BACKUP & RESTORATION PROCEDURE KING SAUD UNIVERSITY DEANSHIP OF ETRANSACTIONS & COMMUNICATION VERSION 1.1 INTERNAL USE ONLY
PREPARED BY REVIEWED BY APPROVED BY ALTAMASH SAYED NASSER A. AMMAR DR. MOHAMMED A ALNUEM REVISION HISTORY Sr. No. Date of Revision Ver. Validity Description of change Reviewed By Approved By 1 18/03/12 1.0 One Year Initialization Nasser A. Ammar Dr. Mohammed A Alnuem 2 02/03/13 1.1 One Year Department Ownership Changed Mr. Toqeer Ahmad 3 05/03/13 1.1 One Year No Change Mr. Toqeer Ahmad Mr. Mohammed A. Alsarkhi Mr. Mohammed A. Alsarkhi 4 5 6 7 8 9 10 DISTRIBUTION LIST Sr. No Version Number Name Designation Department 1 2 3 ISMS/A.10.3/BR/PRO/ V1.1 Page 2 of 18 Internal Use Only
TABLE OF CONTENTS 1. PURPOSE... 4 2. SCOPE... 4 3. RELATED POLICIES AND PROCEDURES... 4 4. PROCEDURE ENFORCEMENT / COMPLIANCE... 4 5. DOCUMENT OWNER... 5 6. ROLES & RESPONSIBILITY... 5 7. INVOCATION... 6 8. BACKUP PROCEDURE FLOWCHART... 7 9. BACKUP PROCEDURE DETAILS... 8 10. RESTORATION PROCEDURE FLOWCHART... 12 11. RESTORATION PROCEDURE DETAILS... 13 12. ANNEXURE... 16 12.1 FORM... 16 12.2 RECORD... 18 ISMS/A.10.3/BR/PRO/ V1.1 Page 3 of 18 Internal Use Only
1. PURPOSE The purpose of Backup and Restoration Procedure is to establish an effective way for the backup and restoration process adopted by King Saud University - etransactions & Communication Deanship. The data of King Saud University - etransactions & Communication Deanship is a valuable asset which could be lost or destroyed by intentional/unintentional actions. Therefore, it is crucial to safeguard assets by implementing a backup and restore procedure which will define the required actions to protect ETC Deanship's data. 2. SCOPE This procedure applies to King Saud University (KSU) - etransactions & Communication (ETC) Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process control systems, that are in possession of or using information and/or facilities owned by KSU-ETC Deanship. This procedure applies to all staff/ users that are directly or indirectly employed by KSU-ETC Deanship, subsidiaries or any entity conducting work on behalf of KSU that involves the use of information assets owned by ETC Deanship. 3. RELATED POLICIES AND PROCEDURES Backup Policy Communications and Operations Management Policy Change Management Policy Change Management Procedure 4. PROCEDURE ENFORCEMENT / COMPLIANCE Compliance with this procedure is mandatory and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is a matter of periodic review by Risk & Information Security Department and any violation of the procedure will result in corrective action by the ISMS Steering Committee. Disciplinary action will be depending on the severity of the violation which will be determined by the investigations. such as termination or others as deemed appropriate by ETC Management and Human Resources Department will be taken. ISMS/A.10.3/BR/PRO/ V1.1 Page 4 of 18 Internal Use Only
5. DOCUMENT OWNER ISMS Manager 6. ROLES & RESPONSIBILITY Each role involved in this procedure shall have main responsibilities as follows: 1. ISMS Manager Evaluating and approving backup and restoration plan according to KSU-ETC Deanship's business needs, considering security and requirements. Informing requester about the results and status of the backup request, backup plan evaluation and approval. 2. Backup Requester / Asset Owners Initiating backup or restoration request and filling up the request form. Coordinating with respective to prepare the request. 3. Evaluating technical requirement of backup in terms of backup frequency, data size, offsite storage, retention and restore. Developing backup plan in terms of backup scope, frequency, type, mechanism, storage location, retention period, encryption, media labeling and media destruction. Planning and performing all activities required for backup and restoration procedures (e.g. obtain, prepare the backup media and prepare systems for the backup/ restoration). Maintaining accurate records of backup and restoration procedures details and components. Evaluating the backup and restore requests according to ETC deanship's business and security needs. Determining the criticality of restore process. Agreeing and reviewing with Backup Requester / Asset Owners in all details of backup and restoration with regard to information security. Ensuring that the backup and restoration procedure is properly implemented. ISMS/A.10.3/BR/PRO/ V1.1 Page 5 of 18 Internal Use Only
