Test backup media for media integrity and information integrity, as necessary.


CONTROL ID
01401
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform backup procedures for in scope systems., CC ID: 11692

This Control has the following implementation support Control(s):
  • Test backup media at the alternate facility in addition to testing at the primary facility., CC ID: 06375


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In case of a locally incorporated AI, a principal concern is the ability of the HKMA to exercise its legal powers under the Banking Ordinance effectively if there is limited cooperation by the service provider. Accordingly, where a local AI is planning to outsource, for example, a major part of its … (2.9.2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • The backup methods and procedures must be assessed and confirmed by the person responsible in the operations department. This is a control item that constitutes a greater risk to financial information. (App 2-1 Item Number VI.7.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should consider defining procedures to verify that files are protected against inconsistency in developing failure/disaster recovery routines. (O63.2(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should carry out periodic testing and validation of the recovery capability of backup media and assess if the backup media is adequate and sufficiently effective to support the FI’s recovery process. (§ 8.4.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should periodically test the restoration of its system and data backups to validate the effectiveness of its backup restoration procedures. (§ 8.4.3, Technology Risk Management Guidelines, January 2021)
  • Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Security Control: 1515; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The organization should test the backup processes on a regular basis to verify its effectiveness. (Control: 0119 Bullet 3, Australian Government Information Security Manual: Controls)
  • APRA envisages that a regulated institution would regularly backup critical and sensitive IT assets, regardless of the level of resilience in place. Appropriate controls would be implemented to ensure the security of the backups is maintained while in transit and storage, typically via physical secu… (Attachment B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • System backups should be tested on a regular basis to ensure the backup media is effective. (§ 2.8.14, Australian Government ICT Security Manual (ACSI 33))
  • The integrity and the accuracy of backup data should be checked during validation and monitored periodically. (¶ 7.2, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the network and information systems or the ava… (Art. 12.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • test, on a regular basis, the plans and measures referred to in point (f), as well as the effectiveness of the controls implemented in accordance with points (a) and (c); (Art. 16.1. ¶ 2(g), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by … (Section 5.6 RB-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The provisions governing the data backup procedures (excluding data archiving) shall be set out in writing in a data backup strategy. The requirements contained in the data backup strategy for the availability, readability and timeliness of the customer and business data as well as for the IT system… (II.7.51, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The continued confidentiality, completeness, integrity and availability of the entity's systems and back-up information is evaluated and confirmed on a periodic basis. (S7.5 Testing confidentiality, completeness, integrity and availability of systems and back-up data, Privacy Management Framework, Updated March 1, 2020)
  • Procedures need to be implemented to validate the recovery of original data and information after backup, media transfer, transcription, archiving, or system failure. (¶ 19.3 Bullet 9, Good Practices For Computerized systems In Regulated GXP Environments)
  • Procedures should be implemented to test the backups and the disaster recovery procedures on a regular basis. (¶ 19.6 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • The control system shall provide the capability to verify the reliability of backup mechanisms. (11.5.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to validate the integrity of backed up information prior to the initiation of a restore of that information. (11.5.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • When back-up media is stored at a back-up site, the media should be loaded from the tape to disks to verify the media can be read. (Annex F.2.4 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Back-ups should be verified to ensure that backed up software and information can be restored successfully. (CF.07.05.03d, The Standard of Good Practice for Information Security)
  • Back-ups should be reconciled to the live version when copies are taken (e.g., by checking of file size, hash totaling, or other methods of verification). (CF.07.05.03f, The Standard of Good Practice for Information Security)
  • Back-ups should be verified to ensure that backed up software and information can be restored successfully. (CF.07.05.03c, The Standard of Good Practice for Information Security, 2013)
  • Back-ups should be reconciled to the live version when copies are taken (e.g., by checking of file size, hash totaling, or other methods of verification). (CF.07.05.03e, The Standard of Good Practice for Information Security, 2013)
  • System administrators should test the back-up media to ensure the drives are working properly. (Action 1.8.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. (Control 10.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should regularly test the backup media by restoring the data to verify it is working properly. (Critical Control 8.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Master images should be tested at the hot Disaster Recovery site or the warm Disaster Recovery site, as applicable. (Critical Control 3.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obl… (BCR-12, Cloud Controls Matrix, v3.0)
  • Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. (BCR-08, Cloud Controls Matrix, v4.0)
  • Testing the recovery of backups must be implemented at planned intervals. (DG-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. (CIS Control 10: Sub-Control 10.3 Test Data on Backup Media, CIS Controls, 7.1)
  • Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. (CIS Control 10: Sub-Control 10.3 Test Data on Backup Media, CIS Controls, V7)
  • Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency planning/di… (¶ 8.1.6(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. (A.12.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The backup media should be tested regularly to ensure that it will operate correctly in the event of an emergency. (§ 10.5.1, ISO 27002 Code of practice for information security management, 2005)
  • Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. (§ 12.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. (§ 8.13 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Procedures exist to provide for the integrity of backup data and systems that are maintained to support the system availability and related security policies. (Availability Prin. and Criteria Table § 3.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Does the policy or process for the backup of production data include a Requirement to test backup media and restoration procedures at least annually? (§ G.8.1.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization must test backup information for information integrity and media reliability after each backup. (CSR 5.4.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Back-up procedures must be tested regularly to verify they are operating correctly. (§ 8-603.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Processing data using backup media or alternative methods. (App A Objective 10:16h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Systems, applications, and data recovery is tested at least annually. (Domain 5: Assessment Factor: Resilience Planning and Strategy, TESTING Baseline 2 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Processes to regularly test backup copies for readability. (App A Objective 15:4a Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Documented periodic physical reviews to confirm that all relevant backup material is available. (App A Objective 15:4a Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The back-up media should be tested regularly to ensure the media is readable. (Pg G-13, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The back-up system should be tested periodically to ensure it functions correctly. (Pg 30, FFIEC IT Examination Handbook - Management)
  • The organization should periodically test the back-up copies for readability. (Pg 30, Exam Tier I Obj 6.7, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the backup capabilities are tested regularly to ensure the procedures work correctly and employees are familiar with the procedures. (Pg 26, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Have backup router configuration files been tested? (IT - Routers Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • How often are the backup router configuration files tested? (IT - Routers Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Have the server backups been tested and does documentation of the tests exist? (IT - Servers Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • To determine how often back-up media should be tested, the Information System Contingency Plan Coordinator should reference the Business Impact Analysis and the resilience policy. (§ 5.1.5 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Backups of information are conducted, maintained, and tested (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Backups of information are conducted, maintained, and tested periodically (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Backups of information are conducted, maintained, and tested periodically. (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure back-up information is tested in the organization-defined time period and the results of the tests show that the back-up media is reliable and that the integrity of the information is maintained. (CP-9(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Backups of information are conducted, maintained, and tested. (PR.PO-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must test backups at a defined frequency to verify information integrity and media reliability. (SG.IR-10 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should test backup information on a predefined frequency to verify information integrity and media reliability. (App F § CP-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization tests backup information {organizationally documented frequency} to verify media reliability and information integrity. (CP-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests backup information {organizationally documented frequency} to verify media reliability and information integrity. (CP-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tests backup information {organizationally documented frequency} to verify media reliability and information integrity. (CP-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Backups of data are created, protected, maintained, and tested (PR.DS-11, The NIST Cybersecurity Framework, v2.0)
  • ability to restore its critical data and information systems from backups. (§ 500.16 Incident Response and Business Continuity Management (d)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
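Several of the authority documents above describe the same underlying technique: reconcile the backup to the live data when the copy is taken (file size, hash totals), read the media back to prove it is readable, and validate integrity before a restore is started. The following is an added worked example of that technique, written for this page; it is not code from any of the cited standards or from a backup product. It assumes a file-tree backup copy, a manifest of per-file sizes and SHA-256 digests kept on a location separate from the backup media, and a constructed sample tree; the key, paths and function names are illustrative.

```python
"""Backup integrity check: build a hash manifest when the backup is taken,
verify the backup copy against it before any restore.

Added example for this page, not from any cited standard or product.
Assumes a file-tree backup and a manifest stored apart from the media;
the key and sample data below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so large files never load into memory


def file_fingerprint(path: Path) -> dict:
    """Size plus SHA-256 of one file. Reading every byte also serves as the
    media-readability test: an unreadable sector raises OSError here."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": h.hexdigest()}


def build_manifest(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON so a manifest rewritten alongside the backup
    (e.g. by ransomware) is detected rather than trusted. Keep the key off
    the backup media (hypothetical key management, not shown)."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare the backup copy against the manifest taken from live data.
    Returns every discrepancy a restore test must clear before restoring."""
    report = {"ok": [], "missing": [], "size_mismatch": [],
              "hash_mismatch": [], "unreadable": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        try:
            actual = file_fingerprint(p)
        except OSError:
            report["unreadable"].append(rel)
            continue
        if actual["size"] != expected["size"]:
            report["size_mismatch"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            report["hash_mismatch"].append(rel)  # same size, altered content
        else:
            report["ok"].append(rel)
    report["passed"] = not any(report[k] for k in
                               ("missing", "size_mismatch", "hash_mismatch", "unreadable"))
    return report


def demo() -> tuple:
    """Constructed data: a small live tree, a copy of it, then one flipped
    byte and one lost file to simulate media degradation."""
    key = b"constructed-demo-key-keep-off-the-backup-media"
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "ledger.sql").write_bytes(b"INSERT INTO ledger VALUES (1, 100);\n" * 50)
        (live / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)          # reconcile to live at copy time
        seal = seal_manifest(manifest, key)

        # Before trusting the manifest for a restore test, check its seal.
        if not hmac.compare_digest(seal, seal_manifest(manifest, key)):
            raise RuntimeError("manifest has been altered")
        clean = verify_backup(manifest, backup)

        target = backup / "db" / "ledger.sql"    # bit rot: size unchanged
        data = bytearray(target.read_bytes())
        data[10] ^= 0x01
        target.write_bytes(bytes(data))
        (backup / "config.ini").unlink()         # file lost from the media
        damaged = verify_backup(manifest, backup)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup passed:", clean["passed"])
    print("damaged backup:", {k: v for k, v in damaged.items() if v and k != "ok"})
```

A size check alone would miss the flipped byte; only the digest catches it, which is why the reconciliation guidance above pairs size with hash totals. The HMAC seal matters because an attacker or a faulty job that can rewrite the backup can usually rewrite an unprotected manifest too; the integrity reference has to be stored and authenticated independently of the media it vouches for.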