
ITSS_01 IT Security Standard – Data Backup

Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Next review date: 7 June 2017

Standard Statement
The backup of important information is often the last line of defence in the
event of accidental or malicious loss or modification of UNSW information,
applications and infrastructure configurations. The purpose of this standard is
to set out the baseline requirements for the backup of UNSW information systems
and data.

Purpose
UNSW information must be backed up on a regular basis, protected from
unauthorised access or modification during storage, and available for recovery
in a timely manner. As backup media may contain sensitive information in high
volumes (e.g., UNSW financial transactions, Personally Identifiable Information),
the backup media must be protected during the entire information lifecycle.

Scope
This standard applies to all UNSW Information Communication Technology systems
and end-user computing devices, including non-production systems that contain
information whose loss would impact UNSW.
This standard does not cover data availability using replication techniques,
such as database synchronisation between production and disaster recovery
facilities, or data deduplication.

Are Local Documents on this subject permitted? ☐ Yes ☐ Yes, subject to any areas specifically restricted within this Document ☐ No

Standard

1. Controls (p. 1)
 1.1 Backup schedule considerations (p. 1)
 1.2 Verification of backup processes and investigating failures (p. 2)
 1.3 Validation of backup media and recovery processes (p. 2)
 1.4 Protection of backups and backup media (p. 2)
 1.5 Retention and disposal of backups and backup media (p. 2)
 1.6 Backup media locations and off-site transportation of backup media (p. 2)
2. Control Exceptions (p. 2)
3. ISMS Mapping with Industry Standards (p. 3)
4. Document Review, Approval & History (p. 3)
 4.1 Quality Assurance (p. 3)
 4.2 Sign Off (p. 3)

1. Controls
1.1 Backup schedule considerations
1.1.1 Backups must be scheduled according to the availability requirements of the information that
is being backed up. A backup schedule must be documented and maintained for all UNSW
systems. Table 1 documents the minimum backup schedules for the identified UNSW data
types.
Table 1: Backup Schedule

What                                          How Often                          How (media)
Infrastructure configuration                  According to Solution Design       According to Solution Design
  (network, server, appliance)                Documentation, or:                 Documentation, or:
Software (O/S, applications, utilities)         Full                               Magnetic tape
Data (files, databases)                         Incremental                        Hard disk
                                                Differential                       Optical storage
                                                                                   Solid state storage

Note: The Data Classification Standard and Data Handling Guidelines should be
consulted to ensure appropriate treatment of sensitive data.

Data Backup Standard – ITSS_01 Page 1 of 3


1.1.2 The backup requirements for information systems and data must be documented and
communicated to implementation and support teams for inclusion within operational
procedures before systems enter production.

1.2 Verification of backup processes and investigating failures


1.2.1 A sample of backup jobs must be verified as part of the process to maintain the integrity of
the information being backed up, in a manner commensurate with the reliability of the backup
media.
1.2.2 Backup failure reports must be produced, reviewed and acted upon within a reasonable
timeframe to ensure successful completion.

1.3 Validation of backup media and recovery processes


There is a risk that tape and optical media may degrade over time, corrupting or destroying any
information that has been backed up onto this media.
1.3.1 To protect against data corruption, optical and tape media should not exceed the
manufacturer's usage recommendations.
1.3.2 The validation and recovery process must be documented in an auditable manner and tested
on a regular basis to be determined by the IT Recovery Plan.
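As an added illustration of controls 1.2.1, 1.2.2 and 1.3.2 (example code, not part of the UNSW standard): an automated restore test that takes a full backup together with a SHA-256 manifest, restores the archive into scratch space, verifies a sample of files against the manifest, and returns a report that separates unreadable media from silently corrupted content. The file names, contents and the byte-flip that simulates degraded media are all constructed for the example.

```python
"""Added example (not part of the UNSW standard): an automated restore test
with integrity checking, illustrating controls 1.2.1, 1.2.2 and 1.3.2.
Everything here (file names, contents, the corruption step) is constructed."""
import hashlib
import json
import random
import tarfile
import tempfile
from pathlib import Path

# Constructed sample files standing in for a system being backed up.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=0.0.0.0:8443\nlog_level=info\n",
    "db/ledger.csv": b"id,amount\n1,100.00\n2,250.50\n",
    "docs/readme.txt": b"restore test fixture\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_fixture(src: Path) -> None:
    """Lay out the constructed sample files under src."""
    for rel, data in SAMPLE_FILES.items():
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def create_backup(src: Path, archive: Path) -> dict:
    """Full backup of src into an uncompressed tar plus a SHA-256 manifest.

    The manifest is the independent record the restore test verifies against;
    in practice it belongs with the backup catalogue, not only on the same media.
    """
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive: Path, manifest: dict, sample_size: int, seed: int = 0) -> dict:
    """Restore into scratch space and verify a random sample against the manifest.

    The report distinguishes unreadable media (an extraction error) from
    silently corrupted content (a hash mismatch); both must be acted on (1.2.2).
    """
    rng = random.Random(seed)  # seeded so the sampled files are reproducible for an audit
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    report = {"checked": sample, "failed": [], "error": None, "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r") as tar:
                try:
                    tar.extractall(dest, filter="data")  # rejects path traversal (Python >= 3.12 and backports)
                except TypeError:
                    tar.extractall(dest)  # older interpreters without the filter argument
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        for rel in sample:
            restored = dest / rel
            if not restored.is_file() or sha256_file(restored) != manifest[rel]:
                report["failed"].append(rel)
    report["ok"] = not report["failed"]
    return report


def corrupt_first_member(archive: Path) -> str:
    """Simulate degraded media (1.3): flip one byte inside the first file's data
    region so the archive still extracts but the content no longer matches."""
    with tarfile.open(archive, "r") as tar:
        member = next(m for m in tar.getmembers() if m.isfile())
    raw = bytearray(archive.read_bytes())
    raw[member.offset_data] ^= 0xFF
    archive.write_bytes(bytes(raw))
    return member.name


def run_restore_test(corrupt: bool = False) -> dict:
    """Build the fixture, back it up, optionally corrupt it, then restore-test it.
    sample_size covers the whole manifest here so the outcome is deterministic."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "source"
        write_fixture(src)
        archive = Path(work) / "full-backup.tar"
        manifest = create_backup(src, archive)
        corrupted = corrupt_first_member(archive) if corrupt else None
        report = restore_and_verify(archive, manifest, sample_size=len(manifest))
        report["corrupted"] = corrupted
        return report


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=1))  # clean media: ok is True
    print(json.dumps(run_restore_test(corrupt=True), indent=1))  # degraded media: db/ledger.csv fails
```

In a real schedule the sample size would be a fraction of the manifest and the seed would be recorded with the run, so that the job log, the sampled file list and the resulting report together form the auditable record that 1.3.2 calls for.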

1.4 Protection of backups and backup media


1.4.1 Backup media must be treated as being of an equivalent classification level as the source
information system. For example, sensitive data such as regulated Personally Identifiable
Information must be appropriately encrypted (e.g., at the database or file level) when stored on
backup media.
1.4.2 Access to backup media must be restricted to authorised personnel only.

1.5 Retention and disposal of backups and backup media


1.5.1 Backup media must be retained in line with the IT recovery, data retention and record
management requirements where applicable.
1.5.2 Backup media must be disposed of in line with appropriate disposal requirements described in
the Data Classification Standard and Data Handling Guidelines, for example by overwriting
media or physical destruction using a verified, auditable process.

1.6 Backup media locations and off-site transportation of backup media


1.6.1 Backup media containing sensitive information must only be transported offsite with
appropriate physical protection, in a secure container, within a secure vehicle, following an
auditable and verifiable process.
1.6.2 The frequency of sending backup media off-site must be documented and justified in the
backup schedule. Consideration of the frequency should take into account the importance and
recovery requirements of the data.
1.6.3 Backup media must be stored in a safe and secure physical location to ensure that media is
protected from unauthorised access, modification or destruction. This includes:
a) Off-site in relation to UNSW and stored at a location with strict physical security in place.
b) In a temperature controlled environment employing fire prevention and suppression
mechanisms.
c) In designated fire-safes within the UNSW campus, for local storage of backup media.

2. Control Exceptions
All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder. Please
refer to the ISMS Base Document for more detail.



Version 1.0 Effective 7 June 2016
3. ISMS Mapping with Industry Standards
The table below maps the Data Backup Standard to the security domains of the ISO 27001:2013
security standard and the principles of the Australian Government Information Security Manual.

ISO27001:2013                                Information Security Manual
12 Operations security (12.3 Backup)         Information Security Documentation

4. Document Review, Approval & History


This section details the initial review, approval and ongoing revision history of the standard. Post initial review
the standard will be presented to the ISSG recommending the formal UNSW policy consultation and approval
process commence.

A review of this standard will be managed by the Chief Digital Officer on an annual basis.

4.1 Quality Assurance


This document was designed and created by external and internal consultants in consultation with internal key
technical subject matter experts, business and academic stakeholders.

4.2 Sign Off

Endorsed by                                         Date
ISSG - Information Security Steering Group          30th July 2015
ITC - Information Technology Committee              27th August 2015
CDO – Chief Digital Officer                         7th June 2016

Accountabilities
Responsible Officer: Chief Digital Officer
Contact Officer: ITpolicy@unsw.edu.au

Supporting Information
Parent Document (Policy): IT Security Policy
Supporting Documents: Nil
Related Documents: Data Classification Standard; Data Handling Guidelines; ISMS Base Document
Superseded Documents: IT Security Standard – Data Backup, version 1.5, approved by ITC Information Technology Committee on 27 August 2015
UNSW Statute and / or Regulation: Nil
Relevant State / Federal Legislation: Nil
File Number: 2016/16925 [IT file number ITSS_01]

Definitions and Acronyms
No terms have been defined

Revision History
Version   Approved by                               Approval date   Effective date   Sections modified
1.0       Vice-President, Finance and Operations    7 June 2016     7 June 2016      This is a new document
