IT Security Policy 108 - Backups

Status: Draft
Last Revision Date: 13 July 2022

Statement of Purpose

Ensuring secure and accessible data backups is essential for recovery from disasters or security incidents. Malware, such as ransomware, can render data inaccessible, while other forms of malware may corrupt data or damage storage devices. Additionally, natural or man-made disasters may necessitate rebuilding entire system environments. A well-defined backup policy supports best practices and mitigates the risks associated with data loss and operational disruptions.

To achieve this objective, mission-critical data must be stored in recoverable ITS resources.

Policy Summary

Enterprise systems, confidential information, and private data shall be backed up and recoverable in accordance with Clackamas Community College’s Business Continuity requirements. This policy is subject to and superseded by applicable regulations and laws.


Policy

  1. Scheduled backups shall be performed for structured data stored in enterprise databases based on defined business recovery needs.

  2. Colleague database backups (transactional logs) shall occur hourly.

  3. On-premises virtual machines for production use shall be protected by backup copies when the estimated time to recover from backup is shorter than the time to rebuild from scratch.

  4. File data located on Clackamas Community College’s on-premises servers shall be protected by backup copies.

  5. On-premises data backups shall be scheduled nightly, with a full backup conducted at least once per week.

  6. Backup data shall be retained on-site for thirty (30) days for quick retrieval.

  7. After thirty (30) days, backup data shall be moved to archive storage and retained for up to one (1) year.

  8. Unstructured (i.e., personal/file-based) mission-critical and controlled sensitive data, along with any other data requiring recovery, shall be stored on shared network drives.

  9. Legal, regulatory, privacy, and security considerations shall be evaluated before collecting, processing, sharing, or storing institutional or personal data in the cloud.

  10. Controlled sensitive data shall not be stored in third-party cloud services unless there is a contractual agreement between Clackamas Community College and the service provider (e.g., Clackamas Community College’s Google contract) ensuring confidentiality and recoverability.

  11. Cloud services that store Clackamas Community College data shall require approval from the Chief Information Security Officer (CISO).

  12. Physical media used for archived data storage shall be securely stored for at least one (1) year from the last recorded date. Access shall be restricted to authorized personnel. Storage in a fire-resistant safe meets this requirement.

  13. Physical media shall be encrypted, with encryption keys managed in accordance with the applicable key storage policy.

  14. At least one copy of backup data shall be retained at an off-site location.

  15. All media couriers and transport mechanisms shall require approval from the CISO.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).