A.12.3 Resolver Corporate BackUp & Restore Policy

1. Purpose, scope, and users

The purpose of this policy is to ensure that backup copies are created at defined intervals and regularly tested.

This document applies to the entire Information Security Management System (ISMS) scope, and to all personal data processing activities.

Users of this document are employees of IT and DevOps departments.

2. Reference documents

  • ISO/IEC 27001:2013 standard, control A.12.3.1
  • EU GDPR Article 32
  • Information Security Policy

3. Introduction

The Resolver corporate backup and recovery policy defines the objectives, accountability, and application of backup and recovery of data held in the technology environment of all Resolver company departments.

4. Goals

The main goals of this policy are:

  • To define and apply a clear backup and restore standard for all corporate information systems.
  • To define backup and recovery standards as per data prioritization.
  • To prevent the loss of data in the case of accidental deletion or corruption of data, system failure, or disaster.
  • To permit timely restoration of information and business processes when such events occur.
  • To manage secure backup and restoration processes and the media employed in the process.
  • To set the retention periods of information contained within system-level backups designed for recoverability and provide a point-in-time snapshot of information as it existed during the time period defined by system backup policies.

Services and controls to which this policy applies:

  • Corporate file services:
    • Resolver’s Sensitive / Confidential corporate data.
    • Resolver’s Sensitive / Confidential customer data.
  • Corporate source control services:
    • Resolver’s intellectual property data.
  • Corporate configuration files:
    • Network device configuration files (e.g., WiFi Router, WiFi Access Points, Corporate Firewall, Managed Switches, Routers).
  • Corporate internal services:
    • Critical services configurations.
    • Critical resources’ OS system states.
  • Customers’ production applications:
    • Resolver’s hosted application production deployments serving customers’ needs and holding customers’ data.

5. Principle

The following principles direct this policy:

  • Performing proper backup, storage, and handling of data is necessary for all departments to achieve their objectives.
  • Staff must accurately follow the policy and protect the availability, confidentiality, and integrity of data.

6. Policy

6.1. Data must be protected by regular backups.

The appropriate team must perform backups for the data it is responsible for protecting:

  • DevOps Team: customers’ data and production environment configuration settings.
  • Corporate IT: internal resources.

6.2. Exceptions to the standard process must be approved by the CISO.

6.3. All backup data must be stored encrypted with the AES-256 symmetric encryption algorithm.

6.4. Backup copies must be stored in an environmentally-protected and access-controlled secure location offsite from the location of the originating asset.

Stored copies must be stored with a short description that includes the following information:

  • Backup date / Resource name / type of backup method (Full/Incremental)

6.5. Stored copies of data must be made available upon authorized request.

The request for stored data must be approved by an authorized person nominated by a Director/Manager in the appropriate department.

Requests for stored data must include:

  • A completed form that outlines the specifics of the request, including what copy is being requested, where and when the requester would like it delivered, and why they are requesting the copy.
  • Acknowledgment that the backup copy will be returned or destroyed promptly upon completion of its use.
  • Submission of a return receipt as evidence that the backup copy has been returned.

6.6. The Infrastructure Operator shall develop procedures for the handling and storage of information to prevent unauthorized disclosure, misuse, or loss.

6.7. A record of physical and logical movements of backup media must be maintained.

This includes the following information:

  • All identification information relating to the requested copies.
  • Purpose of the request.
  • Information about the person requesting the copy.
  • Authorization for the request.
  • Where the copy will be held while it is out of storage.
  • When the copy was released from storage.
  • When the copy will be returned to storage.

6.8. Special controls must be used to protect sensitive or critical information.

Where special controls are required, i.e. to protect sensitive or critical information, the following should be considered:

  • Use of a secured container(s).
  • Hand delivery of the backup.
  • Tamper-evident packaging.
  • In extreme cases, the delivery should be split and dispatched by separate routes.

Backup copies must be maintained in accordance with Resolver’s Retention and Disposal Schedule for backup copies, or as stipulated by specific customer requirements.

The schedule will determine the status of the information, as to whether it can be disposed of, cycled back into production, or remain in archive storage.

6.9. All backup media must be appropriately disposed of.

Prior to retirement and disposal, IT will ensure that:

  • The media no longer contains active-backup images.
  • The media’s current or former contents cannot be read or recovered by an unauthorized party.
  • With all backup media, IT will ensure the physical destruction of media prior to

6.10. Backup copies should periodically be tested for recovery capability.

All relevant department backups should be verified periodically, and a report should be created on the ability to recover data (relevant for Logical/Cloud-based backup procedure).

On a quarterly basis, log information generated from each backup job will be reviewed for the following purposes:

  • To check for and correct errors.
  • To monitor the duration of the backup job.
  • To optimize backup performance where possible.

IT and DevOps teams will identify problems and take corrective action to reduce any risks associated with failed backups.

  • Random test restores will be done once every 6 months in order to verify that backups have been successful.
  • IT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

Every quarter, the Backup Operators shall report on their ability to recover data (relevant for physical storage media).

The ability to recover data shall be measured by:

  • Ability to retrieve backup media sample (copies).
  • A backup recovery exercise.

The ability to recover data shall be reported to the departments via the quarterly Directors reporting process.

7. Responsibilities and frequency schedule

7.1. Corporate IT Department

The corporate IT Department is responsible for backing up internally-hosted corporate information systems. The department should maintain the following backup schedule:

  • Network file shares:
    • Weekly Full backup
    • Daily Incremental backup
  • Source control:
    • Weekly Full backup
    • Daily Incremental backup
  • Configuration files:
    • Monthly Full backup
    • Relevant backup initiated by configuration changes.
  • Internal services and data (license server, etc.):
    • Weekly Full backup
    • Daily Incremental backup

7.2. DevOps Team

The DevOps Team is responsible for backing up all Customer production environments. The DevOps Team should maintain the following backup schedule:

  • CORE Production
    • Backed up via AWS RDS’s Automated Backups.
    • Backup retention period of 31 days.
    • Amazon RDS automated backup provides an ability to restore to any point in time during your backup retention period up to 15 minutes ago.
  • Perspective Production
    • Hourly DB transaction log backup.
    • Nightly EBS Volume Snapshot.
    • Weekly Full backup saved on EBS volume (local disk).
    • Weekly on-disk backups have a retention period of 1 week.
    • Effectively, the combined backup retention period is 31 days.
  • GRC Cloud Production
    • Hourly DB transaction log backup.
    • Nightly EBS Volume Snapshot.
    • Weekly Full backup saved on EBS volume (local disk).
    • Weekly on-disk backups have a retention period of 1 week.
    • Effectively, the combined backup retention period is 31 days.
  • RiskVision Production
    • Daily Full backup.
    • The backup retention period is 14 days.
  • GAL Production
    • Weekly Full backup.
    • Hourly DB transaction log backup.
    • Effectively, the combined backup retention period is 14 days.

7.3. Employees

All Resolver employees are responsible for storing corporate data in the cloud (Box) or on network resources approved by the IT Department.

Employees are to ensure that no corporate data is stored exclusively on their local machines.

8. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of unsuccessful backup tests.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.