Determine which data elements to back up.


CONTROL ID
13483
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain backup procedures for in scope systems. (CC ID: 01258)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • For files that require higher reliability, duplication is recommended. (P85.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to cope with line failures promptly, provide backups for important lines. (P87.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT sys… (3.5 57, Final Report EBA Guidelines on ICT and security risk management)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • Data is evaluated to determine whether backup is required. (A1.2 ¶ 2 Bullet 7 Determines Data Requiring Backup, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Data is evaluated to determine whether backup is required. (A1.2 Determines Data Requiring Backup, Trust Services Criteria)
  • Data is evaluated to determine whether backup is required. (A1.2 ¶ 2 Bullet 7 Determines Data Requiring Backup, Trust Services Criteria, (includes March 2020 updates))
  • CSPs are responsible for providing backups of data in a CSO consistent with the CP-9 security control. Mission Owners are also responsible for assuring their data is backed up consistent with the CP-9. However, mission owners must also consider the risk of entrusting their data to a single non-DoD C… (Section 5.12 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data… (§ 3.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • What data should be backed up and how often should it be backed up? (§ 5.1.2 ¶ 4 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))