Document Control

Document Details
Author: Adrian Last
Company Name: The Crown Estate
Division Name: Information Services
Document Name: Back Up Policy
Version Date: 10/10/12
Effective Date: 1 November 2012
Issue: THREE
Review Date: October 2013
May 2007

Change Record
Modified Date | Author | Version | Description of Changes
14/05/2010 | Clare Kelly | 1.1 | Incorporates comments by ZH, TB, CK and NS
04/05/2011 | Roberta McCaughan | |
/05/2011 | S Smith | 1.3 | Review for Service Desk
13/07/2011 | S Smith | 1.4 | Change made to 4.1. See ISMS 2011 Audit Action List for information.
21/07/2011 | S Smith | 1.5 | Change made to 4.2. See ISMS 2011 Audit Action List for information.
10/08/11 | A R Last | 1.6 | Final review
10/10/12 | A R Last | 1.7 | Annual review

Stakeholder Sign off
Name | Position | Signature | Date
Nigel Spencer | Information Services Manager | | July 2011
Clare Kelly | IT Support Manager | | July 2011
Nigel Spencer | Head of IS | | October 2012

Security Sign-off
Name | Position | Signature | Date
Adrian Last | Business Support Manager | | August 2011
Adrian Last | ISMS Manager | | October
Table of Contents

1. Purpose
2. Scope
3. Policy
   3.1. Policy Statement
   3.2. Policy Objectives
   3.3. Policy Overview
   3.4. Policy Maintenance
4. Policy Requirements
   4.1. Build Documentation
   4.2. Server Imaging
   4.3. Identification of Data for Back-up
   4.4. Back-up Schedules
   4.5. Restoration
   4.6. Software Compatibility
   4.7. Back-up Retention
   4.8. Media Storage
   4.9. Reporting Security Incidents
   4.10. Business Continuity
   4.11. User Awareness
5. Disciplinary Process
6. Deviations from Policy
7. Glossary of Terms
Appendix A - List related documents, procedures and processes
1. Purpose

The purpose of this policy is to ensure that The Crown Estate's electronic information resources are backed-up at scheduled intervals to suitably secure storage media in order to facilitate the restoration of all or part of those information resources in the event of loss or corruption of the original data.

2. Scope

The scope of this policy applies to:
- Any of The Crown Estate's premises where electronic information is stored; and
- Information system resources, including data networks and servers located at The Crown Estate and non-Crown Estate locations, where these systems are under the jurisdiction and/or ownership of The Crown Estate, and any servers authorised to access The Crown Estate's data networks.

Out of Scope: The Crown Estate is not responsible for backing up non-Crown Estate machines. The Crown Estate IT Service Desk also does not back up PCs or laptops. Users should always save data to servers, i.e. data on users' laptops and PCs is their own responsibility. It should be noted that personal drives on individual PCs and laptops will not be backed-up. Only data stored on corporate servers is subject to this Policy.

3. Policy

3.1. Policy Statement

The Crown Estate's information system resources are assets important to The Crown Estate's business and stakeholders and its dependency on these assets demands that appropriate levels of information security be instituted and maintained.
It is The Crown Estate's policy that appropriate back-up measures are implemented to protect its information system resources from loss or corruption, and to maintain appropriate levels of confidentiality, integrity and availability of such information system resources.

3.2. Policy Objectives

The objectives of this policy with regard to the protection of information system resources against loss or corruption are to:
- Minimise the threat posed by the potential loss or corruption of electronic information owned by The Crown Estate or temporarily entrusted to it; and
- Minimise reputation exposure, which may result from the loss or corruption of The Crown Estate's electronic information resources.

3.3. Policy Overview

The Crown Estate information system resources are important business assets that are vulnerable to loss or corruption due to technical failure, human error or malicious attack. It is therefore essential to ensure that verified back-ups are taken in order to be able to restore lost or corrupted data to its original state at a specified point in time.
3.4. Policy Maintenance

Supporting standards, guidelines and procedures will be issued on an on-going basis by The Crown Estate. Users will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of or other relevant communication media. Users shall then have the obligation to obtain the current information systems policies from The Crown Estate intranet (i-site) or other relevant communication media on an on-going basis and accept the terms and conditions contained therein.

