SSU Information Technology Security Plan


Effective: May 14, 2008
Revised:
Author: CSIT
Policy:
10.13. Backup Policy
1.0 Purpose
The purpose of this policy is to provide for the continuity, restoration and recovery of critical
data and systems and to ensure recovery of data in the event of an equipment failure, intentional
destruction of data, or natural disaster.
2.0 Scope
The policy applies to all campus entities and third parties who use computing devices connected
to the University network or who process or store critical data owned by Savannah State
University. University users are responsible for arranging adequate data backup procedures for
the data held on IT systems assigned to them.
The department of Computer Services and Information Technology (CSIT) is responsible for the
backup of data held in central systems and related databases. The responsibility for backing up
data held on the workstations of individuals, regardless of whether they are owned privately or by
the university, falls entirely to the user. University users should consult their departmental IT lead
or system administrator about local backup procedures.
3.0 Policy
Computer systems that create or update mission critical university data on a daily basis need to
be backed up on a daily basis to minimize the exposure to loss of mission critical data. The unit
responsible for providing and operating such systems must document and perform at least the
minimal data backup requirements on a periodic basis.
3.1 Minimal Data Backup Requirements
Software: All software, whether purchased or created personally, is to be protected by at least
one full backup.
System data: System data are to be backed up with at least one generation per week. A
generation is a media rotation plan, where the media is kept for five backup cycles before the
media is reused.
Application data: All application data are to be protected by means of weekly full backup using
the generation principle.
Backup Policy 1
CSIT - January 2008
Protocol data: All protocol data are to be protected by means of a full weekly backup using the
generation principle.
Storage: All backup media must be stored in a safe and secure location extraneous to the
location of the backed up systems. All weekly backup media must be stored in a fireproof safe.
All software full backup media must be stored in an off-site backup archive storage location.
3.2 Backup Guidelines
Media Storage
For safety, backup media should be stored in a fireproof and protected location. Magnetic
media should be kept in a case or vault that is shielded from electromagnetic radiation.
For maximum safety, the archive media should be stored at a site that is remote from where the
tapes are used.
Person-In-Charge
Each data backup process should have at least one primary person-in-charge and one substitute.
Data backup is a critical security measure; the relevant persons-in-charge should therefore
commit in writing to adhere to the specific data backup (if established) or minimal data
backup policies and procedures.
Training
All persons-in-charge of data backup should receive adequate training on the data backup
process, data restoration process, media rotation, retention and storage. Training can be
arranged with CSIT by contacting the helpdesk.
Documentation
Documentation is necessary for orderly and efficient data backup and restoration. The person-in-
charge of data backup should fully document the following items for each generated data
backup:
• Date of data backup
• Type of data backup (incremental, full)
• Number of generations
• Responsibility for data backup
• Extent of data backup (files/directories)
• Data media on which the backup data are stored
• Storage location of backup copies
Restoration of Data
The restoration of data using data backups must be tested occasionally to ensure that complete
data restoration is possible (e.g., all data contained in a server must be installed on an alternative
server, using reading equipment other than the equipment that wrote the data backup). This ensures
reliable testing as to whether:
• Data restoration is possible
• The data backup procedure is practicable
• There is sufficient documentation of the data backup, thus allowing a substitute to carry
out the data restoration if necessary
• The time required for the data restoration meets the availability requirements
4.0 Backup Types
Full Backup
A full backup creates a copy of every file on a storage device. This is absolutely the most
complete, comprehensive, and fool-proof type of backup. It is also the most costly in terms of
effort, time and dollar output.
Partial Backup
A partial backup creates a copy of selected files on a storage device. The user selects which files
to back up and which to skip. This can be almost as comprehensive as a full backup, since there
are many files that have absolutely no long-term value. Files with no long-term value include
temporary files and cache files, which can take up many megabytes of disk space.
Incremental Backup
An incremental backup creates a copy of files that have changed (modified, added to, or created)
since the last backup was performed. This method can be used in conjunction with full and
partial backups to maximize protection and minimize cost.
Differential Backup
A differential backup creates a copy of files that have changed (modified, added to, or created)
since a specific date and time. This method is also used in conjunction with full and partial
backups to maximize protection and minimize cost.
5.0 Consequence of Non-Compliance
Non-compliance with this policy could severely impact the operation of the institution by
exposing the University to permanent loss of university data leading to loss of financial records,
students' records, academic records, and research material. It may also expose the individual or
the University to legal action.