7. INVOCATION This procedure shall be followed whenever there is: BACKUP INVOCATION: Request for Backup If there is a business need to backup any information, a request must be initiated; and this procedure will be triggered. Emergency Backup Request / Disaster Response In the event of urgent change, disaster and emergency backup request shall be initiated; and this procedure will be triggered. Conditional Backup Request (Changes Request / Patch Implementation) If there is a change in any information system or a patch needs to be implemented, a backup request shall be initiated in order to roll back the information system to the previous status in case of any an unexpected failure / disaster caused from that change. Periodic Backup Plan If there is a periodic backup request, this procedure shall be invoked. RESTORE INVOCATION: Regular Restoration Request If there is a business need to restore any information, a request will be initiated; and this procedure will be triggered. Emergency Restore In the event of a disaster, an emergency restoration request will be initiated; and this procedure will be triggered. Periodic Backup Restoration Testing To ensure that the backup scheme is working as expected, restoration testing shall be initiated on a periodic basis. ISMS/A.10.3/BR/PRO/ V1.1 Page 6 of 18 Internal Use Only
8. BACKUP PROCEDURE FLOWCHART Backup Procedure Backup Requester / Asset Owners Start Step 1.a Backup Request Received Backup Request Step 1.b Automated Backup Step 2 Process Evaluate Business and Security Requirements Step 4 Backup Process / Verification Step 5 Restore Test Yes Successful No Accept End Step 7 Media Storage Backup and Restoration Log 4 Step 6 Inspect Log and take corrective action Backup and Restoration Log Step 3 ISMS Manager Evaluate Technical needs & Approve Backup Plan Decision Reject Step 8 Inform Requester Start / End Start and end of the procedure Reference to another procedure Another related procedure Input/ Output Input or output infomation Log/Record Storage to file Step 1 An activity / step Decision A decision in a procedure Form Document / Form 1 Follow to step no. Flow of 2 or more different decisions ISMS/A.10.3/BR/PRO/ V1.1 Page 7 of 18 Internal Use Only
9. BACKUP PROCEDURE DETAILS STEP 1.A : BACKUP REQUEST RECEIVED Backup Requester / Asset Owners Input Backup Request Form Backup Requester / Asset Owners will identify backup needs, and fill up backup request form. Proceed to step 2. Output Backup Request Form Backup Business Needs Identification STEP 1.B : AUTOMATED BACKUP Backup Requester / Asset Owners Input Automated Backup Automated Backup scheduled. Proceed to step 4. Output Backup Business Needs Identification STEP 2 : EVALUATE BUSINESS NEEDS Input Backup Request Form Backup Business Needs Identification Once the backup request form initiated, the department will evaluate the request according to business and security needs and then sends it to the ISMS Manager for assessment. Proceed to step 3. Output Backup Request Form with Business and Security Requirements ISMS/A.10.3/BR/PRO/ V1.1 Page 8 of 18 Internal Use Only
STEP 3 : EVALUATE TECHNICAL NEEDS / BACKUP PLAN ISMS Manager Input Output Backup Request Form with Business and Security Requirements Backup Plan Determine technical requirement, dependencies and limitations to perform backup Job once or maintain periodic backup plan. With the participation of the ETC Department Asset Owners, a backup plan will be developed, which consists of the following: Backup scope: what type of information/ data needs back up (e.g. databases, network settings, file system, etc). Backup frequency: durations by which back up will be taken (taking into consideration the criticality/ availability factors). Backup type: is it (full, incremental or online). Backup mechanism: is it (automatic or manual). Backup storage location: the storage for the backup media should be in a secure location on-site/off-site in different zones if possible, taking into consideration the criticality/ availability factors. Backup retention period: establish the retention period for the backup media. Backup encryption: agree if encryption is required, for which data. Media labeling: agree on a labeling scheme. Media destruction: agree on media disposal process. Once the plan has been determined, ISMS Manager will evaluate the plan and decides on approval: If plan is approved, proceed to step 4. If plan is rejected, inform requester and go to step 8. Backup Form with Technical Requirements Backup Plan Approved / Rejected Backup Plan ISMS/A.10.3/BR/PRO/ V1.1 Page 9 of 18 Internal Use Only
