Back

Perform backup procedures for in scope systems.


CONTROL ID
11692
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Include technical preparation considerations for backup operations in the continuity plan., CC ID: 01250

This Control has the following implementation support Control(s):
  • Perform full backups in accordance with organizational standards., CC ID: 16376
  • Perform incremental backups in accordance with organizational standards., CC ID: 16375
  • Back up all records., CC ID: 11974
  • Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups., CC ID: 16374
  • Document the Recovery Point Objective for triggering backup operations and restoration operations., CC ID: 01259
  • Encrypt backup data., CC ID: 00958
  • Log the execution of each backup., CC ID: 00956
  • Test backup media for media integrity and information integrity, as necessary., CC ID: 01401
  • Test each restored system for media integrity and information integrity., CC ID: 01920
  • Digitally sign disk images, as necessary., CC ID: 06814


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Backup and archival (Critical components of information security 1) 2) q. x., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Confidentiality of data under conversion—ensuring that data is backed up before migration for future reference or any emergency that might arise out of the data migration process (Critical components of information security 12) (ii) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Backing up firewalls to internal media and not backing up the firewall to servers on protected networks (Critical components of information security 24) vii. a) ¶ 13 Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A cloud computing system must ensure backup of all its clients' information. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 2 ¶ 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Just as with physical servers, virtual systems need to be regularly backed-up for error recovery. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • To minimise risks associated with changes, FIs should perform backups of affected systems or applications prior to the change. The FI should establish a rollback plan to revert to a former version of the system or application if a problem is encountered during or after the deployment. The FI should … (§ 7.1.6, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should perform a backup of the information asset prior to the change implementation, and establish a rollback plan to revert the information asset to the previous state if a problem arises during or after the change implementation. (§ 7.5.5, Technology Risk Management Guidelines, January 2021)
  • Information, applications and configuration settings are backed up in a secure and proven manner on a regular basis. (P9:, Australian Government Information Security Manual, March 2021)
  • Backups of important information, software and configuration settings are performed at least daily. (Security Control: 1511; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis. (P9:, Australian Government Information Security Manual, June 2023)
  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. (Control: ISM-1511; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. (Control: ISM-1810; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis. (P9:, Australian Government Information Security Manual, September 2023)
  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. (Control: ISM-1511; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. (Control: ISM-1810; Revision: 0, Australian Government Information Security Manual, September 2023)
  • APRA envisages that a regulated institution would regularly backup critical and sensitive IT assets, regardless of the level of resilience in place. Appropriate controls would be implemented to ensure the security of the backups is maintained while in transit and storage, typically via physical secu… (Attachment B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • § 2.8.14 All information and data critical to the business should be backed up on a regular basis. (§ 2.8.14, Australian Government ICT Security Manual (ACSI 33))
  • Technical and organizational instructions will be issued to ensure data back-ups are conducted at least weekly. When data has been damaged, measures must be implemented to ensure data access is restored within a specific deadline which is not more than 7 days. (Annex B.18, Annex B.23, Italy Personal Data Protection Code)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in th… (Control 10.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that all system data is automatically backed up on a regular basis. (CIS Control 10: Sub-Control 10.1 Ensure Regular Automated Backups, CIS Controls, 7.1)
  • Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. (CIS Control 10: Sub-Control 10.2 Perform Complete System Backups, CIS Controls, 7.1)
  • The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. (CIS Control 10: Data Recovery Capabilities, CIS Controls, 7.1)
  • The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. (CIS Control 10: Data Recovery Capabilities, CIS Controls, V7)
  • Ensure that all system data is automatically backed up on a regular basis. (CIS Control 10: Sub-Control 10.1 Ensure Regular Automated Backups, CIS Controls, V7)
  • Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. (CIS Control 10: Sub-Control 10.2 Perform Complete System Backups, CIS Controls, V7)
  • Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. (CIS Control 11: Safeguard 11.2 Perform Automated Backups, CIS Controls, V8)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Backups of information are conducted, maintained, and tested periodically. (PR.IP-4, CRI Profile, v1.2)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 9, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Regularly perform and test data back-ups. (RE.2.137, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Regularly perform complete, comprehensive, and resilient data back-ups as organizationally defined. (RE.3.139, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Regularly perform and test data back-ups. (RE.2.137, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Regularly perform complete, comprehensive, and resilient data back-ups as organizationally defined. (RE.3.139, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Regularly perform and test data back-ups. (RE.2.137, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Regularly perform complete, comprehensive, and resilient data back-ups as organizationally defined. (RE.3.139, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Regularly perform and test data back-ups. (RE.2.137, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Additionally, all DoD information/data and CSP information/data shared with the Mission Owner must be made available for off-boarding and backup IAW sections 5.8, Data Retrieval and Destruction for Off-boarding from a CSO and 5.12 - Backup. (Section 5.2.3 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conduct backups of user-level information contained in [FedRAMP Assignment: organization-defined system components] [Assignment: daily incremental; weekly full]; (CP-9a., FedRAMP Security Controls High Baseline, Version 5)
