Documentos de Académico
Documentos de Profesional
Documentos de Cultura
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
The purpose of this policy is to define the need for performing periodic computer system backups to ensure that mission critical
administrative applications, data and archives and applications, users' data and archives are adequately preserved and
protected against data loss and destruction. Each ETS unit responsible for providing and operating a mission critical application
must document and perform System Specific Data Backup or at least Minimal Data Backup on a periodic basis.
Computer systems that create or update mission critical State data on a daily basis need to be backed up on a daily basis to
minimize the exposure to loss of mission critical data. The unit responsible for providing and operating such systems must
conduct a systematic and detailed investigation of all the influencing factors leading to the compilation of a comprehensive
System Specific Data Backup Policy. System specific backup policies policy must at least fulfill the requirements of the Minimal
Data Backup Policy.
APPLICABILITY
This policy applies to all operating units of ETS. This backup policy is defined to protect against the following situations:
A backup process takes periodic or real-time images of active data in order to provide a method of recovering records that have
been deleted or destroyed. Most backups are retained only for a few days or weeks as later backup images supersede previous
versions.
A backup is designed as a short-term insurance policy to facilitate disaster recovery, while an archive is designed to provide
ongoing access to decades of business information. Archived (historical) records are placed outside the traditional backup cycle
for a long period of time, while backup operations protect active data that's changing on a frequent basis.
There are now over 10,000 regulations in place throughout the world that require records to be held for certain periods of
time. Companies that do not comply face hefty financial penalties, bad PR and even imprisonment for key board members.
Page 1 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
A record is essentially any material that contains information about the state’s plans, results, policies or performance. In
other words, anything about state business that can be represented with words or numbers can be considered a business
record – and ETS is now expected to retain and manage every one of those records, for several years or even permanently
depending on the nature of the information.
The rules states that if you know ETS is under investigation, or even suspect that it might be, all document destruction and
alteration must stop immediately. And, you must create a statement showing that you’ve ordered a halt to all automatic e-
data destruction practices. ETS also needs to consider all other regulatory rules governing records retention with the
industry. For example, FFIEC, SEC, IRS, etc…most documents must be retained for 7 years.
This Backup and Backup Retention policy does not address mandated requirements for record archiving, such as
Email and business records, however this policy works is concert with the Record Management Policy. Archiving
requirements are defined in the “Record Management, Retention, and Disposition Policy”.
TYPES OF BACKUPS
Backups are created to avoid situations of losing precious data. Backups can be created on daily basis, weekly basis, or monthly
basis. Backups prove useful at the time of data loss, data inaccessibility, software malfunctions, drive corruptions etc. Before a
backup strategy is developed, the types of backups that be performed need to be understood. Defined below are five (5) types.
Full Backup A full backup creates a copy of every file on a storage device. It is Annual (verified) Backup
also the most costly in terms of effort, time and dollar output. The Monthly Backup
media for this can be static (tape, optical disk) or dynamic (disk to
Weekly Backup
disk). These backups are often are used as mandated archive
copies. Daily Backup
Incremental Backup An incremental backup creates copies of only those files or records Weekly Backup
on a storage device that have changed since the last backup. It is Daily Backup
also more complex to restore when a complete files needs to be
restored but it takes less effort to create.
Page 2 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
not hindered.
Data Replication Replication is the process of sharing information so as to ensure Real Time
consistency between redundant resources, such as software or
hardware components, to improve reliability, fault-tolerance, or
accessibility. The same data is stored on multiple storage devices –
either in the same physical location or in a remote location via
network connectivity
Data Deduplication Data deduplication (often called "intelligent compression" or Annual (verified) Backup
"single-instance storage") is a method of reducing storage needs Monthly Backup
by eliminating redundant data. Only one unique instance of the
Weekly Backup
data is actually retained on storage media, such as disk or tape.
Redundant data is replaced with a pointer to the unique data copy. Daily Backup
This is often used for email where the same email can be stored
for several user accounts or for attachments that are duplicated.
Transaction Log A transaction log backup creates copies of only those records (in Daily Backup
Backup some cases before and after images of records) on a storage
device that are changed since the last backup.
STORAGE MANAGEMENT
Storage Management is a data storage process which moves data between high-cost and low-cost storage media.
Storage Management is needed because high-speed storage devices, such as hard disk drive arrays, are more expensive (per
byte stored) than slower devices, such as optical discs and magnetic tape drives. While it would be ideal to have all data
available on high-speed devices all the time, this is prohibitively expensive. Instead, Storage
Management policies are set so that the bulk of the backup data is on slower devices, and then backup data is transferred to
faster disk drives when needed.
System Software Latest Version plus patches At Least Annual (verified) Backup
Weekly Monthly Generations
Weekly Generations
Application Software Latest Version plus patches At Least Annual (verified) Backup
Page 3 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
REQUIREMENTS
The minimal backup policy mandates the following:
• System and application software - All software, whether purchased or developed for the state, is to be protected
by at least one full backup which includes all updates.
