SOME OF THE INFORMATION IN THESE GUIDELINES IS TAKEN FROM THE “CONTINGENCY PLANNING GUIDE FOR INFORMATION TECHNOLOGY SYSTEMS: RECOMMENDATIONS OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY” (NIST SPECIAL PUBLICATION 800-34), U.S. DEPARTMENT OF COMMERCE, JUNE 2002.

System data should be backed up regularly, and the data backup and storage policy should describe the following controls:

  • Who is responsible for the backup plan. The policy should name who in the organization is responsible for creating, managing, and testing the backup plan. Testing means periodically restoring from backup media and verifying the result; a backup that has never been restored from is an untested assumption.
  • Backup method and media. Data may be backed up to magnetic disk, tape, optical media (such as compact disks) or, historically, floppy disks; methods include electronic vaulting and mirrored disks (using direct access storage devices [DASD] or RAID). The method chosen should follow from the system’s availability and integrity requirements. Note that mirroring protects against media failure but faithfully replicates corruption and deletion, so it does not replace point-in-time copies. Paper copies can also serve as a backup for some records.
  • Frequency and scope of backups. The policy should state whether backups are daily, weekly, or monthly, and whether they are incremental or full, based on data criticality and how often new information is introduced. An incremental backup is only restorable together with the last full backup and every incremental taken since it, so the frequency of full backups bounds the length of the chain that must survive intact.
  • Scope of information backed up. The policy should state whether backups cover all electronic information or only electronic protected health information and other sensitive data.
  • Location of stored data. It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect it from environmental hazards. If offsite storage is used, data is backed up at the organization’s facility and then labeled, packed, and transported to the storage facility; media that leaves the organization’s control should be encrypted, since a lost or stolen tape is otherwise a disclosure of everything on it. When selecting an offsite storage facility and vendor, the following criteria should be considered:
    • Geographic area. Distance from the organization and the probability of the storage site being affected by the same disaster as the organization.
    • Accessibility. Length of time necessary to retrieve the data from storage and the storage facility’s operating hours.
    • Security. Physical and procedural security of the storage facility and the confidentiality obligations of its employees, which must meet the sensitivity and security requirements of the data.
    • Environment. Structural and environmental conditions of the storage facility (e.g., temperature, humidity, fire prevention, and power management controls).
    • Cost. Cost of shipping, operational fees, and disaster response/recovery services.
  • File-naming conventions. Backup sets and media labels should identify the system, the date, and the backup type (full or incremental) so the correct set can be located quickly during recovery.
  • Media rotation frequency. How often backup media are reused, together with the rule that a medium is not overwritten while any backup set it holds is still within its retention period.
  • Method for transporting data offsite. If the data is required for recovery or testing purposes, the organization may contact the storage facility and request that specific data be transported to the organization or to an alternate facility. Commercial storage facilities often offer media transportation and response and recovery services.
  • Generations of backups retained. How many full backup sets, each with the incrementals that depend on it, are kept before the oldest is rotated out.
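The last three controls interact: a medium can only be rotated once every backup set on it has fallen outside the retained generations, and an incremental is worthless without the full backup it extends. The following Python example, added here and not part of the NIST guide or of these guidelines, works through that interaction on a constructed tape inventory. The data class, function names, and media labels are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    taken: date     # date the backup set was written
    kind: str       # "full" or "incremental"
    media: str      # label on the tape or disk holding this set


# Constructed sample inventory (not real data): weekly fulls with incrementals
# in between, one incremental appended to an older tape, and one incremental
# with no preceding full.
SAMPLE = [
    Backup(date(2024, 1, 3), "incremental", "Z99"),   # orphan: no full before it
    Backup(date(2024, 1, 7), "full", "A01"),
    Backup(date(2024, 1, 8), "incremental", "A02"),
    Backup(date(2024, 1, 9), "incremental", "A02"),
    Backup(date(2024, 1, 14), "full", "B01"),
    Backup(date(2024, 1, 15), "incremental", "B02"),
    Backup(date(2024, 1, 21), "full", "C01"),
    Backup(date(2024, 1, 22), "incremental", "B02"),  # appended to tape B02
    Backup(date(2024, 1, 28), "full", "D01"),
    Backup(date(2024, 1, 29), "incremental", "D02"),
]


def plan_rotation(backups, generations):
    """Split an inventory into (keep, rotate, orphans).

    A generation is one full backup plus every incremental taken before the
    next full.  An incremental is only restorable with its full, so a whole
    chain is kept or rotated as a unit.  The newest `generations` chains are
    kept, including a chain that is still being extended.  Incrementals with
    no earlier full are returned as orphans: nothing can be restored from
    them, and they should be investigated rather than silently reused.
    """
    if generations < 1:
        raise ValueError("at least one generation must be retained")
    chains, orphans = [], []
    for b in sorted(backups, key=lambda b: b.taken):
        if b.kind == "full":
            chains.append([b])
        elif b.kind == "incremental":
            if chains:
                chains[-1].append(b)
            else:
                orphans.append(b)
        else:
            raise ValueError(f"unknown backup kind: {b.kind!r}")
    keep = [b for chain in chains[-generations:] for b in chain]
    rotate = [b for chain in chains[:-generations] for b in chain]
    return keep, rotate, orphans


def reusable_media(keep, rotate):
    """Media labels that may now be overwritten.

    A tape that also holds a set from a kept chain is NOT reusable even if
    some of its contents have expired, so kept labels are subtracted.
    """
    return sorted({b.media for b in rotate} - {b.media for b in keep})


if __name__ == "__main__":
    keep, rotate, orphans = plan_rotation(SAMPLE, generations=2)
    print("keep   :", [(b.taken.isoformat(), b.kind, b.media) for b in keep])
    print("rotate :", [(b.taken.isoformat(), b.kind, b.media) for b in rotate])
    print("orphans:", [(b.taken.isoformat(), b.media) for b in orphans])
    print("media free for reuse:", reusable_media(keep, rotate))
```

With two generations retained, the sets from 7 and 14 January expire, but tape B02 stays off the rotation list because the incremental of 22 January was appended to it, and the 3 January incremental is reported as an orphan rather than being counted toward any generation.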