Document the backup method and backup frequency on a case-by-case basis in the backup procedures.


CONTROL ID: 01384
CONTROL TYPE: Systems Continuity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain backup procedures for in scope systems (CC ID: 01258)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O29.2: To ensure the quality of programs and determine the time intervals for saving backup copies, the organization shall establish a generation management method by considering how much time it takes to recover damaged programs and the impact during that downtime. O34.2: The organization shall rou… (O29.2, O34.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • When acquiring backup copies, it is necessary to set appropriate intervals at which to store data files according to type, time to update, etc. (P39.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To ensure data availability is aligned with the FI's business requirements, the FI should institute a policy to manage the backup data life cycle, which includes the establishment of the frequency of data backup and data retention period, management of data storage mechanisms, and secure destruction… (§ 8.4.2, Technology Risk Management Guidelines, January 2021)
  • Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT sys… (3.5 57, Final Report EBA Guidelines on ICT and security risk management)
  • backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data; (Art. 12.1.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Technical and organizational instructions will be issued to ensure data back-ups are conducted at least weekly. (Annex B.18, Italy Personal Data Protection Code)
  • The frequency for storing the backup data at a safe storage location should be based on an analysis of the risk to the data. (¶ 19.6 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (A3.2.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Business continuity plans should identify data back up frequency. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • There should be documented standards / procedures for performing back-ups, which cover back-up cycles. (CF.07.05.02b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for performing back-ups, which cover methods for performing back-ups (including validation, labelling and storage). (CF.07.05.02c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for performing back-ups, which cover back-up cycles. (CF.07.05.02b, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for performing back-ups, which cover methods for performing back-ups (including validation, labelling and storage). (CF.07.05.02c, The Standard of Good Practice for Information Security, 2013)
  • Backup arrangements should take into account legal, regulatory, and contractual requirements (e.g., the handling of personally identifiable information, document retention, and customer information). (CF.07.05.04, The Standard of Good Practice for Information Security, 2013)
  • Backups should be created as soon as there are indicators that a security-related incident has occurred. New (unused) media should be used to back up the system to prevent juries from being convinced that the "evidence is faulty" because it could have been present prior to the incident. Backing up the i… (Action 3.4.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. (CIS Control 11: Safeguard 11.2 Perform Automated Backups, CIS Controls, V8)
  • Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency planning/di… (¶ 8.1.6(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The backup system should include a regular backup schedule, providing routine and urgent access to the backup tapes, multiple copies on different media, and dispersed storage locations. (§ 4.3.7.3 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The type and frequency of backups should be determined based on the business needs, the security requirements of the information, and the criticality of the information to the organization. (§ 10.5.1, ISO 27002 Code of practice for information security management, 2005)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • CSR 5.4.1: The contingency plan must specify what critical data is and how often it is backed up. CSR 5.4.5: The organization must create backup files on a prescribed basis and store enough off-site to avoid a disruption if the current files are damaged or lost. CSR 5.4.6: The organization must per… (CSR 5.4.1, CSR 5.4.5, CSR 5.4.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Government data backups must be performed by remote users on a regular basis. (§ 3.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The organization must conduct backups at least weekly. (CODB-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must conduct backups daily. (CODB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A redundant secondary system must be used to maintain the data backup. (CODB-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The frequency of the backups must be determined by the Information System Security Manager (ISSM). (§ 8-603.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Procedures to verify adherence to backup schedules. (App A Objective 15:4a Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management responsibility to document, maintain, and test the plan and backup systems periodically according to risk. (App A Objective 12:9 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The continuity plan should include the back-up schedule and method for all vital records. The frequency of backups should be adjusted based on the volume of data processed and the amount of data that may need to be recreated. (Pg 30, Pg G-7, Pg G-12, Pg G-15, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should develop written standards documenting the methodology used to back up the system. (Pg 30, Exam Tier I Obj 6.1, Exam Tier I Obj 6.4, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether data and program files are adequately secured, retained, and backed up at off-premises facilities, including secured transport mechanisms for those resources. (App A Tier 2 Objectives and Procedures L.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider shall determine how to verify the Information System backup and how often to verify it. (Column F: CP-9, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the verification procedures and the time period for the Information System backups. (Column F: CP-9, FedRAMP Baseline Security Controls)
  • Does management schedule the backup and retention of data? (IT - Business Continuity Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • System data should be backed up on a regular basis, and a policy should be developed specifying the back-up frequency based on data criticality and the frequency new data is introduced into the system. The method used for backing up the data should be based on the system and data integrity and avail… (§ 3.4.2, § 5.1.2 ¶ 3 thru 5, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Several alternative approaches should be considered when developing and comparing strategies, including cost, maximum downtimes, security, recovery priorities, and integration with larger, organization-level contingency plans. Table is an example that can assist in identifying the linkage of FIPS 19… (§ 3.4.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data… (§ 3.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Minimum frequency of backups and storage of backup media. (§ 3.1 ¶ 1 Bullet 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • What data should be backed up and how often should it be backed up? (§ 5.1.2 ¶ 4 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Storage volume. To ensure adequate storage, the amount of data to be backed up should determine the appropriate backup solution. (§ 5.1.2 ¶ 5 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Mainframes should be backed up regularly, and backup media should be stored offsite. Backup and retention schedules should be based on the criticality of the data being processed and the frequency that the data is modified. (See Section 5.2.2 for backup solutions.) As with servers, remote journaling… (§ 5.4.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))