• Application data - All application data are to be protected by means of weekly full back-up using the multiple-
generation retention principle.
• System data - System data are to be backed up with at least one generation per month.
• Protocol data - All protocol data are to be protected by means of a full weekly backup using the three-generation
principle.
• Storage - All backup media must be stored in a safe and secure location extraneous to the location of the backed
up systems. All weekly backup media must be stored in a fireproof safe. All software full backup and monthly
backup media must be stored in an off-site backup archive storage location.
• Software licenses and encryption keys necessary to activate both system and application software are to be
backed up with at least one generation per week or daily it they change frequently.
Page 4 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
backup cycle and stored in the off-site backup archive storage location. End of fiscal year and yearly archive data backup
should be generated in multiple copies and each copy stored in a distinct archive storage location. In this way, the risk of
catastrophic loss is minimized at a reasonable media cost.
CLOUD BACKUP
Cloud backup, also known as online backup, is a strategy for backing up data that involves sending a copy of the data over a
proprietary or public network to an off-site server. The server is usually hosted by a third-party service provider, who
charges the backup customer a fee based on capacity, bandwidth or number of users. In the ETS, the off-site server might
be proprietary, but the chargeback method would be similar.
Online backup systems are typically built around a client software application that runs on a schedule determined by the
level of service the customer has purchased. If the customer has contracted for daily backups, for instance, then the
application collects, compresses, encrypts and transfers data to the service provider's servers every 24 hours. To reduce
the amount of bandwidth consumed and the time it takes to transfer files, the service provider might only provide
incremental backups after the initial full backup.
Capital expenditures for additional hardware are not required and backups can be run dark, which means they can be run
automatically without manual intervention.
Page 5 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
In many states, cloud backup services are primarily being used for archiving non-critical data only. Traditional backup is a
better solution for critical data that requires a short recovery time objective (RTO) because there are physical limits for
how much data can be moved in a given amount of time over a network. When a large amount of data needs to be
recovered, it may need to be shipped on tape or some other portable storage media.
Amount of Data Best when the total amount to protect is For large amounts of data,
less than 100 GB per 1 Mb of network or for environments with
bandwidth. For example, 100 GB can be limited network
supported by a 1 Mb WAN connection. connectivity, traditional
backup techniques are
more appropriate.
Rate of Data Change Best when the rate of change is less than For data that changes
10% of the total data per month. frequently, traditional
back-up methods that use
local disk and tape, with
tape transport off-site are
more appropriate
RESPONSIBILITIES
Each backup process should have at least one individual in a defined role in charge and one substitute. In the case of
employee termination or removal from that role the Chief Information Officer (CIO) and/or Chief Security Officer (CSO)
should immediately see that the substitute assumes those responsibilities and a new substitute is assigned. These
responsibilities and this process should be documented in the Disaster Recovery/Business Continuity Plan.
• The backup processes fit within the necessary operational window (i.e. a daily backup should not take 25 hours)
• The restoration processes fit within the necessary operational window (i.e. master file restoration should not take
25 hours)
• The restoration is effective, efficient, and accurate
• The documentation is adequate to communicate to someone unfamiliar with the particular process to be able to
conduct the backup, store the media, recover the media, and restore the data in an emergency situation.
Page 6 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
• This testing should be used as training for other staff members in the backup and restoration policies and
procedures.
System Software Latest Version plus patches At Least Annual (verified) Backup
Weekly Monthly Generations
Weekly Generations
Application Support Latest Version plus patches At Least Annual (verified) Backup
Software Weekly Monthly Generations
Weekly Generations
Application Software Latest Version plus patches At Least Annual (verified) Backup
Weekly Monthly Generations
Weekly Generations
System Data Daily Annual (verified) Backup
Monthly Generations
Weekly Generations
Daily Generations
Daily with real time transaction files
Application Data Annual (verified) Backup
Monthly Generations
Weekly Generations
Daily Generations
Software keys & weekly Annual (verified) Backup
Protocol Data Monthly Generations
Weekly Generations
System specific data backup policy and procedures are driven by various factors, including:
• System hardware
• OS
• Application support systems
• Application software
• Volume of data (both master files and transactions)
• Velocity of data updates
• Criticality of the application for states’ continued viability
The system specific backup policy mandates the following for each of those systems deemed as unique and necessary for
the continued operation of ETS which may have to be restored independently of other applications of functions:
• Software - All software, whether purchased or developed for ETS, is to be protected by at least one full backup
which includes all updates.
Page 7 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
• System data - System data are to be backed up with at least one generation per month.
• Application support software - All application support data are to be protected by means of a weekly full back-up
using the multiple-generation retention principle.
• Application data - All application data are to be protected by means of a weekly full back-up using the multiple-
generation retention principle.
• Protocol data - All protocol data are to be protected by means of a full weekly backup using the three-generation
principle.
