You are here

Data Backup Protection Policy

Effective Dates and Issuing Authority

Effective Date:  July 1, 2011
Date Last Reviewed: January 8, 2013
Date Scheduled for Review:  January 2014
Issuing Authority:   Chief Information Security Officer

Main Goal

The main goal of the enterprise data protection strategy is to protect Temple’s enterprise data by having it backed up to an alternate location away from where the primary data resides. Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, sabotage, data entry errors, or system operations errors.

Technology

Either tape-based or disk-based technology will be used to back up the data of all enterprise level systems

The backup solutions reside in the WDC data center. It is assumed that enterprise production systems are located in the JDC data center. At pre-defined time intervals as specified in a backup plan (see below), a backup of the live data will be performed to our storage located in the WDC data center.  This data represents a point in time and is considered backup data.  For most non-critical systems, backup data and the live data constitute the two locations. Data deemed as mission critical may be replicated between locations using our Storage Area Network (SAN) technology. This guarantees that the data resides in at least two locations in a live production mode as well as at the second location as point-in-time backup data. Due to cost related constraints, the use of a replicated data solution is limited to select University mission critical systems, typically defined as Disaster Level Zero (DR0).

For mission-critical data that requires a higher level of protection, tapes are sent to an off-site vaulting Vendor location. This approach is subject to change in the future if better, more cost-effective options become available.

Service Availability

Backup services are NOT available as a standalone option.  Backup services are bundled with storage services.  The bundled storage/backup services can be purchased for a cost. Please contact ios@temple.edu for details.

Guidelines

The purpose of these guidelines is to establish the rules for the backup of electronic information. These guidelines shall be followed by all individuals responsible for the installation and support of Information Resources, individuals charged with Information Resources security, and data owners.

A backup plan must accompany each data set being backed up. This plan will include backup frequency, files or file systems to be backed up, backup type (full, incremental, etc.) and retention requirements.  Backups will be carried out according to this plan. Backup requirements must be planned for and in alignment with those requirements associated with storing the live data (whether using SAN-based storage or otherwise). To this effect, system owners are hereby advised to notify the Infrastructure and Group (IOS) of Information Technology Services from the initial moment new systems are being planned for and architected. Failure to involve IOS in the planning process may result in unnecessary delays and/or inability to meet the request for system/storage allocation and its corresponding backup.

By default, data backups will be retained for 30 days for all systems. After that, backup data will no longer be available for retrieval.

Physical access controls implemented at the offsite backup storage location must meet or exceed the physical access controls of the source systems. Additionally backup media must be protected in accordance with the highest sensitivity level of information stored.

The sole responsibility of IOS is to make sure that the data hosted in one of its systems and/or storage repositories is backed up securely and effectively. Data and system owners will have the responsibility for verifying whether the integrity of the data being backed up is accurate.  IOS requires that data and system owners regularly test the recoverability of backed up data.  IOS will NOT be responsible for corrupt or incomplete data backups.