4. Policy Requirements

The Crown Estate's information system resources shall be backed-up at scheduled intervals in order to provide assurance of restoration in the event of loss or corruption of data and for business continuity planning purposes.

4.1. Build Documentation

The IT Service Desk will document and build processes and test recovery routines to mitigate risks of data loss.

4.2. Server Imaging

Where appropriate, disk images will be taken and stored in order to provide for the most rapid restoration of mission-critical servers to a known state. The IT Service Desk will document build processes and test recovery routines to mitigate risks of data loss.

4.3. Identification of Data for Back-up

Data will only be backed up when requested via a Back-up Application form sent to the IT Service Desk, along with a Request for Service (RFS). No assumption should be made that data is being backed up unless a Back-up Application form has been completed and acknowledged. Emergency or special back-ups may be requested by contacting the IT Service Desk in writing.

4.4. Back-up Schedules

The production environment must not be impacted by the running of back-up jobs. All back-ups must be created, scheduled and run according to the performance and availability requirements of the environment.

Back-ups are scheduled as one of the following:
- Daily
- Weekly
- Monthly
- Annual (both calendar year-end in December and financial year end in March)
- Archive
- Once-off

According to standard definitions of terms, back-ups are determined as:
- Full
- Differential
- Incremental
Back-up logs will be reviewed daily by the IT Support Team and failures logged by the IT Service Desk for onward investigation. Tests will be conducted to investigate the cause of back-up failures and action taken accordingly to prevent recurrence.

4.5. Restoration

Test restorations will be conducted by the IT Support Team at regular intervals using a disparate cross-section of application types to ensure that back-ups are working correctly and that restorations can be successfully executed.

Requests for restoration of live systems must be logged with the IT Service Desk. Requests for full system restores must be accompanied by a high priority call and Change Control Approval.

Where possible, restores are made initially to an alternate location, and then copied to the live location following verification. Where restoration is to a live system and the system is not terminally corrupt, the existence of a suitably-recent back-up is confirmed in case the restoration fails. Where no suitably-recent back-up exists, a back-up is taken first. Users will be notified of the outcome of the restore.

4.6. Software Compatibility

A secure library of application software versions will be maintained for as long as corresponding back-ups are retained in order to ensure that a compatible version of the software will be available for use if the need arises to restore an application to a pre-upgrade state.
4.7. Back-up Retention

Back-ups are retained in accordance with the following periods of time:

Back-up Schedule | Retention Period
Daily | Minimum 1 month
Weekly | Minimum 2 months
Monthly | Minimum 3 months
Annual | 6 years
Archive | Indefinite
Once-off | As requested

4.8. Media Storage

Back-up tapes are collected and stored offsite by an appropriately-resourced third party contractor. Tapes held temporarily onsite are stored in a controlled, secure environment.

4.9. Reporting Security Incidents

All security incidents, including significant back-up or restoration failures, should be reported immediately to the IT Service Desk.

4.10. Business Continuity

Business continuity plans shall include provision for the restoration of information resources from back-ups. This document is supported and guided by the Business Continuity Plan for IS.

4.11. User Awareness

Users shall be made aware of this Policy and all its provisions.

5. Disciplinary Process

The Crown Estate reserves the right to audit compliance with the policy from time to time. Any disciplinary action, arising from breach of this policy, shall be taken in accordance with The Crown Estate's Rules and Disciplinary Code as amended from time to time. Disciplinary action may ultimately lead to dismissal.

6. Deviations from Policy

Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation to or non-compliance with this policy shall be reported to the ISMS Manager or Head of IS.

7. Glossary of Terms

The terms used in this policy document are to be found in the ISMS Glossary of Terms. In particular, a back-up is defined as a copy of a specified subset of The Crown Estate's electronic information resources.
Appendix A - List related documents, procedures and processes

- Backup Checklist Procedure
- Backup and Recovery Process
- Business Continuity Planning Policy/Procedure
- Disaster Recovery Policy/Procedure
- Business Continuity Plan for Information Systems Department
- The Crown Estate's Rules and Disciplinary Code