------- INDEX AND GLOSSARY. DO NOT CHANGE OR DELETE! ----------
Open IT Policy Index
- Acceptable Use, Administrative or Special Access (Policy)
- Acceptable Use, Email (Policy)
- Acceptable Use, Internet (Policy)
- Acceptable Use, Virtual Private Network (VPN) (Policy)
- Access Controls, Account (Policy)
- Account Management (Policy)
- Change Management (Policy)
- Computer Virus Prevention (Policy)
- Contingency Planning (Policy)
- Data Backup and Storage (Policy)
- Data Marking, Handling, Processing, Storage, and Disposal (Policy)
- Deferral of System Security Certification or Accreditation, Annual (Form)
- General Information Security Management (Procedure)
- Green Computing (Policy)
- Incident Response (Policy)
- Intrusion Detection (Policy)
- Logging and Audit Trails (Policy)
- Mobile Computing and Network Access (Policy)
- Network Access (Policy)
- Network Access Controls (Standard)
- Network Configuration (Policy)
- Network Data Privacy (Policy)
- Password Management (Policy)
- Personnel Security (Policy)
- Physical Security (Policy)
- Policy Application Checklist (Administrative Utility)
- Secure Media and Data Handling (Procedure)
- Secure Software Development Lifecycle (Standard)
- Social Computing and Networking (Policy)
- Software and Hardware Security Controls (Policy)
- Spam and Unsolicited Commercial Email Prohibition (Policy)
- System Security Certification/Accreditation, Annual (Form)
- System Security Certification/Accreditation, Annual (Policy)
- Telecommuting Agreement, Employee (Form)
-------------------------------------------------------------------------------------------------
Overview and Purpose
Electronic backups are a business requirement: they enable the recovery of data and applications after events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
The purpose of the [variable: Covered Organization] Data Backup and Storage Policy is to establish the rules for the backup and storage of [variable: Covered Organization] electronic information.
Coverage
The [variable: Covered Organization] Data Backup and Storage Policy applies to all individuals within the [variable: Covered Organization] enterprise who are responsible for the installation and support of Information Resources; individuals charged with Information Resources Security; and data owners.
Definitions
General Terminology:
Services
Information Services may have existing contracts for offsite backup data storage. These services can be extended to all [variable: Covered Organization] entities upon request.
Policy
- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- The [variable: Covered Organization] Information Resources backup and recovery process for each system must be documented and periodically reviewed.
- Any vendor(s) providing offsite backup storage for [variable: Covered Organization] must be cleared to handle the highest level of information stored.
- Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest [variable: Covered Organization] sensitivity level of information stored.
- A process must be implemented to verify the success of each [variable: Covered Organization] electronic information backup.
- Backups must be periodically tested, by restoring data from them, to ensure that they are recoverable.
- Signature cards held by the offsite backup storage vendor(s) for access to [variable: Covered Organization] backup media must be reviewed annually and whenever an authorized individual leaves [variable: Covered Organization].
- Procedures between [variable: Covered Organization] and the offsite backup storage vendor(s) must be reviewed at least annually.
- Backup tapes must carry, at a minimum, the following identifying information, readily identifiable by labels and/or a bar-coding system:
  - System name
  - Creation date
  - Sensitivity classification [Based on applicable electronic record retention regulations.]
  - [variable: Covered Organization] contact information
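The two requirements above that are most often left to chance, verifying that a backup succeeded and proving it can be restored, are usually met with a small script run after every backup job. The following is an added example written for this page; it is not part of the policy template or of any vendor product. It assumes file-based backups written as uncompressed tar archives (so that the simulated damage lands in file data rather than in a compression stream) with a SHA-256 manifest recorded at backup time; the manifest is written next to the archive for simplicity, but in practice it should be kept on separate media from what it vouches for. The directory layout, file contents and archive name are constructed for the example.

```python
"""Backup success check and restore test (added example; not part of the policy).

Assumptions (not from the policy): backups are tar archives, and a SHA-256
manifest of the source files is recorded at backup time. The sample data,
file names and archive name below are constructed for the example.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under *source* and record {relative path: sha256}.

    The manifest is written next to the archive here for simplicity; in
    production it belongs on separate media so it can vouch for the archive.
    """
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w") as tar:  # uncompressed, see lead-in
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )
    return manifest


def verify_backup(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore the archive into a scratch directory and compare it to the manifest.

    Returns a list of findings; an empty list means the backup is complete and
    recoverable. Problems are reported rather than raised so the caller can log
    a failed verification and move on to the next job.
    """
    findings: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        # Python 3.12+ (and security backports) provide the "data" filter, which
        # refuses members that would escape the target directory; use it if present.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(restore_dir, **extract_opts)
        except (tarfile.TarError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = restore_dir / rel
            if not restored.is_file():
                findings.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                findings.append(f"checksum mismatch: {rel}")
        restored_files = {
            p.relative_to(restore_dir).as_posix() for p in restore_dir.rglob("*") if p.is_file()
        }
        findings.extend(f"not in manifest: {rel}" for rel in sorted(restored_files - set(manifest)))
    return findings


def demo() -> Dict[str, List[str]]:
    """Back up constructed sample data, verify it, then damage the archive twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "payroll"  # constructed sample data, not real records
        (source / "2024").mkdir(parents=True)
        (source / "2024" / "q1.csv").write_text("emp_id,gross\n1001,5200.00\n")
        (source / "README.txt").write_text("constructed sample, not real records\n")
        archive = root / "payroll-2024-06-30.tar"  # hypothetical archive name

        manifest = create_backup(source, archive)
        good = verify_backup(archive, manifest)

        # Media degradation: flip one byte inside the first member's file data.
        # The tar header stays intact, so only the manifest hash can catch this.
        with tarfile.open(archive) as tar:
            data_offset = tar.getmembers()[0].offset_data
        raw = bytearray(archive.read_bytes())
        raw[data_offset] ^= 0xFF
        archive.write_bytes(bytes(raw))
        flipped = verify_backup(archive, manifest)

        # Incomplete write: the archive ends in the middle of a member's data.
        archive.write_bytes(bytes(raw[: data_offset + 8]))
        truncated = verify_backup(archive, manifest)
    return {"good": good, "flipped": flipped, "truncated": truncated}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {'OK' if not findings else findings}")
```

The restore test deliberately extracts into a scratch directory and hashes what came back, rather than hashing the archive file: a matching archive checksum only proves the medium still holds the bytes that were written, while a restore proves the data can actually be read back with the tooling at hand. Findings are returned as data so the calling job scheduler can record the result for the periodic review the policy requires.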
Enforcement
Violation of this policy may result in disciplinary action, including but not limited to performance penalties, employment termination, contract invalidation, civil action, and criminal prosecution. Additionally, violators may lose access privileges to [variable: Covered Organization] Information Resources.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
- [variable: title (not personal name) of role responsible for overseeing this procedure]
- [variable: Contact information of office responsible for overseeing this procedure]
References
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The State of Texas Information Act
- Texas Government Code, Section 441
- Texas Administrative Code, Chapter 202
- IRM Act, 2054.075(b)
- The State of Texas Penal Code, Chapters 33 and 33A
- DIR Practices for Protecting Information Resources Assets
- DIR Standards Review and Recommendations Publications
Policy Model(s)