Backup and Recovery Policy

Version: 1.00
Issue Date: 12/16/2014

This Backup and Recovery Policy is intended to ensure that computers are regularly backed up to prevent loss of data. All information stored in electronic form is required to be backed up to keep it safe in the event of system failure, disasters, or attacks. Information required to re-create the environment and services must be backed up, including not only the data but also operating system software, application software, information about contacts required to acquire new equipment, organizational financial account information, and information about the business function including procedures, policies, and processes. A copy of backup and recovery procedures must be stored away from the primary site so they are not destroyed in the event of a disaster.

1.0 Overview

This Backup and Recovery Policy is an internal IT policy which defines the backup policy for computers within the organization which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. Servers expected to be backed up include the file server, the mail server, and the web server.

2.0 Purpose

This Backup and Recovery Policy is designed to protect data in the organization to be sure it is not lost and can be recovered in the event of an equipment failure, intentional destruction of data, or disaster.

3.0 Scope

This Backup and Recovery Policy applies to all equipment and data owned and operated by the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  1. Backup - The saving of files onto magnetic tape or other offline mass storage media for the purpose of preventing loss of data in the event of equipment failure or destruction.
  2. Archive - The saving of old or unused files onto magnetic tape or other offline mass storage media for the purpose of releasing on-line storage room.
  3. Restore - The process of bringing data back from the offline media and putting it on an online storage system such as a file server.

5.0 Backup Identification

IT management is responsible for identifying all systems, vendor-supplied programs including operating systems and application programs, IT policies, IT procedures, contact information for vendors and business partners, and any other relevant information needed to rebuild the IT department from scratch in the event of a disaster. The business owners are responsible for identifying similar items required to rebuild their business function in the event of a disaster. IT management, working with the business owners, must identify specific items relating to the business that must be backed up regularly and the frequency of backup. Any backups done on a slower schedule than documented in this policy must be agreed to in writing by the business owner and IT management.

IT management is responsible for creating procedures for transferring the identified items required for business rebuild offsite and ensuring they are transferred by delegated staff. IT management must be sure procedures exist and are kept both on and offsite for the purpose of both file recovery and disaster recovery.

6.0 Timing

Full backups are performed nightly on Monday, Tuesday, Wednesday, Thursday, and Friday. If, for maintenance reasons, backups are not performed on Friday, they shall be done on Saturday or Sunday. IT management is responsible for ensuring the backups are performed as scheduled. IT management delegates specific system administrators to perform specific backups, and those administrators are responsible for carrying out that function, but the IT managers must ensure that the administrators perform and check backups in a timely manner.

7.0 Tape Storage

There shall be a separate tape or set of tapes for each backup day including Monday, Tuesday, Wednesday, and Thursday. There shall be a separate tape or set of tapes for each Friday of the month such as Friday1, Friday2, etc. Backups performed on Friday or weekends shall be kept for one month and may be used again the next month on the applicable Friday. A monthly backup of all data should be kept at least one year. Backups performed Monday through Thursday shall be kept for one week and used again the following appropriate day of the week.

8.0 Tape Drive Cleaning

Tape drives shall be cleaned weekly and the cleaning tape shall be changed monthly.

9.0 Monthly Backups

Every month a monthly backup tape shall be made using the oldest backup tape or tape set from the tape sets.

10.0 Age of tapes

The date each tape was put into service shall be recorded on the tape. Tapes that have been used longer than six months shall be discarded and replaced with new tapes.

11.0 Responsibility

The IT department manager shall delegate a member of the IT department to perform regular backups. The delegated person shall develop a procedure for performing and testing backups, and shall test the ability to restore data from backups on a monthly basis.

12.0 Testing

The ability to restore data from backups shall be tested at least once per month.

13.0 Data Backed Up

Data to be backed up include the following information:

  1. User data stored on the hard drive.
  2. System state data
  3. The registry
  4. Application software

Systems to be backed up include but are not limited to:

  1. File server
  2. Mail server
  3. Production web server
  4. Production database server
  5. Domain controllers
  6. Test database server
  7. Test web server

14.0 Archives

Archives are made at the end of every year in December. User account data associated with the file and mail servers is archived one month after the user has left the organization.

15.0 Restoration

Users who need files restored must submit a request to the help desk. The request must include information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.

16.0 Tape Storage Locations

IT management must determine and specify an offsite location(s) for storage of backup tapes for recovery in the event of a system loss or loss of a room, and also in the event of a disaster in a local area. The storage locations must be physically secure enough to keep the backup media safe considering the sensitivity of the data stored on the media. The storage locations must have sufficient environmental controls to keep the backup media from degrading.

Offline tapes used for nightly backup shall be stored in an adjacent building in a fireproof safe. Monthly tapes shall be stored across town (recommended no less than five miles away) in our other facility in a fireproof safe. The administrator shall transport the required tapes or make arrangements for someone to transport the tapes with the approval of management.

This policy may contain descriptions about how various systems and types of systems are backed up such as Windows or UNIX systems.

17.0 User Backup Responsibilities

Users are responsible for either storing their data on a networked file server rather than on their local workstation, or making arrangements for their workstation to be backed up or backing it up themselves on a regular basis. The frequency of backup and whether the data can be stored on a workstation depend on the business criticality of the data for preserving the business function. Storage of critical or sensitive data in a location other than a networked server must be approved by management.

18.0 Other Backup Responsibilities

  • Management must delegate someone to make periodic images of production servers for use in restoring the server in the event of a catastrophic hardware failure or a disaster.
  • The image should be stored offsite. Hardware requirements and specifications for all servers should be saved and stored offsite.
  • Backup inventory must be tracked using implemented procedures. The locations of backup media must be known by delegated and authorized IT staff.
  • Equipment used for restoration must be compatible with the backup media. This means that in the event of a disaster, backup reading equipment that is available must be capable of reading the backup media.
  • All data and information required to rebuild the business including source code for developed programs, procedures, policies, software, system documentation, program documentation, network documentation, and contact information must be stored offsite.

19.0 Enforcement

Since data preservation is important to maintain the organizational services, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

20.0 Other Requirements

  • Files that are required to be backed up should be recorded for each server.
  • Auditors should audit every six months to be sure all servers are being backed up regularly. Auditors must report results to senior management.


Approved by:__________________________ Signature:_____________________ Date:_______________