Policy Statement

Data backup is an integral part of disaster recovery planning.  Data backup protects against the loss of data in the event of a physical disaster, data corruption, error propagation in resilient systems, hardware or software failure, or other incident which may lead to the loss of data.  The backup requirements found in this Policy will allow business processes, teaching and learning activities, research projects and university operations to be resumed in a reasonable amount of time, based on criticality, with minimal loss of data.

Web Address For This Policy

To Be Determined

Scope

This Data Backup Policy applies to:

• IT infrastructure and other services which facilitate Information Systems. 
• Cloud or Third-Party hosted infrastructure and other services which facilitate Information Systems.
• Information Systems that process or store OU data this include desktop devices and workstations.
• The processes, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems and applications which are vital to OU after a disaster or outage.
• College(s), department(s), unit(s), or research projects that maintain or is responsible for a Unit-Critical system or data.

Definitions

1. Information System, defined as any and all online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data, including but not limited to, servers, network infrastructure, computers, tablets, distributed processing systems, network attached and computer controlled medical and laboratory equipment, telecommunication resources, network environments, telephones, fax machines, and printers.  Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
2. Essential IT Service, defined as a system or service considered critical to the University and included in the OU IT Disaster Recovery Plan.  Essential IT Services provide supporting infrastructure to the University and its Mission- or Unit-Critical IT Services.  Essential IT Services may include, but are not limited to: OU network infrastructure, data centers, voice and telephony systems, account and identity management services, centralized storage services, virtual hosting platforms, and university messaging and collaboration services.
3. Mission Critical Service, defined as a system or service considered critical to a university mission and included in the OU IT Disaster Recovery Plan. 
4. Unit Critical Service, defined as a system or service considered to a college, unit, center, institute, or department and included in a department IT Disaster Recovery Plan. 
5. Non-Critical IT Service, defined as a system or service considered to be non-critical and has a Recovery Time Objective of three (3) days or more.
6. Record, defined by Oklahoma Statutes at 67 O.S. Sec. 203, may take many forms.  They include but are not limited to documents, books, papers, photographs, computer disks, electronic mail, video, or audio recordings. 
7. Recovery Time Objective (RTO), defined as the maximum time allowed for the recovery of an IT system or service following an interruption. 
8. Recovery Point Objective, defined as the acceptable amount of data loss measure in time. 

Procedure

Roles and Responsibilities

Asset Administrator

The individual(s) responsible for the overall procurement, development, integration, modification, and operation and maintenance of an Information System. 

• Maintain adequate infrastructure resiliency and document data backup and restoration processes for essential and mission-critical data and the IT systems assigned to them.
• Maintain an inventory of backup jobs and reconcile to RPO requirements.
• Test backup and recovery procedures, at least annually.
• Provide a status update regarding the existence data backup and restoration process documentation to OU IT GRC as part of the OU Security Assessment.

The Data Backup Service Owner is responsible for the selection of, implementation, ongoing maintenance, and availability of enterprise data backup services for regulated and/or confidential data and systems.  The Data Backup Service Owner team will provide backup and restoration job assistance for OU IT Enterprise Backup, OU IT Replication services.

The Research Data Backup Service Owner is responsible for the selection of, implementation, ongoing maintenance, and availability of data backup services for research data and systems.  The Research Data Backup Service Owner team will provide backup and restoration job assistance for OURdisk, OURdrive, and OURRstore services.

The Mission Support role is responsible for assisting Students, Staff, and Faculty within colleges they support, in selecting and implementing data backup strategies that meet their needs, using existing services, if possible.  If existing services are not appropriate, Mission Support assists Students, Staff, and Faculty in completing a Security Assessment for new backup services.  Mission Support may provide backup and restoration job assistance to Students, Staff, or Faculty using Microsoft Backup and Restore or Apple Time Machine tools.

The IT Services role is responsible for monitoring the availability of the Essential and Mission Critical services defined in this Plan.  IT Services may also support Students in selecting and implementing data backup strategies that meet their needs, using existing services, if possible.

Backup

Backup controls provide a set of procedures for implementing, monitoring, protecting, and testing of backup and recovery procedures for IT systems or services (user level, system level, and system documentation including security-related documentation). 

1. Backup and recovery processes for IT systems or services, including those for off-site storage, shall be documented and reviewed as part of required IT Disaster Recovery Plan testing, or more often as needed, with changes to IT systems or services.  See OU IT Disaster Recovery Policy.
2. Data stored or processed shall be backed up on a scheduled basis according to the relevant Business Impact Analysis.
3. Backups for Category A, B, C, D1, or E data shall be stored in an encrypted format.
4. The frequency and extent of backups shall be determined by the business impact analysis and the RPO.
5. Physical access controls implemented at off-site backup storage locations shall meet or exceed the physical access controls of the original site.  This may include but is not limited to: verifying individual access authorizations for physical access requests, utilizing building access control technologies (e.g., electronic badge access readers, physical keys, combination locks), escorting and monitoring visitor activities and maintaining access audit logs.    
6. Backup and recovery procedures shall be tested to ensure that they are viable, following the matrix below:
   1. Essential IT systems or services: Every two (2) years
   2. Mission-Critical or Unit-Critical IT systems or services: Every three (3) years
   3. Non-Critical IT systems or services:  Every five (5) years
7. All electronically backed up systems or services shall be inventoried and reconciled to the business impact analysis and RPO, at least annually. 
8. All software or technology used to provide backups must undergo a Security Assessment in accordance with the OU Cybersecurity Policy.

References

1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.IP-9
2. National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information, 3.6.1, 3.6.2
3. General Data Protection Regulation (GDPR)
4. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §164.308(a)(6), §164.308(a)(7), §164.308(a)(7)(ii)(D), §164.310(a)(2)(i), §164.312(a)(2)(ii)
5. Payment Card Industry (PCI) Data Security Standards
6. Gramm-Leach-Bliley Act (GLBA) Safeguards Title 16 I, Subchapter C, Part 314.4(h)
7. U.S. Department of Education, Protecting Student Privacy, Data Governance Checklist
8. OU HIPAA Policy – Documentation Requirements
9. OU IT Disaster Recovery Policy