Your Backup and Recovery Policy must address using VSS and WSB in your organization. Your Backup and Recovery Policy document must address, at minimum, all of the following topics:

• What is the purpose of the backup policy: This identifies the goal of the policy and why it is important. This includes a policy statement, background, objective, scope, definitions, guiding principles, etc.
• Who is responsible for backups: What person(s), position, or department is responsible for ensuring the policy and procedures are followed. What are the roles and responsibilities? Who is responsible for backing up the data? Who is responsible for restoring data? Who is responsible for securing the backed-up data? Who is responsible for erasing or destroying it?
• Data to be backed up: This identifies what data management determines is important to the organization.
• Off-site backups: A copy of a backup should be stored at a separate location. This helps protect the data in the event of fire, flood, or other disasters that can destroy the primary site.
• Label media: Media labeling identifies what data is on the media and when the backup to that location was performed.
• Testing: The policy needs to identify when and at what level testing should be performed and how the results are recorded.
• Retention requirements: Retention determines how many tapes or other media must be purchased and for how long they will be retained before being destroyed. The length of retention is determined by laws, regulations, and industry guidelines as well as organizational needs.
• Execution and frequency of backups: The BIA influences the execution and frequency by identifying RTO (recovery time objectives) and RPO (recovery point objectives). This helps determine the type of backup performed and the rotation strategy employed. What is the plan? The schedule?
• Protecting backups: Backup media needs to be classified and handled the same as the original data. A breach that compromises the backup data is the same as a breach that compromises the original data. The policy needs to identify how the backups are to be protected. What measures must be followed to ensure the security of your organization's backups?
• Disposing of media: How, when, where, and by whom media will be sanitized or destroyed must be specified in the policy.