Corporate BackUp & Restore Policy

1. Purpose, scope, and users

This policy aims to ensure that backup copies are created at defined intervals and regularly tested.

This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.

Users of this document are employees of the IT and DevOps departments.

2. Reference documents

  • ISO/IEC 27001:2013 standard, control A.12.3.1
  • ISO/IEC 27701:2019 standard, control 6.9.3.1
  • EU GDPR Article 32
  • Information Security Policy

3. Introduction

The Resolver corporate backup and recovery policy defines the objectives, accountability, and application of backup and recovery for data held in the technology environment of all Resolver company departments.

4. Goals

The main goals of this policy are:

  • To define and apply a clear backup and restore standard for all corporate information systems.
  • To define backup and recovery standards as per data prioritization.
  • To prevent data loss in the case of accidental deletion or corruption of data, system failure, or disaster.
  • To permit timely restoration of information and business processes when such events occur.
  • To manage secure backup and restoration processes and the media employed in the process.
  • To set the retention periods of information contained within system-level backups designed for recoverability and provide a point-in-time snapshot of information as it existed during the time period defined by system backup policies.

Services and controls to which this policy applies:

  • Corporate file services:
    • Resolver’s Sensitive / Confidential corporate data.
    • Resolver’s Sensitive / Confidential customer data.
  • Corporate source control services:
    • Resolver’s intellectual property data.
  • Corporate configuration files:
    • Network device configuration files (e.g., WiFi Router, WiFi Access Points, Corporate Firewall, Managed Switches, Routers.)
  • Corporate internal services:
    • Critical services configurations.
    • Critical resources' OS system states.
  • Customers’ production applications:
    • Resolver’s hosted application production deployments that serve customers’ needs and hold customers’ data.

5. Principle

The following principles direct this policy:

  • Proper backup, storage, and data handling are necessary for all departments to achieve their objectives.
  • Staff must accurately follow the policy and protect data availability, confidentiality, and integrity.

6. Policy

6.1. Data must be protected by regular backups.

The appropriate team must perform backups for data they are responsible for protecting:

  • DevOps Team: customers’ data and production environment configuration settings.
  • Corporate IT: internal resources.

To protect customer data from unforeseen emergency circumstances or disaster, Resolver uses highly available storage for data backup:

Amazon S3 (https://aws.amazon.com/s3/), which provides unmatched durability (99.999999999%), availability, and scalability.

The backup data is stored in an Amazon S3 bucket in the same AWS Region as the primary database.

By default, Amazon S3 redundantly stores data across multiple devices across a minimum of three Availability Zones (AZs) in an Amazon S3 Region.

For more information, please refer to: https://aws.amazon.com/s3/faqs/#Durability_.26_Data_Protection

6.2. Exceptions to the standard process must be approved by the CISO.

6.3. All backup data must be stored encrypted with the AES-256 symmetric encryption algorithm.

6.4. Backup copies must be stored in an environmentally protected and access-controlled secure location offsite from the location of the originating asset.

Stored copies must be stored with a short description that includes the following information:

  • Backup date / Resource name / Type of backup method (Full/Incremental)

6.5. Stored copies of data must be made available upon authorized request.

The request for stored data must be approved by an authorized person nominated by a Director/Manager in the appropriate department.

Requests for stored data must include:

  • A completed form outlining the specifics of the request, including what copy is being requested, where and when the requester would like it delivered, and why they are requesting the copy.
  • Acknowledgment that the backup copy will be returned or destroyed promptly upon completion of its use.
  • Submission of a return receipt as evidence that the backup copy has been returned.

6.6. The Infrastructure Operator shall develop procedures for the handling and storage of information to prevent unauthorized disclosure, misuse, or loss.

6.7. A record of physical and logical movements of backup media must be maintained.

This includes the following information:

  • All identification information relating to the requested copies.
  • Purpose of the request.
  • Information about the person requesting the copy.
  • Authorization for the request.
  • Where the copy will be held while it is out of storage.
  • When the copy was released from storage.
  • When the copy will be returned to storage.