• Storage - All backup media must be stored in a safe and secure location extraneous to the location of the backed
up systems. All weekly backup media must be stored in a fireproof safe.
• All software full backup and monthly backup media must be stored in an off-site backup archive storage location.
• Software licenses and encryption keys necessary to activate both system and application software are to be
backed up with at least one generation per week or daily it they change frequently
BACKUP RETENTION
Backup cycles are defined for daily, weekly, monthly and annual periods. A daily-generation full daily backup cycle involves
retaining seven sets of backups (one week, SSMTWTF). Then the seventh daily backup is retained for one month, as part of a
weekly backup cycle and stored in a local safe. The fourth weekly backup is retained for one year as part of a monthly backup
cycle and stored in the off-site backup archive storage location. End of fiscal year and yearly archive data backup should be
generated in multiple copies and each copy stored in a distinct archive storage location. In this way, the risk of catastrophic loss
is minimized at a reasonable media cost.
The backup process and media should fully document the following items for each generated backup:
Page 8 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
STORAGE
Backup media, documentation on its use, and necessary hardware and software should be stored in a fireproof and
protected location. In the case of magnetic media they should be in a case or vault that is shielded from electro-magnetic
radiation. For maximum safety the archive media should be stored at a site that is removed from where the backup media
is to be used if necessary.
RESPONSIBILITIES
Each backup process should have at least one individual in a defined role in charge and one substitute. In the case of
employee termination or removal from that role the Chief Information Officer (CIO) and/or Chief Security Officer (CSO)
should immediately see that the substitute assumes those responsibilities and an new substitute is assigned. These
responsibilities and this process should be documented in the Disaster Recovery/Business Continuity Plan.
• The backup processes fit within the necessary operational window (i.e. a daily backup should not take 25 hours)
• The restoration processes fit within the necessary operational window (i.e. master file restoration should not take
25 hours)
• The restoration is effective, efficient, and accurate
• The documentation is adequate to communicate to someone unfamiliar with the particular process to be able to
conduct the backup, store the media, recover the media, and restore the data in an emergency situation.
Page 9 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
In a study, the University of California at Santa Cruz showed that 90% of data stored to NAS was never accessed again, and
another 6.5% of the data was only accessed once more. It has been estimated that more than 95 percent of data stored is
rarely accessed beyond 90 days after it was created.
A best practice is to have a set of defined policies and procedures that manage and control it. The policies and procedures
should include:
• Craft the processes and procedures you need to ensure backups are completed properly, including assigning
responsibility for getting backups accomplished and monitoring the effort to spot problems, while also ensuring
that those responsible are sufficiently trained.
• Ensure that backup copies are valid and can be successfully restored, which requires that you rank the importance
of your data and establish ways that the most important data is backed up first and restored first. Be sure that you
have adequate time to back-up all the data that is important to your business, and be sure to understand the time
required to restore that data in case of loss or corruption. This includes regularly checking and testing your
equipment, media, and processes.
• Ensure that backup copies are safe. This means storing your backups in a logically and physically secured offsite
location. It also means ensuring that you haven’t backed up viruses and other malware, spam, and data that is not
important or that is harmful to your business.
• Maintain backup logs so you — and your auditors — can track backup activities.
• Regularly revisit your backup/restore risks, procedures, and technologies to make sure they are adequate as
business needs and conditions evolve.
• Dispose of backup media carefully, making sure that they are physically destroyed so that their contents cannot
be read by the unauthorized.
Page 10 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
MINIMIZE RISK
It is a best practice to hold at least 3 copies of data in different locations, including one of these stored in a remote
region for disaster recovery purposes in the case of fire, flood, earthquake or business interruption event. Data
encryption is a best practice that can and does protect data that is at rest or in transit and is mandated by a number of
federal, state, and institutional regulatory bodies It's not just about the reliability of the technology you choose or the
security of your location, but about the overall strategy for holding multiple copies on different media, online and
offline, secured and protected.
In a data archiving TCO study, the total cost of ownership over a five year period for the longterm storage of data in a
tiered storage archiving environment was examined. The analysis compared a disk-to disk solution to a solution
consisting of a mixture of disk and tape. After factoring in acquisition costs of equipment, media, electricity costs and
data center floor space, the study found that the total cost of archiving solution based on disk was about 23 times
more expensive than a tape library archiving solution.
Page 11 of 12
BACKUP AND RETENTION POLICY
NUMBER: 107-08-nnn
EFFECTIVE DATE: mm-dd-2015
• Regular testing of process and media - with all backup data, regardless of technology used for storage, frequent
testing of restore the capability essential.
• Shelf life - you need to ensure that the storage medium selected has sufficient expected shelflife. In general, tape
offers between 4 and 6 times the life expectancy of disk, with media manufacturers specifying up to 15 years for
DAT and up to 30 years for LTO tape media.
• Efficient restores – the amount of time it takes to restore data needs to fall within the operational requirements
of the enterprise.
Page 12 of 12