Information Security Standards



Electronic backups are a requirement to enable the recovery of data and applications in case of events such as natural disasters, system disk drive failures, corruption, data entry errors, or system operations errors. The purpose of the University backup/recovery procedure is to establish the process for the backup and storage of information resources.


This procedure applies to all University resources that contain mission critical information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with backup/recovery of information resources. The intended audience is all University staff responsible for the support and operation of University information resources which contain mission critical information. In addition, these procedures may be applied to non-mission critical information systems to aid in their recovery.


1. The frequency and extent of backups shall be determined by the importance of the information, potential impact of data loss/corruption, and risk management decisions by the information system owner or data owner.

2. Mission critical information backup and recovery processes for each system, including those for offsite storage, shall be documented and reviewed periodically.

3. Appropriate physical access controls must be documented and implemented at offsite backup storage locations.

4. Processes must be in place to verify that the actual offsite storage of mission critical data is taking place.

5. Backups shall be periodically tested to ensure that they are recoverable.


Last Updated March 31, 2014