Security Control: 1510; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS
A digital preservation policy is developed and implemented.

Having data backup and restoration processes and procedures is an important part of business continuity and disaster recovery planning. Such activities will also form an integral part of an overarching digital preservation policy.

Security Control: 1547; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
A data backup process, and supporting data backup procedures, is developed and implemented.

Security Control: 1548; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
A data restoration process, and supporting data restoration procedures, is developed and implemented.

When performing backups, all important information, software and configuration settings for software, network devices and other ICT equipment should be captured on a daily basis. This will ensure that should a system fall victim to a ransomware attack, important information will not be lost and that business operations will have reduced downtime.

Security Control: 1511; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups of important information, software and configuration settings are performed at least daily.

To mitigate the likelihood of information becoming unavailable due to accidental or malicious deletion of backups, organisations should ensure that backups are protected from unauthorised modification, corruption and deletion. This can be achieved by storing backups offline, ideally at multiple geographically-dispersed locations, or online but in a non-rewritable and non-erasable manner, such as through the use of write once, read many technologies.

Security Control: 1512; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored offline, or online but in a non-rewritable and non-erasable manner.

Security Control: 1513; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored at a multiple geographically-dispersed locations.

To prevent backups from being retained for an insufficient amount of time to allow for the recovery of information, organisations are strongly encouraged to store backups for three months or greater. In addition, when determining backup retention times, organisations are encouraged to consult with relevant retention requirements as documented in the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication.

Security Control: 1514; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored for three months or greater.

To ensure that backups can be restored when the need arises, and that any dependencies can be identified and managed, it is important that full restoration of backups has been tested at least once following the implementation of backup technologies and processes. Furthermore, full restoration of backups should be tested each time fundamental information technology changes occur, such as when deploying new backup technologies. In the intervening time, it is important that regular testing in the form of partial restoration of backups is undertaken.

Security Control: 1515; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.

Security Control: 1516; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS
Partial restoration of backups is tested on a quarterly or more frequent basis.