Carnegie Mellon University

Guidelines for Data Protection - Disaster Recovery

Disaster Recovery

The following tables define baseline controls for protecting the availability of Institutional Data and ensuring the continuity of business operations during an unplanned event. The extent to which business continuity and disaster planning controls are implemented should be based on an analysis of the business impact should a particular data set become unavailable.  Available human and financial resources will also go into the decision making process. If there is little or no impact to the University should a particular data set become unavailable, the backup and recovery strategy may be to accept the risk of not having backups.  The appropriate Data Steward should be involved in any decision to not backup Institutional Data.  If such a strategy is approved, some of the controls below may not be applicable.  It is also important to note that backup copies of institutional data should retain the same classification as their production copy.

Disaster Recovery Planning

ID Control Public Private Restricted
DR-1 A disaster recovery plan is documented Recommended Recommended Required
DR-2 Disaster recovery plans are periodically tested Recommended Recommended Required

Backup and Recovery Controls

ID Control Public Private Restricted
DR-3 A backup and recovery strategy for Institutional Data is documented Required Required Required
DR-4 Backup and recovery procedures are documented and followed Required Required Required
DR-5 Backup and recovery procedures are periodically tested Recommended Recommended Recommended
DR-6 Backup copies of data are accurately inventoried Required Required Required
DR-7 Content and physical location of removable backup media is tracked Required Required Required
DR-8 Removable backup media is periodically validated Recommended Recommended Recommended
DR-9 Backup copies of data are stored in a secondary location that is not in close proximity to the primary location (e.g. secondary datacenter, third-party storage site, etc.) Recommended Recommended Recommended