
Data Backup Policy

<DATE>
<OFFICIAL SPONSORING POLICY> i.e. Director of Information Technology, John Doe
HIPAA §164.308(a)(7)(ii)(A)

Backup

Although this backup policy is closely related to the business continuity and disaster recovery
policy (BCDR), since it protects against events that are relatively likely to occur, in practice it will be
used more frequently than the BCDR. The purpose of this policy is to provide consistent rules for backup
management to ensure backups are available when needed.

Data to be Backed Up

All data stored on the Firm’s file servers, email servers, network servers, web servers, database servers,
domain controllers, firewalls, and remote access servers will be backed up. It is the user's responsibility
to ensure any data of importance is moved to the file server.

Backup Frequency

Backups are taken in the main office using the Evault/Symantec/CommVault backup system.

Off-Site Rotation

Backups stored offsite are rotated. Define process.

Backup Storage

When stored onsite, backup media must be stored in a fireproof container in an access-controlled area.
When moved offsite, a hardened facility (e.g., a commercial backup service) that uses accepted methods of
environmental controls, including fire suppression, and security processes must be used to ensure the
integrity of the backup media and that all Service Level Agreements for clients are met.

Backup Retention

The Firm has determined that the following will meet all requirements.

- Incremental Backups must be saved for one week.
- Full Backups must be saved for one month.

Sample Data Backup Policy
M. Brophy, 2015
This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/4.0/.

Restoration Procedures & Documentation

The Firm’s Information Technology Manager and contracted IT personnel are responsible for documenting the
data restoration procedures: who is responsible for the restore, how it is performed, under what
circumstances, and how long it will take from request to restoration.

Restoration Testing

Backup restores must be tested when any change is made that may affect the backup system. Backup
restores must also be tested monthly to ensure the integrity of the backups in case of a crisis.

Retention

The Firm does not wish to adopt a "save everything" mentality. Only data that must be retained in order
to protect the Firm's interests or our clients’ interests, preserve evidence, or generally conform to good
business practices will be retained.

Data Duplication

When identifying and classifying the Firm's data, it is important to understand where that data may be
stored, particularly as duplicate copies, so that this policy may be applied to all duplicates of the
information.

Retention Requirements

As a rule, Firm operational data and client data should be retained in accordance with the Firm’s Records
Retention Policy. Personal data should be deleted or destroyed when it is no longer needed.

Specific client data may be retained and disposed of in accordance with the client’s legal and/or regulatory
requirements.

Retention of Encrypted Data

If any information retained under this policy is stored in an encrypted format, considerations must be
taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that
the keys decrypt is retained.

Data Destruction

Data destruction is a critical component of this data retention policy. When the retention timeframe
expires, the Firm must actively destroy the data covered by this policy. If a user feels that certain data
should not be destroyed, he or she should identify the data to the Information Technology Manager so that
an exception to the policy can be considered. Since this decision has long-term legal implications,
exceptions will be approved only by the Partners.

The Firm specifically directs users not to destroy data in violation of this policy. Particularly forbidden is
destroying data that a user may feel is harmful to him or herself, or destroying data in an attempt to cover
up a violation of law or Firm policy.

The disposal of non-electronic media (e.g., documents) will be handled by an industry approved
destruction method. See the Firm’s Records Retention Policy.

Notification

Prior to engaging a third party or related entity (e.g., parent company, subsidiary, affiliate)
that will have access to confidential client data, notification of the engagement will be provided to Firm
clients as per client contractual requirements.
