Store backup media at an off-site electronic media storage facility.


CONTROL ID: 01332
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish and maintain off-site electronic media storage facilities. (CC ID: 00957)

This Control has the following implementation support Control(s):
  • Transport backup media in lockable electronic media storage containers. (CC ID: 01264)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Copies of vital records should be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certa… (4.6.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • A licensed or registered person should back up business records, client and transaction databases, servers and supporting documentation in an off-line medium on at least a daily basis. (2.8. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • Store backup files in a remote place (effective against large-scale disasters such as earthquakes). (P41.2. ¶ 3(2) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to cope with the tampering and destruction of programs caused by unauthorized programs such as computer viruses and damage due to troubles and disasters, it is necessary to acquire backup copies of important program files, such as a production program, and to define the storage and manageme… (P41.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Store backup files in a remote place (effective against large-scale disasters such as earthquakes). (P39.2. ¶ 2(2) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To protect data in backup from unauthorised access and modification, the FI should ensure any confidential data stored in the backup media is secured (e.g. encrypted). Backup media should be stored offline or at an offsite location. (§ 8.4.4, Technology Risk Management Guidelines, January 2021)
  • Backups are stored offline, or online but in a non-rewritable and non-erasable manner. (Security Control: 1512; Revision: 0, Australian Government Information Security Manual, March 2021)
  • The procedures for securing the backup tapes should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "System backup and recovery", Australian Government Information Security Manual: Controls)
  • The organization should store the backup media and the associated documented recovery procedures at a remote location and secured in accordance with the classification or sensitivity of the information. (Control: 0119 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should implement controls for maintaining the security of backup media during storage. (Attach B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should store the backup media at an off-site location located away from the primary site. (Attach B ¶ 13, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All components required to enact the recovery plans would typically be located at a sufficient distance from the operational site(s) so that they are not impacted by the same disaster. This includes: recovery sites and hardware; backups of data/information and software; and copies of the recovery pl… (Attachment B ¶ 13, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • All backups should be stored at an offsite location, along with the recovery procedures, and secured in accordance with the classification of the backup. (§ 2.8.14, Australian Government ICT Security Manual (ACSI 33))
  • ICT system backup and recovery procedures for critical software and data, that ensure that these backups are stored in a secure and sufficiently remote location, so that an incident or disaster cannot destroy or corrupt these critical data; (Title 3 3.3.4(a) 54.b(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The data to be backed up is transmitted to a remote site (e. g. another data centre of the cloud provider) or transported to a remote site on backup media. If the backup of the data is transmitted to the remote site via a network, this is carried out in an encrypted form that conforms to the state o… (Section 5.6 RB-09 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • All critical data should be backed up and stored at an offsite location. This will allow for recovery in case of a disaster. (§ 8.4, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Procedures should exist for the routine backup of data to a safe storage location that is separated from the primary storage location. (¶ 19.6 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Backup data should be stored at a secure offsite location, as long as necessary. (¶ 14, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Verify that all backups are stored securely, preferably offsite. (§ 9.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Observe the physical security of the storage location to verify the backup media storage is secure. (Testing Procedures § 9.5.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must store all backups securely, preferably offsite. (§ 9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that all backups are stored securely, preferably offsite. (§ 9.5 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Media backups must be stored in a secure location, preferably an offsite facility or a commercial storage facility. (PCI DSS Requirements § 9.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. (9.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. (9.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. (9.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility? (9.5.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility? (9.5.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Verify that the storage location security is reviewed at least annually to confirm that backup media storage is secure. (9.5.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify that procedures are defined for physically securing offline media backups with cardholder data in a secure location. (9.4.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine logs or other documentation and interview responsible personnel at the storage location to verify that offline media backups are stored in a secure location. (9.4.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility? (PCI DSS Question 9.5.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility? (PCI DSS Question 9.5.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offline media backups with cardholder data are stored in a secure location. (9.4.1.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If the organization uses tape-based backups as the primary method of backup, copies of the back-up media should be taken and stored offsite as soon as possible. If the media is stored on site, it should be stored in a fireproof safe or controlled environment at some distance from the original source… (Annex F.2.4, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Talks about different third-party alternative site arrangements that can be made. There are four basic types of storage that may be considered: dedicated space, syndicated space, mobile facilities, and prefabricated. Dedicated space is a guaranteed, consistently available space that the orga… (Stage 2, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Client organizations must ensure that the infrastructure, systems, and documents of a service provider are secured properly. Organizations are demanding higher security levels in outsourcing facilities, especially when the outsourced activity is critical to the organization's operations. Key physica… (§ 5.2 (Physical Security and Environmental Controls), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Vital records should be stored at an offsite location. Backups of the evidence obtained during an investigation should be stored offsite and be available immediately. (Revised Volume 3 1-I-33, Revised Volume 2 Pg 1-I-31, Protection of Assets Manual, ASIS International)
