Backup Policy. Document Title: No. Pages 5. Document Type: Policy. Scope: OCIO, Operations Branch

Transcription

1 Document Title: Backup Policy Document Type: Policy No. Pages 5 Scope: OCIO, Operations Branch Trim Number: DOC02866/2007 Revision: 3 Treasury Board Approval: TBM Date Implemented: 2011/03/08 Approval Date: Review Date: 2013/05/26 Lead Branch - Name: Randy Mouland, Executive Director Operations Chief Information Office: Jean Tilley, Chief Information Officer (A) Treasury Board Approval: Secretary (yyyy-mm-dd) (yyyy-mm-dd) (yyyy-mm-dd) Authority Name Authority Name Authority Name

2 Table of Contents 1.0 Introduction Purpose Scope Definitions Backup Retention Scheduling Exceptions Security Off-Site Storage Supporting Documentation Disposal Testing Approval Process Change Policy References... 5 Backup Policy Page 2 of 5

3 1.0 Introduction Today, governments face an ever expanding set of information protection challenges and regulatory information retention requirements. The availability of information is crucial to the business of government. Likewise, recovering this information in a timely manner after a data loss event is essential. 2.0 Purpose The purpose of this policy is to establish the Office of the Chief Information Officer s (OCIO) timeline and approach for the backup of client data to enable recovery should it be required. 3.0 Scope This policy covers backup and recovery services provided by the OCIO to departments and public bodies to which it supplies these services. 4.0 Definitions Backup: A copy or snapshot in time of electronic data created to facilitate recovery for business continuity or disaster recovery purposes. Client: Departments and public bodies to which the OCIO provides backup and recovery services. 5.0 Backup OCIO has a standard approach for its backup services while, at the same time, offering a measure of operational flexibility. 5.1 Retention Data written to backup media is preserved indefinitely as long as the original data used to make the backup remains on the source system. Data which is not deleted by clients is backed up indefinitely by the OCIO. The standard backup retention period for data which was replaced or removed at its source (e.g. electronic records deleted by clients) is 30 calendar days from the date of the change. In cases where the backup methodology employed uses a retention window rather than the default period of 30 calendar days, retention will be set as low as possible, while maintaining a minimum of 30 calendar days from the date of the change. In such cases, the exception(s) will be documented by the OCIO. Backup Policy Page 3 of 5

4 Government of Newfoundland and Labrador Office of the Chief Information Officer If a client can demonstrate a requirement for an exception to the thirty calendar day retention period, a request may be made to the OCIO (refer to Section 5.3). 5.2 Scheduling The standard backup schedule as defined by the OCIO is daily, seven days a week unless otherwise agreed upon as per Section Exceptions If an exception to the OCIO s standard backup process is required for reasons such as Access to Information requests or legal discovery requirements, the supporting documentation and authorization from the Deputy Minister or equivalent of the requesting department or public body is required. 5.4 Security Access to backup media, devices or backup systems software is restricted to authorized staff. Requests for physical or system access by unauthorized staff must be directed to the Executive Director, Operations Branch, OCIO. 5.5 Off-Site Storage Copies of backups will be stored in a safe location, physically distant from the data processing center to facilitate disaster recovery efforts. 5.6 Supporting Documentation Documentation regarding the build and recovery of the implemented backup solution must be maintained in locations that allow for access during disaster recovery efforts. Tape and other backup media must be clearly labelled or bar coded to reflect the data written to the media and the date which the backup action occurred. 5.7 Disposal Backup media must be physically destroyed in a secure manner that renders the stored data irretrievable. Media destruction shall be conducted by authorized staff or by an approved designate. All requests for destruction require a Disposal Certificate upon completion declaring that the data has been securely destroyed. 5.8 Testing The OCIO is responsible for periodic testing of its backup and recovery services. Client involvement is required to test and confirm successful recovery of information for which they are responsible. Backup Policy Page 4 of 5

5 Government of Newfoundland and Labrador Office of the Chief Information Officer 6.0 Approval Process Treasury Board Office of the Chief Information Officer - Executive Director - Operations Branch Office of the Chief Information Officer Chief Information Officer 7.0 Change Policy This policy will be changed as necessary in order to appropriately reflect current software and hardware standards. Reviews will take place on a biennial basis. Substantial changes will be made available to employees at the earliest possible convenience. 8.0 References N/A Backup Policy Page 5 of 5