Information Security Backup Policy

Purpose

The purpose of this policy is to maintain the data integrity and availability of LightForce’s IT Resources, to prevent loss of data, and to facilitate the restoration of the IT Resources and business processes.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the LightForce community including staff, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, LightForce’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Definitions

IT Resources

IT resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Backup

Saving or copying information onto digital storage media.

Restore

Performed to return data that has been lost, stolen, or damaged to its original condition or to move data to a new location.

Recovery Point Objective (RPO)

The maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.

Recovery Time Objective (RTO)

The maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

Policy

Server and Hosted Data Backup Policy

Backup procedures and policies are developed for two purposes: disaster recovery and data recovery. In the event of a catastrophe due to a physical disaster, personnel error, or other misfortune, reliable backups must provide timely and accurate restoration of all functions of the organization. Data recovery may be required to restore programs, information, or other data that have become corrupted or been inadvertently removed.

  • Backup procedures for all servers must be approved by IT. Procedures must include an appropriate time schedule, media description, co-located storage, documentation, and testing process.
  • Knowledge of the backup location and access to the site should be limited to a few key people within the organization, but at least two individuals should have access.
  • Wherever possible, backups should be protected in transit and at rest via encryption.
  • Backups must be performed in a manner that supports the information Recovery Point Objective (RPO).
  • An inventory of backups must be maintained.
  • A backup restore must be performed annually to validate the defined RPO and RTO.
  • Backup retention should be per LightForce’s Information Security Policy: https://it-security.lightforceortho.com/security_policies/Information_Security_Policy.html
  • Backup and recovery documentation must be reviewed and updated regularly to account for new technology, business changes, and migration of applications to alternative platforms.