  • Back-ups should be protected from loss, damage and unauthorized access, by keeping copies in secure facilities off-site, to enable systems or networks to be restored using alternative facilities in the event of a disaster. (CF.07.05.06c, The Standard of Good Practice for Information Security)
  • Back-ups should be protected from loss, damage and unauthorized access, by keeping copies in secure facilities off-site, to enable systems or networks to be restored using alternative facilities in the event of a disaster. (CF.07.05.07c, The Standard of Good Practice for Information Security, 2013)
  • Backups should be stored off site. Back-up tapes should be stored safely to prevent them from being lost or stolen. If the back-up tapes are compromised, the entire case could be placed in jeopardy. (Action 1.8.4, Action 3.4.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should store backup media in a physically secure, locked facility. (Critical Control 8.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Dispersed storage locations for back-up media are required. (§ 4.3.7.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Organizations should be provided with secure storage facilities and accessories in order to store their vital records, supplies, and magnetic media. For storage facilities that are not located within the recovery premises, the selection process should be the same as that used to select a recovery si… (§ 6.4.7(c), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Backup media should be stored at a site that is located away from the main site. This will prevent the backup media from being damaged if there is a disaster at the main site. (§ 9.1.4, § 10.5.1, ISO 27002 Code of practice for information security management, 2005)
  • In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. (§ 12.3.1 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Information processing systems based on the cloud computing model introduce additional or alternative mechanisms to off-site backups for protecting against loss of data, ensuring continuity of data processing operations, and providing the ability to restore data processing operations after a disrupt… (§ 12.3.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Information processing systems based on the cloud computing model introduce additional or alternative mechanisms to off-site backups for protecting against loss of data, ensuring continuity of data processing operations, and providing the ability to restore data processing operations after a disrupt… (§ 12.3.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. (A1.2 ¶ 2 Bullet 9 Addresses Offsite Storage, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • When designing to support a backup capability, consideration should be given to information that will be stored in backups. Some of this information may contain cryptographic keys and other information that is protected through security controls while part of the system. Once the information is plac… (11.5.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. (A1.2 Addresses Offsite Storage, Trust Services Criteria)
  • Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. (A1.2 ¶ 2 Bullet 9 Addresses Offsite Storage, Trust Services Criteria, (includes March 2020 updates))
  • Is backup media stored offsite? (§ G.8.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • § 3.7 ¶ 2: The organization shall keep a backup copy of the system security profile at a secure off-site storage location, preferably at the same location of the back-up tapes and/or back-up facilities. App A § 5 ¶ 2: The contingency plan shall provide for off-site storage of data; backup softwa… (§ 3.7 ¶ 2, App A § 5 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 5.4.1: The contingency plan must detail the delivery method to and from the off-site security storage facility. CSR 5.4.6: The organization must store 3 generations of backups off site. The on-site and off-site backups must be logged with the name, date, time, and location. Operating system and … (CSR 5.4.1, CSR 5.4.6, CSR 5.11.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization will conduct system backups daily that are stored in a safe that is fireproof and only accessible to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • The emergency restore data disk should be stored in a locked, fireproof container; one copy should be stored offsite. (§ 3.10, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The back-up tapes should be stored offsite in a locked container to prevent the destruction of the back-up tape in the event of a catastrophe at the main site. (§ 3.1 (1.013), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • The back-up storage media should be stored offsite in a secure location to prevent damage to it in the event of a catastrophe at the main site. (§ 3.10, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • The Records Management Application backup database files shall be stored offline and at a separate location from the original database files. (§ C2.2.9.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Requires that the method used to back-up records databases create copies to be stored off-line or at a separate location or locations. (§ C2.2.9.1, § C2.2.9.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The hardware inventory backup copy must be stored in a fire-rated container or not located in the same facility with the original. (DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Operating System backup copies must be stored in a fire rated container or not located in the same facility with the operational software. (COSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The critical software backup copies must be stored in a fire rated container or not located in the same facility with the operational software. (COSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The software inventory backup copy must be stored in a fire-rated container or not located in the same facility with the original. (DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Recovery media must be stored offsite in a location that has the appropriate confidentiality level and Mission Assurance Category. (CODB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Back-up files and documentation must be stored offsite. (§ 8-603.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Backups of configurations and data off-site and on a separate system or media. (App A Objective 15:4a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should maintain copies of the back-up media at an offsite storage location. (Pg G-13, Pg G-16, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should store the back-up media at an offsite location. (Pg 30, Exam Tier I Obj 6.4, Exam Tier I Obj 6.6, FFIEC IT Examination Handbook - Operations, July 2004)