  • Conduct backups of system-level information contained in the system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b., FedRAMP Security Controls High Baseline, Version 5)
  • Conduct backups of user-level information contained in [FedRAMP Assignment: organization-defined system components] [Assignment: daily incremental; weekly full]; (CP-9a., FedRAMP Security Controls Low Baseline, Version 5)
  • Conduct backups of system-level information contained in the system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b., FedRAMP Security Controls Low Baseline, Version 5)
  • Conduct backups of user-level information contained in [FedRAMP Assignment: organization-defined system components] [Assignment: daily incremental; weekly full]; (CP-9a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Conduct backups of system-level information contained in the system [FedRAMP Assignment: daily incremental; weekly full]; (CP-9b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must conduct backups of all systems and Federal Tax Information. (§ 5.6.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Backups of information are conducted, maintained, and tested (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Backups of information are conducted, maintained, and tested periodically (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Backups of information are conducted, maintained, and tested periodically. (PR.IP-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure the information required to be backed up is identified; the storage location is identified; backups are conducted on a regular basis; and specific responsibilities and actions are defined for the implementation of the information syst… (CP-9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform backup and recovery of databases to ensure data integrity. (T0162, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). (T0190, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Backups of information are conducted, maintained, and tested. (PR.PO-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data… (§ 3.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements. If using offsite storage, data is backed up at the organization's facility and then labeled, packed, and transported to… (§ 3.4.2 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Data Backup. As soon as reasonable following reconstitution, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup should be stored with other system backups and comply with applicable security controls. (§ 4.4 ¶ 3 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Data backups should be conducted on all systems on a regular basis. Systems can be backed up for individual computers or on a centralized storage device, such as network attached storage (NAS) or storage area network (SAN). There are three common methods for performing system backups: (§ 5.1.2 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • In addition to backing up data, organizations should also back up system software and drivers. Organizations should store software and software licenses in an alternate location. This includes original installation media, license terms and conditions, and license keys, if required. Image loads for c… (§ 5.1.3 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Minimize the amount of data stored on a client computer. Critical user data should be stored on central servers that are backed up as part of an organization's enterprise backup strategy, rather than on the client computer hard drive. (§ 5.2.1 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Mainframes should be backed up regularly, and backup media should be stored offsite. Backup and retention schedules should be based on the criticality of the data being processed and the frequency that the data is modified. (See Section 5.2.2 for backup solutions.) As with servers, remote journaling… (§ 5.4.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Network Storage. Data stored on networked client/server systems can be backed up to a networked disk. The amount of data that can be backed up from a client/server system is limited by the network disk storage capacity or disk allocation to the particular user. If users are instructed to save files … (§ 5.2.2 ¶ 4 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Operation/Maintenance Phase. When the information system is operational, users, administrators, and managers should maintain a test, training, and exercise program which continually validates the contingency plan procedures and technical recovery strategy. Exercises and tests should be conducted on … (Appendix F ¶ 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Perform backup and recovery of databases to ensure data integrity. (T0162, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). (T0190, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization conducts backups of user-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {organizationally documented recovery point objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {organizationally documented recovery point objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {organizationally documented recovery point objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of user-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of system-level information contained in the information system {organizationally documented recovery point objectives}. (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {according to organizationally documented frequency consistent with recovery time objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts backups of information system documentation including security-related documentation {organizationally documented recovery point objectives}. (CP-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; (CP-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conducts backups of user-level information contained in the information system [TX-RAMP Assignment: daily incremental; weekly full]; (CP-9a., TX-RAMP Security Controls Baseline Level 1)
  • Conducts backups of system-level information contained in the information system [TX-RAMP Assignment: daily incremental; weekly full]; (CP-9b., TX-RAMP Security Controls Baseline Level 1)
  • Conducts backups of user-level information contained in the information system [TX-RAMP Assignment: daily incremental; weekly full]; (CP-9a., TX-RAMP Security Controls Baseline Level 2)
  • Conducts backups of system-level information contained in the information system [TX-RAMP Assignment: daily incremental; weekly full]; (CP-9b., TX-RAMP Security Controls Baseline Level 2)