STEP 4 : BACKUP / PROCESS VERIFICATION Input Approved Backup Plan Respective department will start backup process, prepare the environment and perform backup on systems / network devices. The backup process will be validated to confirm the success of the process and no problems were encountered by Backup Administrator. Proceed to step 5. Output System / Network Backup STEP 5 : RESTORE TEST Input System / Network Backup Respective department will perform a restore test on a test environment to verify the ability of backup to be restored successfully and meet the requester expectations. If it is successful, go to step 7. If it is unsuccessful, go to step 6 to analyze the issue and then go to step 4 and re-perform the backup if required. Output Successful / Unsuccessful Restore Test STEP 6 : INSPECT BACKUP LOG Input Unsuccessful Backup / Test In case of unsuccessful backup process, respective department will inspect backup logs for errors detection and corrective actions will be taken. Go back to step 4 to retry the backup process again. End process and inform requester if it is failed several times. Update backup and restoration log. ISMS/A.10.3/BR/PRO/ V1.1 Page 10 of 18 Internal Use Only
Output Backup Inspection Results. Corrective Updated Backup and Restoration log STEP 7 : MEDIA STORAGE Input Successful Backup Process Respective department will store Backup media as per Backup Policy. respective department will update backup record and restoration log. End of procedure. Output Successful Backup Media Process and Storage Updated Backup and Restoration Log STEP 8 : INFORM REQUESTER Input Output Rejected Backup Plan Unsuccessful Backup Process Once the request has been rejected, ISMS Manager will inform the requester with justification. Add notification / update the request status. End process if request is rejected / process completed. Approved / Rejected Backup Request. Requester Updated with Request Evaluation and Approval Status. ISMS/A.10.3/BR/PRO/ V1.1 Page 11 of 18 Internal Use Only
10. RESTORATION PROCEDURE FLOWCHART Restoration Procedure Restoration Requester / Asset Owners Start Step 1 Notify ICT Infrastructure Manager Step 5 Restore Verification Successful No 4 Process ISMS Manager Step 2 Evaluate Technical Needs and Approve Overall Request Yes Step 3 Restoration Preparation Type? Emergency 6 Regular Step 4 Restore to Test Environment No Step 8 Inspect Logs & Correct Errors Backup and Restoration Log Successful Step 6 Implement Restoration Yes Step 7 Process Completion Backup and Restoration Log 6 End Start / End Start and end of the procedure Reference to another procedure Another related procedure Input/ Output Input or output infomation Log/Record Storage to file Step 1 An activity / step Decision A decision in a procedure Form Document / Form 1 Follow to step no. Flow of 2 or more different decisions ISMS/A.10.3/BR/PRO/ V1.1 Page 12 of 18 Internal Use Only
11. RESTORATION PROCEDURE DETAILS STEP 1 : NOTIFY ISMS MANAGER Restoration Requester / Asset Owners Input Business Need for Restoration Requester will complete restoration request form and send it to ISMS Manager for evaluation. Proceed to step 2. Output Restoration Business Needs Identification STEP 2 : EVALUATE TECHNICAL NEEDS AND APPROVE OVER ALL REQUEST ISMS Manager. Input Restoration Request Form Restoration Business Needs Identification ISMS Manager will evaluate restoration request from technical point of view and send to step 3. Output Restoration preparation STEP 3: RESTORATION PREPARATION Input Approved Restoration Request Form Respective ETC department will prepare storage media / environment for restoration. Prepare systems / network devices for restoration. If a restoration request is an emergency, jump to step 6. If a restoration request is a regular, proceed to step 4. Output Prepared System and Storage Media ISMS/A.10.3/BR/PRO/ V1.1 Page 13 of 18 Internal Use Only