  • Provisions for secured transport and off-site storage of sensitive customer information. (App A Tier 2 Objectives and Procedures E.1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether data and program files are adequately secured, retained, and backed up at off-premises facilities, including secured transport mechanisms for those resources. (App A Tier 2 Objectives and Procedures L.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether data and program files are adequately secured, retained, and backed up at off-premises facilities, including secured transport mechanisms for those resources. (Exam Tier II Obj 12.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Calls for back-up media to be stored at an offsite facility. (SC-2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Back-up media should be stored at an offsite facility. (§ 395C.3, GAO/PCIE Financial Audit Manual (FAM))
  • The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • The organization must store all backups, including that of Federal Tax Information, at a secure back-up location. The organization must ensure the necessary agreements are in place with the alternate storage site. (§ 5.6.6, Exhibit 4 CP-6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Storing backed up data at an off-site location is a good business practice. The location should be secure and environmentally controlled. Commercial data storage facilities are designed to archive the media and protect the data. The following criteria should be considered when selecting an off-site … (§ 3.4.2, § 5.1.3 ¶ 4, § 5.1.5 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure agreements have been made to store back-up data at an alternate storage site, the alternate storage site agreements are reviewed and updated regularly, and specific responsibilities and actions are defined for the implementation of th… (CP-6, CP-9(3), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The safe onsite and offsite storage of full and incremental backups. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 3 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements. If using offsite storage, data is backed up at the organization's facility and then labeled, packed, and transported to… (§ 3.4.2 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Offsite Data Storage. If offsite data storage is used, procedures should be documented for returning retrieved backup or installation media to its offsite data storage location. (§ 4.4 ¶ 3 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contingency considerations for client/server systems should emphasize data availability, confidentiality, and integrity at both the server system level and the client level. To address these requirements, regular and frequent backups of data should be stored offsite. Specifically, the system manager… (§ 5.2.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Hot Sites. Hot sites are locations with fully operational equipment and capacity to quickly take over system operations after loss of the primary system facility. A hot site has sufficient equipment and the most current version of production software installed, and adequate storage for the productio… (§ 5.1.5 ¶ 2 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Store backups offsite or at an alternate site. As mentioned in Section 3.4.2, backup media should be stored offsite or at an alternate site in a secure, environmentally controlled facility. (§ 5.2.1 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Store backup information at an alternate site. If users back up data on a stand-alone system rather than saving data to the network, a means should be provided for storing the media at an alternate site. Software licenses and original system software, vendor SLAs and contracts, and other important d… (§ 5.2.1 ¶ 2 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • In addition to backing up data, organizations should also back up system software and drivers. Organizations should store software and software licenses in an alternate location. This includes original installation media, license terms and conditions, and license keys, if required. Image loads for c… (§ 5.1.3 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Store backup media offsite. Backup media should be labeled, logged, and stored offsite in a secure, environmentally controlled facility. The storage facility should be located far enough away from the original site to reduce the likelihood that both sites would be affected by the same event. Additio… (§ 5.4.1 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Mainframes should be backed up regularly, and backup media should be stored offsite. Backup and retention schedules should be based on the criticality of the data being processed and the frequency that the data is modified. (See Section 5.2.2 for backup solutions.) As with servers, remote journaling… (§ 5.4.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup media should be stored offsite in a secure, environmentally controlled location. When selecting the offsite location, hours of the location, ease of accessibility to backup media, physical storage limitations, and the contract terms should be taken into account. The ISCP Coordinator should re… (§ 5.1.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Operation/Maintenance Phase. When the information system is operational, users, administrators, and managers should maintain a test, training, and exercise program which continually validates the contingency plan procedures and technical recovery strategy. Exercises and tests should be conducted on … (Appendix F ¶ 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should store backups of the Operating System and other critical Information System software in a separate facility or in a fire-rated container that is not collocated with the operational software. (App F § CP-9(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization stores backup copies of {organizationally documented other security-related information} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization stores backup copies of {organizationally documented other security-related information} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • include procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite; and (§ 500.16 Incident Response and Business Continuity Management (a)(2)(v), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The organization stores backup copies of {organizationally documented critical information system software} in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. (CP-9(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)