6.8. Special controls must be used to protect sensitive or critical information.

Where special controls are required, i.e., to protect sensitive or critical information, the following should be considered:

  • Use of a secured container(s).
  • Hand delivery of the backup.
  • Tamper-evident packaging.
  • In extreme cases, the delivery should be split and dispatched by separate routes.

Backup copies must be maintained in accordance with Resolver’s Retention and Disposal Schedule for backup copies or as stipulated by specific customer requirements.

The schedule will determine the status of the information and whether it can be disposed of, cycled back into production, or remain in archive storage.

6.9. All backup media must be appropriately disposed of.

Prior to retirement and disposal, IT will ensure that:

  • The media no longer contains active backup images.
  • An unauthorized party cannot read or recover the media’s current or former contents.
  • All backup media is physically destroyed prior to disposal.

6.10. Backup copies should periodically be tested for recovery capability.

All relevant department backups should be verified periodically, and a report should be created on the ability to recover data from them (relevant for logical/cloud-based backup procedures).

On a semi-annual basis, log information generated from each backup job will be reviewed for the following purposes:

  • To check for and correct errors.
  • To monitor the duration of the backup job.
  • To optimize backup performance where possible.

IT and DevOps teams will identify problems and take corrective action to reduce any risks associated with failed backups.

  • Random test restores will be done once every 6 months in order to verify that backups have been successful.
  • IT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

The Backup Operators shall report on their ability to recover data (relevant for physical storage media) every six months.

The ability to recover data shall be measured by:

  • Ability to retrieve backup media samples (copies).
  • A backup recovery exercise.

The ability to recover data shall be reported to the departments via the semi-annual Directors' reporting process.

6.11. Ensuring the effectiveness of backup processes

The effectiveness of backup processes shall be evaluated annually, and any resulting updates to the backup processes shall be implemented.

7. Responsibilities and frequency schedule

7.1. Corporate IT Department

The corporate IT Department is responsible for backing up internally-hosted corporate information systems. The department should maintain the following backup schedule:

  • Network file shares:
    • Weekly Full backup
    • Daily Incremental backup
  • Source control:
    • Weekly Full backup
    • Daily Incremental backup
  • Configuration files:
    • Monthly Full backup
    • Relevant backup initiated by configuration changes.
  • Internal services and data (license server, etc.):
    • Weekly Full backup
    • Daily Incremental backup

7.2. DevOps Team

The DevOps Team is responsible for backing up all Customer production environments. DevOps Team should maintain the following backup schedule:

  • CORE Production
    • Backed up via AWS RDS’s Automated Backups.
    • Backup retention period of 31 days.
    • Amazon RDS automated backups provide the ability to restore to any point in time within the backup retention period, up to 15 minutes ago.
  • Perspective Production
    • Hourly DB transaction log backup.
    • Nightly EBS Volume Snapshot.
    • Weekly Full backup saved on EBS volume (local disk).
    • Weekly on-disk backup retention period: 1 week.
    • Effectively, the combined backup retention period is 31 days.
  • GRC Cloud Production
    • Hourly DB transaction log backup.
    • Nightly EBS Volume Snapshot.
    • Weekly Full backup saved on EBS volume (local disk).
    • Weekly on-disk backup retention period: 1 week.
    • Effectively, the combined backup retention period is 31 days.
  • RiskVision Production
    • Daily Full backup.
    • The backup retention period is 14 days.
  • GAL Production
    • Weekly Full backup.
    • Hourly DB transaction log backup.
    • Effectively, the combined backup retention period is 14 days.

7.3. Employees

All Resolver employees are responsible for storing corporate data in the cloud (Box) or on network resources approved by the IT Department.

Employees must ensure no corporate data is stored exclusively on their local machines.

8. Validity and document management

This document is valid as of August 2023.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of unsuccessful backup tests.

EFFECTIVE ON: August 2023

REVIEW CYCLE: At least annually and as needed