STEP 4: RESTORE TO TEST ENVIRONMENT Input Prepared System and Storage Media Respective ETC department will perform restoration on the system / network devices on a test environment. Proceed to step 5 to verify the results with requester. Output Test Restoration Process Results STEP 5: TEST RESTORATION VERIFICATION Input Test Restoration / Restore Implementation Process Results The requester will confirm the success of the test / implementation process, the data is restored completely and the restored data is as per the expectations. If a process is successful, proceed to step 6 to perform the restoration. If a process is unsuccessful, go back to step 4 to re-test the restoration. Output Successful / Unsuccessful Test Restoration Process Results STEP 6: IMPLEMENT RESTORATION Input Test Restoration Verification Emergency Restoration Request Respective ETC department will perform / implement restoration on requested production system / devices: If a restoration is successful, proceed to step 7. If a restoration is unsuccessful, proceed to step 8. Output Implementation of Restoration ISMS/A.10.3/BR/PRO/ V1.1 Page 14 of 18 Internal Use Only
STEP 7: PROCESS COMPLETION Input Restoration Process Completion Verification Output Respective ETC department will update the backup and restoration Log. Updated Backup and Restoration Log Closed / Updated Restoration Request Form STEP 8: INSPECT LOG AND CORRECT ERRORS Input Unsuccessful Restoration Process on System / Network Devices. Output In case of unsuccessful restoration process, concerned department will inspect logs for errors detection and corrective actions will be taken. Proceed to step 6 to retry the restoration process again. End process and inform requester if failed several times. Update backup and restoration log. Corrective Backup and Restoration Log Updated Restoration Request Form ISMS/A.10.3/BR/PRO/ V1.1 Page 15 of 18 Internal Use Only
12. ANNEXURE 12.1 FORM SECTION A BACKUP / RESTORE REQUEST System Name/ Label System ID Request Purpose & Description Data Description Requester Name: Signature: Supervisor Name: Signature: Tel #: Email: SECTION B Department: Location: Approved Not Approved Comments: BACKUP PLAN Type of Backup Backup Priority Backup Test Planned Backup Media Storage Location Backup Frequency Backup Type Backup Time (Optional) Periodic / planned Yes Details: On Site Location: Daily Full Date Start: / / Emergency Critical High Weekly Incremental Conditional Medium No Offsite Low Reason: Location: Monthly Differential Change Request Patch Management Other Other Other Date Finish: / / Time Start: Time Finish: SECTION C RESTORE PLAN Type of Restore Restore Priority Restore Test Planned Restore Media Storage Location Restore Reason Other Details Restore Time (Optional) Periodic Test Yes Details: On Site Location: System Fault Date Start: / / Emergency Conditional Change Request Patch Management Other Critical High Medium Low No Reason: Offsite Location: Human error Incident / Disaster Other Date Finish: / / Time Start: Time Finish: RESTORE DOWNTIME (OPTIONAL) DOWNTIME DURATION DOWNTIME APPROVAL Yes (need signatures) Days: Time: Owner Name Signature Date: Date: Start Time: Finish Time: No ISMS/A.10.3/BR/PRO/ V1.1 Page 16 of 18 Internal Use Only
AFFECTED DEPARTMENT WHICH MUST BE NOTIFIED PRIOR TO THE RESTORE DEPARTMENT NAME DIRECTOR NAME SIGNATURE Test Plan Prepared Yes No Test Performed in Test Environment Yes No BACKUP / RESTORE TESTING IF Not Successful Cause : Recommendation: Test Result Successful Not Successful Plan Prepared Yes No Plan Initiated Due to Restore Failure Yes No ROLLBACK / RECOVERY PLAN IF Not Successful Cause : Recommendation: Plan Initiated Result: Successful Not Successful ADDITIONAL REQUIREMENT Technical / Support Documentation Yes No Vendors staffs required in Computer Room Yes (attach access request form) No Implementation Plan attached Yes Not Required Drawing required and approved Yes Not Required SECTION D ISMS MANAGER APPROVAL Department Name Director Name Approval Signature Yes Yes No No ISMS/A.10.3/BR/PRO/ V1.1 Page 17 of 18 Internal Use Only
12.2 RECORD BACKUP AND RESTORATION LOG No. Date System/ Application Name Backup Type Restoration Type Starting Time Finishing Time Status (Backup / Restoration) Person Name Signature Remarks 1. 2. 3. 4. ISMS/A.10.3/BR/PRO/ V1.1 Page 18 of 18 Internal Use Only