Developing and implementing a digital preservation policy as part of digital continuity planning can assist in ensuring that the long-term integrity and availability of important information is maintained, especially when taking into account the potential for data degradation and media, hardware and software obsolescence.
Security Control: 1510; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS
A digital preservation policy is developed and implemented.
Data backup and restoration processes and procedures
Having data backup and restoration processes and procedures is an important part of business continuity and disaster recovery planning. Such activities will also form an integral part of an overarching digital preservation policy.
Security Control: 1547; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
A data backup process, and supporting data backup procedures, is developed and implemented.
Security Control: 1548; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
A data restoration process, and supporting data restoration procedures, is developed and implemented.
Performing backups
When performing backups, all important information, software and configuration settings for software, network devices and other ICT equipment should be captured on a daily basis. This will ensure that should a system fall victim to a ransomware attack, important information will not be lost and that business operations will have reduced downtime.
Security Control: 1511; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups of important information, software and configuration settings are performed at least daily.
Backup storage
To mitigate the likelihood of information becoming unavailable due to accidental or malicious deletion of backups, organisations should ensure that backups are protected from unauthorised modification, corruption and deletion. This can be achieved by storing backups offline, ideally at multiple geographically-dispersed locations, or online but in a non-rewritable and non-erasable manner, such as through the use of write once, read many technologies.
Security Control: 1512; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
Security Control: 1513; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored at multiple geographically-dispersed locations.
Retention periods for backups
To prevent backups from being retained for an insufficient amount of time to allow for the recovery of information, organisations are strongly encouraged to store backups for three months or greater. In addition, when determining backup retention times, organisations are encouraged to consult with relevant retention requirements as documented in the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication.
Security Control: 1514; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Backups are stored for three months or greater.
Testing restoration of backups
To ensure that backups can be restored when the need arises, and that any dependencies can be identified and managed, it is important that full restoration of backups has been tested at least once following the implementation of backup technologies and processes. Furthermore, full restoration of backups should be tested each time fundamental information technology changes occur, such as when deploying new backup technologies. In the intervening time, it is important that regular testing in the form of partial restoration of backups is undertaken.
Security Control: 1515; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
Security Control: 1516; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS
Partial restoration of backups is tested on a quarterly or more frequent basis.
Get Advice
We can speak with you regarding Application Control/Whitelisting, including what to expect from your technical team and your end users.
Change is hard and we can provide you the stepping stones to achieve this requirement.
FAQ Links
- FAQ – Can I have better backups than what is “essential 8” recommended?
- FAQ – What kind of resources do I need for backups?
Product Options
We can help recommend products that allow you to achieve this E8 Requirement.
Maturity Levels – Daily Backups
Level One
Backups of important information, software and configuration settings are performed monthly.
Backups are stored for between one to three months.
Partial restoration of backups is tested on an annual or more frequent basis.
Level Two
Backups of important information, software and configuration settings are performed weekly.
Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
Backups are stored for between one to three months.
Full restoration of backups is tested at least once.
Partial restoration of backups is tested on a bi-annual or more frequent basis.
Level Three
Backups of important information, software and configuration settings are performed at least daily.
Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
Backups are stored for three months or greater.
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
Partial restoration of backups is tested on a quarterly or more frequent basis.
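
An added example, not part of the original page or of the ISM: a Python check that scores a backup inventory against the three maturity levels listed above. The inventory field names, the sample dates and the day counts used for "monthly", "bi-annual" and "quarterly" are assumptions.

```python
from datetime import date, timedelta

# Thresholds follow the maturity table; the day counts chosen for "monthly",
# "bi-annual" (read here as twice a year) and "quarterly" are assumptions.
LEVELS = {
    1: {"max_gap": 31, "retain": 30, "protected": False, "full": None, "partial": 365},
    2: {"max_gap": 7, "retain": 30, "protected": True, "full": "once", "partial": 183},
    3: {"max_gap": 1, "retain": 90, "protected": True, "full": "since_change", "partial": 92},
}

def largest_gap_days(backups, today):
    """Longest run of days without a backup, counting the gap up to today."""
    points = sorted(backups) + [today]
    return max((b - a).days for a, b in zip(points, points[1:]))

def meets(level, inv, today):
    """True if the inventory evidence satisfies every requirement of one level."""
    req = LEVELS[level]
    if not inv["backups"]:
        return False
    last_partial = max(inv["partial_tests"], default=None)
    last_full = max(inv["full_tests"], default=None)
    ok = [
        largest_gap_days(inv["backups"], today) <= req["max_gap"],
        (today - min(inv["backups"])).days >= req["retain"],  # oldest copy still held
        inv["offline_or_worm"] or not req["protected"],
        last_partial is not None and (today - last_partial).days <= req["partial"],
    ]
    if req["full"]:
        # Level Three needs a full restore test dated after the last infrastructure change.
        since = inv["last_infra_change"] if req["full"] == "since_change" else date.min
        ok.append(last_full is not None and last_full >= since)
    return all(ok)

def maturity_level(inv, today):
    """Highest level met; a level only counts if every level below it passes."""
    level = 0
    for n in sorted(LEVELS):
        if not meets(n, inv, today):
            break
        level = n
    return level

# Constructed sample inventory: daily backups for 100 days, held on WORM storage.
TODAY = date(2024, 6, 30)
SAMPLE = {
    "backups": [TODAY - timedelta(days=i) for i in range(100)],
    "offline_or_worm": True, "last_infra_change": date(2024, 2, 1),
    "full_tests": [date(2024, 3, 1)], "partial_tests": [date(2024, 5, 15)],
}
print(maturity_level(SAMPLE, TODAY))  # 3
```

Retention is judged from the oldest copy still held, so a newly deployed backup system scores below Level Three until it has accumulated three months of copies.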