisis management; (Article 21 2(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data; (Art. 12.1.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the network and information systems or the ava… (Art. 12.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • data backup (for all information, applications, and IT components), (§ 8.1 Subsection 5 ¶ 2 Bullet 5, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Policies and instructions with technical and organisational safeguards in order to avoid losing data are documented, communicated and provided according to SA-01. They provide reliable procedures for the regular backup (backup as well as snapshots, where applicable) and restoration of data. The scop… (Section 5.6 RB-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The provisions governing the data backup procedures (excluding data archiving) shall be set out in writing in a data backup strategy. The requirements contained in the data backup strategy for the availability, readability and timeliness of the customer and business data as well as for the IT system… (II.7.51, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Restoration of data and applications by means of backup and redundancy concepts. (3.1.2 Requirements (should) Bullet 3 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • App 2 ¶ 14.g(3): For IT systems that process and access restricted information, the system shall implement data backup with local storage. This is applicable to UK contractors. App 6 ¶ 15.g(3): For IT systems that process and access UK restricted information, the system shall implement data backup… (App 2 ¶ 14.g(3), App 6 ¶ 15.g(3), The Contractual process, Version 5.0 October 2010)
  • What is the role of each user for backing up data on desktops, laptops, and mobile devices? (Table Row II.13, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Devices should be able to save back-up configuration settings on another device or server area. (§ 2.3.1 (2.3.1.110), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Configuration settings should be automatically backed up on a regular basis. (§ 1.2 (2.3.1.110), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • Configuration settings should be automatically backed up on a regular basis. (§ 1.2 (2.3.1.110), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • The validated backup procedures for storage facilities and media should assure data integrity. (¶ 19.5, Good Practices For Computerized systems In Regulated GXP Environments)
  • All gxp related data and the audit trails should be backed up. (¶ 19.6 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan. (DS11.5 Backup and Restoration, CobiT, Version 4.1)
  • Plan data conversion and infrastructure migration as part of the organisation's development methods, including audit trails, rollbacks and fallbacks. (AI7.5 System and Data Conversion, CobiT, Version 4.1)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • The identity and location of critical files and the ability to conduct backups of user-level and system-level information (including system state information) shall be supported by the control system without affecting normal plant operations. (11.5.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to participate in system level backup operations in order to safeguard the component state (user- and system-level information). The backup process shall not affect the normal component operations. (11.5.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • How are backups of VMs and data secured? (Appendix D, Implement Strong Access Control Measures Bullet 15, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Data backup processes? (12.10.1 (b)(4), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Back-ups of essential information and software (e.g., business information, systems information, and application information) should be performed often enough to meet business requirements. (CF.07.05.01, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for performing back-ups, which cover the types of information to be backed up. (CF.07.05.02a, The Standard of Good Practice for Information Security)
  • Back-ups should be clearly and accurately labeled. (CF.07.05.03g, The Standard of Good Practice for Information Security)
  • Back-ups of essential information and software (e.g., business information, systems information, and application information) should be performed often enough to meet business requirements. (CF.07.05.01, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for performing back-ups, which cover the types of information to be backed up. (CF.07.05.02a, The Standard of Good Practice for Information Security, 2013)
  • Back-ups should be clearly and accurately labeled. (CF.07.05.03f, The Standard of Good Practice for Information Security, 2013)
  • The system should be backed up on a regular basis. Critical systems should be backed up daily. Core services should be backed up in order to restore the services in the event of a denial of service attack. (Action 1.8.4, Special Action 3.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations. (Control 10.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should validate and update the system image on a regular basis. (Critical Control 3.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should verify that each system is automatically backed up on a weekly basis and more often if the system stores sensitive information. (Critical Control 8.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The backup procedure should include application software, the Operating System, and data and does not have to be included in the same backup file or use the same backup software. (Critical Control 8.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. (CIS Control 10: Sub-Control 10.5 Ensure All Backups Have at Least One Offline Backup Destination, CIS Controls, 7.1)
  • Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. (CIS Control 10: Sub-Control 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination, CIS Controls, V7)
  • The organization should consider redundant databases to prevent successful attack attempts. (§ 4.4.9, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • ¶ 8.1.6(4) Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency… (¶ 8.1.6(4), ¶ 10.3.1, ¶ 10.3.7, ¶ 10.4.15, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. (A.12.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Backup procedures should be in place to ensure all pertinent information and software will be available if a disaster or media failure occurs. The backup procedures should include what data should be backed up, how frequently it should be backed up, the physical and environmental protection standard… (§ 10.5.1, ISO 27002 Code of practice for information security management, 2005)
  • Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. (§ 12.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. (§ 8.13 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. The cloud service customer should also verify that they meet their backup requirements. The… (§ 12.3.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The back-up and recovery procedures should be reviewed at a specified, documented frequency. (§ 12.3.1 ¶ 7, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should have a policy which addresses the requirements for backup of information and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup purposes. (§ 12.3.1 ¶ 10, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should have a policy which addresses the requirements for backup of information and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup purposes. (§ 12.3.1 ¶ 8, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The back-up and recovery procedures should be reviewed at a specified, documented frequency. (§ 12.3.1 ¶ 6, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. (A1.2 ¶ 2 Bullet 8 Performs Data Backup, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization conducts and maintains backups of information and periodically conducts tests of backups to business assets (including full system recovery) to achieve cyber resilience. (PR.IP-4.2, CRI Profile, v1.2)
  • Backups of information are conducted, maintained, and tested periodically. (PR.IP-4, CRI Profile, v1.2)
  • The organization conducts and maintains backups of information and periodically conducts tests of backups to business assets (including full system recovery) to achieve cyber resilience. (PR.IP-4.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Components shall provide the capability to participate in system level backup operations in order to safeguard the component state (user- and system-level information). The backup process shall not affect the normal component operations. (11.5.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. (M1053 Data Backup, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Procedures exist to provide for the completeness, accuracy, and timeliness of backup data and systems. (Processing Integrity Prin. and Criteria Table § 3.20, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication, data destruction, system event monitoring and detection, and backup procedures (¶ 3.59 Bullet 9 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, asset management records, and other system documentation to understand IT policies and procedures and controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication… (¶ 3.50 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. (A1.2 Performs Data Backup, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. (A1.2 ¶ 2 Bullet 8 Performs Data Backup, Trust Services Criteria, (includes March 2020 updates))
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan must address a variety of issues including data back up and recovery. (R 3510(c)(1), NASD Manual)
  • Is there a policy or process for the backup of production data? (§ G.8.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization shall keep the system security profile in a secure location and up to date, and it should include pointers to other relevant documents. The organization shall keep a backup copy of the system security profile at a secure off-site storage location, preferably at the same location of … (§ 3.7 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must have a retrievable, exact copy of electronic CMS sensitive information before the equipment that processes this information is moved. (CSR 5.4.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The recovery data should be updated every time the system is modified. This will allow the system to be restored to the current software version. (§ 3.10, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • A new back-up tape should be made after any system modifications or updates have been completed. (§ 3.1 (1.013), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Each time the system goes through a system modification update, the emergency back-up media should be updated with the new configuration or software. (§ 3.10, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • CSPs are responsible for providing backups of data in a CSO consistent with the CP-9 security control. Mission Owners are also responsible for assuring their data is backed up consistent with the CP-9. However, mission owners must also consider the risk of entrusting their data to a single non-DoD C… (Section 5.12 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • All Data replication must traverse a CSP's private internal network (physical or virtual) from CSP offering site/location to the DR/COOP facility and protect the data in transit. If this network traverses the Internet, the network connection must be encrypted end-to-end in an IPsec tunnel implemente… (Section 5.10.3.3 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The backup and recovery procedures, following system failure, shall ensure data integrity by being able to compile updates to the Records Management Application. (§ C2.2.9.3.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The backup and recovery procedures, after system failure, shall ensure updates are shown in the Records Management Application and partial updates are separately identified. (§ C2.2.9.3.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Procedures must be developed to regularly backup essential information and security-related data. (§ 8-603.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Procedures shall be developed and implemented for creating and maintaining exact copies of retrievable electronic protected health information. (§ 164.308(a)(7)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (§ 164.308(a)(7)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Data backup and storage—centralized or decentralized approach. (§ 5.2.1.4 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Operating systems; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Utility programs; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Data; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Data synchronization, back-up, and recovery; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Appropriateness of resilience practices, including the adequacy of recovery infrastructure and backup processes. (IV.A Action Summary ¶ 3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implement appropriate backups and sufficient documentation and retention periods for each iteration of data backup. (App A Objective 6:3b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Periodically reassess backup and recovery strategies as technology and threats change. (App A Objective 6:3c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Backup and replication processes that facilitate recovery. (VI.B Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Storage, backup, and capacity needs to accommodate the entity's strategic plans. (App A Objective 12:4b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements physical and logical controls in the VoIP environment, evaluates options for backup systems, and considers control solutions specific to VoIP, such as VoIP-ready firewalls. (App A Objective 