ITSS_01 IT Security Standard Data Backup

Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Next review date: 7 June 2017

Standard Statement
The backup of important information is often the last line of defence in the
event of either accidental or malicious loss or modification of UNSW
information, applications and infrastructure configurations. The purpose of this
standard is to set out the baseline requirements for the backup of UNSW
information systems and data.
Purpose

UNSW information must be backed up on a regular basis, protected from
unauthorised access or modification during storage, and available for recovery
in a timely manner. Because backup media may hold large volumes of sensitive
information (for example UNSW financial transactions and personally
identifiable information), backup media must be protected throughout the
entire information lifecycle.

Scope

This standard applies to all UNSW Information Communication Technology
systems and end-user computing devices, including non-production systems
that hold information whose loss would impact UNSW.
This standard does not cover data availability achieved through replication
techniques, such as database synchronisation between production and disaster
recovery facilities, or data deduplication.

Are Local Documents on this subject permitted?
- Yes
- Yes, subject to any areas specifically restricted within this Document
- No

Standard

1. Controls ........................................................ 1
   1.1 Backup schedule considerations ............................... 1
   1.2 Verification of backup processes and investigating failures .. 2
   1.3 Validation of backup media and recovery processes ............ 2
   1.4 Protection of backups and backup media ....................... 2
   1.5 Retention and disposal of backups and backup media ........... 2
   1.6 Backup media locations and off-site transportation of backup media .. 2
2. Control Exceptions .............................................. 2
3. ISMS Mapping with Industry Standards ............................ 3
4. Document Review, Approval & History ............................. 3
   4.1 Quality Assurance ............................................ 3
   4.2 Sign Off ..................................................... 3

1. Controls

1.1 Backup schedule considerations


1.1.1 Backups must be scheduled according to the availability requirements of the information that
is being backed up. A backup schedule must be documented and maintained for all UNSW
systems. Table 1 documents the minimum backup schedules for the identified UNSW data
types.

Table 1: Backup Schedule

What                                     | How Often                                  | How
Infrastructure configuration             | According to Solution Design Documentation | According to Solution Design Documentation
(network, server, appliance)             |                                            |
Software (O/S, applications, utilities)  | Full, Incremental or Differential          | Magnetic tape, Hard disk, Optical storage or Solid state storage
Data (files, databases)                  | Full, Incremental or Differential          | Magnetic tape, Hard disk, Optical storage or Solid state storage

Note: The Data Classification Standard and Data Handling Guidelines should be consulted to
ensure appropriate treatment of sensitive data.
Data Backup Standard ITSS_01

Page 1 of 3

1.1.2 The backup requirements for information systems and data must be documented and
communicated to implementation and support teams for inclusion within operational
procedures before systems enter production.

1.2 Verification of backup processes and investigating failures


1.2.1 A sample of jobs must be verified as part of the process to maintain the integrity of the
information being backed up, in a manner commensurate with the reliability of the backup
media.

1.2.2 Backup failure reports must be produced, reviewed and acted upon within a reasonable
timeframe to ensure successful completion.

1.3 Validation of backup media and recovery processes

There is a risk that tape and optical media may degrade over time, corrupting or destroying any
information that has been backed up onto them.

1.3.1 To protect against data corruption, optical and tape media should not be used beyond the
manufacturer's usage recommendations.

1.3.2 The validation and recovery process must be documented in an auditable manner and tested
on a regular basis, at a frequency determined by the IT Recovery Plan.
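Controls 1.2.1, 1.2.2 and 1.3.2 require a verified sample of jobs, a failure report that is acted upon, and a tested recovery process. The script below is an added illustration of one way to implement those three checks together; it is not part of ITSS_01 and not UNSW tooling. It assumes, hypothetically, a backup product that records a SHA-256 digest of each job's archive in a manifest when the job runs. The three jobs, their manifest digests and the simulated media fault are constructed in memory so the script runs offline.

```python
"""Sampled backup verification with a failure report.

Added illustration, not part of ITSS_01. Assumes (hypothetically) that the
backup software records a SHA-256 digest of each job's archive in a manifest
at the time the job runs; the three jobs below are constructed in memory, and
one is deliberately corrupted to show how a media fault surfaces in the report.
"""
from __future__ import annotations

import gzip
import hashlib
import random
import zlib
from dataclasses import dataclass


@dataclass
class BackupJob:
    name: str
    archive: bytes          # the artefact as read back from backup media
    manifest_sha256: str    # digest recorded by the backup software at run time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_job(name: str, content: bytes, corrupt: bool = False) -> BackupJob:
    """Construct a job: gzip the content and record its digest in the manifest.

    With corrupt=True, one byte of the stored archive is flipped after the
    manifest entry is written, simulating tape or optical media degradation.
    """
    archive = gzip.compress(content)
    recorded = sha256_hex(archive)
    if corrupt:
        damaged = bytearray(archive)
        damaged[len(damaged) // 2] ^= 0xFF
        archive = bytes(damaged)
    return BackupJob(name, archive, recorded)


def verify_job(job: BackupJob) -> list[str]:
    """Return the problems found for one job; an empty list means it verified.

    Two independent checks: the stored bytes still match the manifest digest,
    and a trial restore (decompression) of the archive succeeds.
    """
    problems: list[str] = []
    if sha256_hex(job.archive) != job.manifest_sha256:
        problems.append("digest mismatch against manifest")
    try:
        if not gzip.decompress(job.archive):
            problems.append("trial restore produced no data")
    except (OSError, EOFError, zlib.error) as exc:  # gzip.BadGzipFile is an OSError
        problems.append(f"trial restore failed: {type(exc).__name__}")
    return problems


def verify_sample(jobs: list[BackupJob], sample_size: int, seed: int) -> dict[str, list[str]]:
    """Verify a random sample of jobs (1.2.1).

    The seed makes the selection reproducible, so the same sample can be
    re-run and the selection recorded for audit.
    """
    rng = random.Random(seed)
    chosen = rng.sample(jobs, min(sample_size, len(jobs)))
    return {job.name: verify_job(job) for job in chosen}


def failure_report(results: dict[str, list[str]]) -> dict[str, list[str]]:
    """Reduce the verification results to the jobs needing action (1.2.2)."""
    return {name: problems for name, problems in results.items() if problems}


# Constructed sample jobs standing in for real backup sets.
JOBS = [
    make_job("finance-db-full", b"ledger row: debit 100.00 credit 100.00\n" * 200),
    make_job("fileshare-incremental", b"report.docx changed since last full\n" * 200),
    make_job("hr-db-full", b"employee record: id 1042 role lecturer\n" * 200, corrupt=True),
]


if __name__ == "__main__":
    results = verify_sample(JOBS, sample_size=3, seed=20160607)
    for name, problems in results.items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    failures = failure_report(results)
    print(f"{len(failures)} of {len(results)} sampled jobs need investigation")
```

The digest comparison catches silent bit rot on the media even where the archive still decompresses, while the trial restore catches an archive that the backup tool wrote in a form the restore path cannot read; the standard asks for both the integrity check and the tested recovery, so the report records each separately.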

1.4 Protection of backups and backup media

1.4.1 Backup media must be treated as being of the same classification level as the source
information system. For example, sensitive data such as regulated personally identifiable
information must be appropriately encrypted (e.g., at the database or file level) when stored on
backup media.

1.4.2 Access to backup media must be restricted to authorised personnel only.

1.5 Retention and disposal of backups and backup media

1.5.1 Backup media must be retained in line with the IT recovery, data retention and record
management requirements where applicable.

1.5.2 Backup media must be disposed of in line with the disposal requirements described in
the Data Classification Standard and Data Handling Guidelines, for example by overwriting the
media or by physical destruction, using a verified, auditable process.

1.6 Backup media locations and off-site transportation of backup media

1.6.1 Backup media containing sensitive information must only be transported off-site with
appropriate physical protection, in a secure container, within a secure vehicle, following an
auditable and verifiable process.

1.6.2 The frequency of sending backup media off-site must be documented and justified in the
backup schedule. The chosen frequency should take into account the importance and
recovery requirements of the data.

1.6.3 Backup media must be stored in a safe and secure physical location to ensure that media is
protected from unauthorised access, modification or destruction. This includes:
a) Off-site in relation to UNSW, at a location with strict physical security in place.
b) In a temperature-controlled environment employing fire prevention and suppression
mechanisms.
c) In designated fire-safes within the UNSW campus, for local storage of backup media.

2. Control Exceptions

All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder. Please
refer to the ISMS Base Document for more detail.


3. ISMS Mapping with Industry Standards

The table below maps the Data Backup Standard to the security domains of the ISO27001:2013 Security
Standard and the principles of the Australian Government Information Security Manual.

ISO27001:2013                | 12 Operations security (12.3 backup)
Information Security Manual  | Information Security Documentation

4. Document Review, Approval & History

This section details the initial review, approval and ongoing revision history of the standard. Post initial review
the standard will be presented to the ISSG recommending the formal UNSW policy consultation and approval
process commence.
A review of this standard will be managed by the Chief Digital Officer on an annual basis.
4.1 Quality Assurance

This document was designed and created by external and internal consultants in consultation with internal key
technical subject matter experts, business and academic stakeholders.

4.2 Sign Off

Endorsed by                                 | Date
ISSG - Information Security Steering Group  | 30 July 2015
ITC - Information Technology Committee      | 27 August 2015
CDO - Chief Digital Officer                 | 7 June 2016

Accountabilities
Responsible Officer: Chief Digital Officer
Contact Officer: ITpolicy@unsw.edu.au

Supporting Information
Parent Document (Policy): IT Security Policy
Supporting Documents: Nil
Related Documents: Data Classification Standard; Data Handling Guidelines; ISMS Base Document
Superseded Documents: IT Security Standard Data Backup, version 1.5 approved by ITC Information
Technology Committee on 27 August 2015
UNSW Statute and / or Regulation: Nil
Relevant State / Federal Legislation: Nil
File Number: 2016/16925 [IT file number ITSS_01]

Definitions and Acronyms
No terms have been defined

Revision History

Version | Approved by                            | Approval date | Effective date | Sections modified
1.0     | Vice-President, Finance and Operations | 7 June 2016   | 7 June 2016    | This is a new document
