The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Note: This control has one or more sub-controls that must be validated manually.
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.
1. Quick wins: Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. All backup policies should be compliant with any regulatory or official requirements.
2. Quick wins: Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
3. Quick wins: Train key personnel on both the backup and restoration processes. To be ready in case a major incident occurs, alternative personnel should also be trained on the restoration process in case the primary IT point of contact is not available.
4. Configuration/Hygiene: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
5. Configuration/Hygiene: Store backup media, such as hard drives and tapes, in physically secure, locked facilities. End-of-life backup media should be securely erased/destroyed.
CP-9 (a, b, d, 1, 3), CP-10 (6)
Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining an organization's capability to restore systems in the event that data need to be restored because of a data loss or breach of a system. While backups are certainly an important part of this process, the ability to restore data is the critical component. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production business systems are backed up on a regular basis to authorized organizational backup systems.
Step 2: Backups created are stored offline at secure storage facilities.