Backup Policy Template
Choose Classification
DATE: Click here to add date
VERSION: Click here to add text
REF: Click here to add text
This is a guidance box. Remove all guidance boxes after filling out the
template. Items highlighted in turquoise must be edited appropriately. Items
highlighted in green are examples and must be removed. After all edits have
been made, all highlights must be cleared.
Replace <organization name> with the name of the organization for the entire
document. To do so, perform the following:
● Press “Ctrl” + “H” keys simultaneously.
● Enter “<organization name>” in the Find text box.
● Enter your organization’s full name in the “Replace” text box.
● Click “More”, and make sure “Match case” is ticked.
● Click “Replace All”.
● Close the dialog box.
Insert organization logo by clicking on the outlined image.
Backup Policy Template
Choose Classification
VERSION <1.0>
Purpose
This policy aims to define the cybersecurity requirements related to the
backup and recovery of all of <organization name>'s information and
technology assets to achieve the main objective of this policy, which is
minimizing cybersecurity risks resulting from internal and external threats at
<organization name> in order to preserve confidentiality, integrity and
availability.
The requirements in this policy are aligned with the cybersecurity
requirements issued by the National Cybersecurity Authority (NCA) in addition
to other related cybersecurity legal and regulatory requirements.
Scope
This policy covers all <organization name>'s information and technology
assets (e.g., systems, data and information) and applies to all personnel
(employees and contractors) in the <organization name>.
Policy Statements
1- General Statements
1-1 All IT systems (including cloud, remote access, telework, and critical
systems) in <organization name> must have defined processes and
procedures.
1-2 System owners are accountable for the creation of the defined
backup processes and procedures, assisted by business
representatives.
1-3 When <organization name>’s information technology assets
(systems, data and information) are to be backed up, the business
owner and representatives of and function> must assist in the creation of the required backup
processes and procedures.
1-4 Physical and logical access to <organization name>’s backups,
backup media (physical and online) and restoration capabilities must
be restricted and limited to authorized users only. Additionally, any
physical and logical access privileges to these media must be
reviewed periodically, at least once a year.
1-5 The access, storage and transfer of all systems’ backups, cloud
services tenants’ data backups and the media used for these backups
must be protected against damage, amendment or unauthorized
access.
1-6 Cybersecurity requirements for backup, retention and restore must
meet legal and regulatory requirements, be reviewed at least once a
year, and reviewed when there are changes in the relevant legal and
regulatory requirements.
1-7 Key performance indicators (KPI) must be used to ensure the
continuous improvement and effective and efficient use of
cybersecurity requirements for backup, retention and restoration.
2- Backups
2-1 Backup media must be tested periodically and at least once a year to
ensure it meets the manufacturer’s stated specifications, is free from
physical fault(s), functions as intended and is replaced where required.
2-2 Backups must be taken at regular intervals, to meet legal and
regulatory requirements and as defined by the
.
2-3 A business impact assessment must be conducted to determine the
frequency and type of backup required for each system.
2-4 Daily backups must be performed for all the components of critical
systems.
2-5 Online backup (which makes use of a remote or cloud-based storage
system to get the data to be stored in a server that is connected to
the network) and offline backup (which makes use of a physical piece
of hardware such as an external hard disk, DVD, memory card, etc.
that is isolated from any network or online device to store the data)
must cover all critical systems’ components.
2-6 Offline and physical backup media must be stored off-site in an
approved secure location, preferably at a physically remote location.
2-7 Online backups must be stored separately from production, test,
development, office and operational technology environments and
networks.