Guidelines for Data Protection - Disaster Recovery
Disaster Recovery
The following tables define baseline controls for protecting the availability of Institutional Data and ensuring the continuity of business operations during an unplanned event. The extent to which business continuity and disaster planning controls are implemented should be based on an analysis of the business impact should a particular data set become unavailable. Available human and financial resources will also factor into the decision-making process. If there is little or no impact to the University should a particular data set become unavailable, the backup and recovery strategy may be to accept the risk of not having backups. The appropriate Data Steward should be involved in any decision not to back up Institutional Data. If such a strategy is approved, some of the controls below may not be applicable. It is also important to note that backup copies of Institutional Data should retain the same classification as their production copy.
Disaster Recovery Planning
| ID | Control | Public | Private | Restricted |
|------|---------|--------|---------|------------|
| DR-1 | A disaster recovery plan is documented | Recommended | Recommended | Required |
| DR-2 | Disaster recovery plans are periodically tested | Recommended | Recommended | Required |
Backup and Recovery Controls
| ID | Control | Public | Private | Restricted |
|------|---------|--------|---------|------------|
| DR-3 | A backup and recovery strategy for Institutional Data is documented | Required | Required | Required |
| DR-4 | Backup and recovery procedures are documented and followed | Required | Required | Required |
| DR-5 | Backup and recovery procedures are periodically tested | Recommended | Recommended | Recommended |
| DR-6 | Backup copies of data are accurately inventoried | Required | Required | Required |
| DR-7 | Content and physical location of removable backup media is tracked | Required | Required | Required |
| DR-8 | Removable backup media is periodically validated | Recommended | Recommended | Recommended |
| DR-9 | Backup copies of data are stored in a secondary location that is not in close proximity to the primary location (e.g. secondary datacenter, third-party storage site, etc.) | Recommended | Recommended | Recommended |