IT System and Data Backup and Restoration
Date of Current Revision or Creation: January 1, 2022
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to safeguard the University's information assets, prevent loss of data due to accidental deletion or corruption, and to facilitate timely restoration of information and business process should a system failure occur.
Definitions
Backup is the saving of electronic information onto digital storage media for the purpose of preventing loss of data in the event of equipment failure or destruction.
Restore is the process of bringing University information back from digital media and putting it on an online storage system when the data on the online storage system is lost or corrupted.
Standards Statement
Information technology services will provide policy-based, system level, network-based backups of essential IT systems.
Backups of all ODU records and software must be retained such that server operating systems and applications are fully recoverable, any exceptions to this policy must be approved by the system owner and the information security office. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.
Schedule of Backups
Backups are performed by authorized personnel only.
The frequency of backups and data retention requirements is determined by the application owner. Requirements are established when a new system is brought online and reviewed as needed. The volatility of data and the retention period for backup copies is determined by the criticality of the data and systems as defined in the ODU Business Impact Analysis document and set forth classification.
Unless a system supporting an application or business function requires a custom schedule, Information Technology Services will backup systems using a default schedule of full backups and subsequent incremental backups. Versions at the file level are maintained based on system requirements. Version retention and deletion policies associated with file versions are dictated by system requirements and criticality of the entire system.
System Owners must approve of a default or custom backup schedule of a system and any emergency backup and operations restoration plans.
Full backups will back up all files specified within a system's backup program, regardless of when they were last modified or backed up. Incremental backups will back up all files that have changes since the last successful incremental or full backup.
Through the use of full backups and incremental backups, backup windows (time period required to perform backups of one or more systems) will be minimized as will be the storage space (disk or tape) required to store the backed-up data.
Full system backups can be ensured prior to major upgrades to recover system in case of failures during change management. In case of virtual server environments, additional point-in-time backups are taken automatically before any scheduled operating system change management jobs. Those point-in-time backups are retained short term (48-72 hours) to allow for immediate rapid restoration.
All ODU record information accessed from workstations, laptops, or other portable devices should be stored on networked file server drives or on University cloud storage to allow for backup.
Backup Verifications
On a daily basis, logged information generated from each backup job will be reviewed for errors, monitoring of job duration, and to optimize backup performance where possible.
Operations staff will identify problems and escalate the issue to the backup system administration staff who will take corrective actions to reduce any risks associated with failed backups.
Test restores will be performed periodically and problems will be identified and corrected.
Retention Period
The retention periods of information contained within system level backups are designed for recoverability and provide information as it existed on ODU-maintained systems during the time period defined by system backup program.
Backup retention periods are different from records management retention periods for information defined by legal or business requirements.
Off-Site Storage
At a minimum, one fully recoverable version of all ODU Records must be stored in a secure, off-site location. An off-site location may be in a secure space in a separate University building, or with an off-site storage vendor, or a partner higher education institution approved by the Information Security Office.
Documentation must include the authorization and logging of deposits and withdrawals of all physical media that is stored off-site.
Recovery Test
Recovery procedures must be tested on an annual basis.
Media Management/Documentation
Backup data is stored on both disk-based and taped-based storage solutions dependent upon the nature and criticality of the data. In case of disk-based storage, a complete replica of the backed-up data is maintained in a secure off-site location. Data replication between the primary and secondary backup units is encrypted in transit as well as at rest. In the case of tape media, the media will be clearly labeled, and logs will be maintained identifying the location and content of backup media.
Backup images on assigned media (tape and disk) will be tracked throughout the retention period defined for that particular data type. When all data on the backup media have expired, the tape media will be securely re-incorporated and reused whereas in case of disk media the storage space will be reallocated and reused.
Periodically and according to the recommended lifetime defined for the backup media utilized, the operations staff will retire and dispose of media so as to avoid media failures. In case of disk-based solution, industry best practices are followed to permanently remove the data from the backup units before they are decommissioned.
Restoration Requests
In the event of accidental deletion or corruption of information, requests for restoration of information will be made to the Help Desk.
Information Technology Services will carefully verify that the request for restoration of information is authorized by the owners of the information prior to performing the restoration and ensure that the information restored is restored to a file system location with access controls appropriate to the information being restored.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University IT Policies
- IT Standard 06.1.0 IT Facilities Security Standard
- IT Standard 06.9.0 Data Center Operations Standard
- IT Standard 07.1.0 Business Impact Analysis Standard
- Operations SharePoint Site - OpsProcedureManual
- Old Dominion University Data Backup Platform Process
- Tape Library Procedures
History
|
Date |
Responsible Party |
Action |
|
October 2006 |
OCCS |
Created |
|
October 2007 |
ITAC/CIO |
Reaffirmed |
|
October 2008 |
ITAC/CIO |
Reaffirmed |
|
October 2009 |
ITAC/CIO |
Reaffirmed |
|
October 2010 |
ITAC/CIO |
Reaffirmed |
|
October 2011 |
ITAC/CIO |
Reaffirmed |
|
October 2012 |
ITAC/CIO |
Reaffirmed |
| August 2013 | IT Policy Office | Content updated; Updated for clarity; Numbering revision; departmental name revision |
| January 2015 | IT Policy Office | Updated to reflect current processes |
| Decemer 2018 | IT Policy Office | Definitions and links checked and revised |
| January 2022 | IT Policy Office | Definitions and links checked and revised; minor updates |