13:3o, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • This examination procedure may be coordinated with the examination procedures in the "Business Continuity Management" and "Information Security" booklets. Determine whether management implements backup methods, including replication, based on the risk and criticality of the systems and data. (App A Objective 15:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Policies, standards, and procedures. (App A Objective 15:4a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • VM versioning, replication, and life cycle policies for backup processes. (App A Objective 15:4a Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management responsibility to document, maintain, and test the plan and backup systems periodically according to risk. (App A Objective 12:9 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should decide what to back up based on the criticality of the software and data to the organization's operations. (Pg G-12 thru Pg G-15, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Back-up copies should be updated when a change is made to an application or system. (Pg 30, Pg G-13, Pg G-14, Exam Tier I Obj 6.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The back-up procedures should include the methodology to perform the backups and the responsibilities of personnel. The same requirements should be used throughout the organization. (Pg 30, Pg 32, Exam Tier I Obj 6.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should have a back-up plan. The plan should include procedures for backing up critical data and processing functions; procedures on how to obtain and use personnel and equipment; and procedures on how to continue processing during a disruption. (Pg 26, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Determine whether the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after … (Exam Tier II Obj 12.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Review the institution's policies and procedures regarding back-up systems. Assess whether: ▪ The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions. ▪ Supervisory personnel approve the acquisition and use of back-up equipme… (Exam Tier II Obj 10.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider shall determine which cloud environment elements require Information System backups. (Column F: CP-9, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the cloud environment elements that require Information System backup. (Column F: CP-9, FedRAMP Baseline Security Controls)
  • Is the firewall backed up? (IT - Firewalls Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include backup procedures and recovery procedures? (IT - Policy Checklist Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there written backup test procedures? (IT - Routers Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there procedures for backing up the Operating System and the software for each server? (IT - Servers Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.7.5 Bullet 1: Establish and implement procedures to create and maintain exact retrievable copies of ePHI. § 4.7.5 Bullet 2: Establish and implement procedures to restore any lost data. § 4.13.4 Bullet 1: Create an exact retrievable copy of ePHI before moving hardware or media. § 4.13.4 Bulle… (§ 4.7.5 Bullet 1, § 4.7.5 Bullet 2, § 4.13.4 Bullet 1, § 4.13.4 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The data back-up policy should identify where stored data will be located, the file-naming conventions to be used, how often the media will be rotated, and what method will be used to transfer the media offsite. (§ 3.4.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Backups of information are conducted, maintained, and tested (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Develop and implement network backup and recovery procedures. (T0065, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform system administration on specialized cyber defense applications and systems (e.g., antivirus, audit and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup, and restoration. (T0180, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Plan, execute, and verify data redundancy and system recovery procedures. (T0186, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. (T0056, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Data Backup. As soon as reasonable following reconstitution, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup should be stored with other system backups and comply with applicable security controls. (§ 4.4 ¶ 3 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Automate backup of data. Client/server systems should have software installed that automatically schedules data backups to a central data backup location. Data for backup should be stored at a common directory name (such as \My Documents) to ease in automated backup and to make sure that only pertin… (§ 5.2.1 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must perform backups of user-level information on a defined frequency. (SG.IR-10 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must perform backups of system-level information on a defined frequency. (SG.IR-10 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must perform backups of system documentation and security-related documentation on a defined frequency. (SG.IR-10 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must backup user level information on a predefined frequency that is consistent with the recovery time and recovery point objectives. (App F § CP-9.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must backup system level information on a predefined frequency that is consistent with the recovery time and recovery point objectives. (App F § CP-9.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must backup system documentation and security-related documentation on a predefined frequency that is consistent with the recovery time and recovery point objectives. (App F § CP-9.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop and implement network backup and recovery procedures. (T0065, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. (T0056, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Plan, execute, and verify data redundancy and system recovery procedures. (T0186, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Backups of data are created, protected, maintained, and tested (PR.DS-11, The NIST Cybersecurity Framework, v2.0)
  • Bank systems should reduce bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up systems should be maintained and tested on a regular basis to minimize the risk of system failures and unauthorized intrusions. System failures and unauthorized intrusions may resul… (¶ 38, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered acce… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 2, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • include procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite; and (§ 500.16 Incident Response and Business Continuity Management (a)(2)(v), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)