Information Technology Standard 06.10.0

IT System and Data Backup and Restoration


Date of Current Revision or Creation: January 1, 2022


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to safeguard the University's information assets, prevent loss of data due to accidental deletion or corruption, and to facilitate timely restoration of information and business process should a system failure occur.

Definitions

Backup is the saving of electronic information onto digital storage media for the purpose of preventing loss of data in the event of equipment failure or destruction.

Restore is the process of bringing University information back from digital media and putting it on an online storage system when the data on the online storage system is lost or corrupted.

Standards Statement

Information technology services will provide policy-based, system level, network-based backups of essential IT systems.

Backups of all ODU records and software must be retained such that server operating systems and applications are fully recoverable, any exceptions to this policy must be approved by the system owner and the information security office. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.

Schedule of Backups

Backups are performed by authorized personnel only.

The frequency of backups and data retention requirements is determined by the application owner. Requirements are established when a new system is brought online and reviewed as needed. The volatility of data and the retention period for backup copies is determined by the criticality of the data and systems as defined in the ODU Business Impact Analysis document and set forth classification.

Unless a system supporting an application or business function requires a custom schedule, Information Technology Services will backup systems using a default schedule of full backups and subsequent incremental backups. Versions at the file level are maintained based on system requirements. Version retention and deletion policies associated with file versions are dictated by system requirements and criticality of the entire system.

System Owners must approve of a default or custom backup schedule of a system and any emergency backup and operations restoration plans.

Full backups will back up all files specified within a system's backup program, regardless of when they were last modified or backed up. Incremental backups will back up all files that have changes since the last successful incremental or full backup.

Through the use of full backups and incremental backups, backup windows (time period required to perform backups of one or more systems) will be minimized as will be the storage space (disk or tape) required to store the backed-up data.

Full system backups can be ensured prior to major upgrades to recover system in case of failures during change management. In case of virtual server environments, additional point-in-time backups are taken automatically before any scheduled operating system change management jobs. Those point-in-time backups are retained short term (48-72 hours) to allow for immediate rapid restoration.

All ODU record information accessed from workstations, laptops, or other portable devices should be stored on networked file server drives or on University cloud storage to allow for backup.

Backup Verifications

On a daily basis, logged information generated from each backup job will be reviewed for errors, monitoring of job duration, and to optimize backup performance where possible.

Operations staff will identify problems and escalate the issue to the backup system administration staff who will take corrective actions to reduce any risks associated with failed backups.

Test restores will be performed periodically and problems will be identified and corrected.

Retention Period

The retention periods of information contained within system level backups are designed for recoverability and provide information as it existed on ODU-maintained systems during the time period defined by system backup program.

Backup retention periods are different from records management retention periods for information defined by legal or business requirements.

Off-Site Storage

At a minimum, one fully recoverable version of all ODU Records must be stored in a secure, off-site location. An off-site location may be in a secure space in a separate University building, or with an off-site storage vendor, or a partner higher education institution approved by the Information Security Office.

Documentation must include the authorization and logging of deposits and withdrawals of all physical media that is stored off-site.

Recovery Test

Recovery procedures must be tested on an annual basis.

Media Management/Documentation

Backup data is stored on both disk-based and taped-based storage solutions dependent upon the nature and criticality of the data. In case of disk-based storage, a complete replica of the backed-up data is maintained in a secure off-site location. Data replication between the primary and secondary backup units is encrypted in transit as well as at rest. In the case of tape media, the media will be clearly labeled, and logs will be maintained identifying the location and content of backup media.

Backup images on assigned media (tape and disk) will be tracked throughout the retention period defined for that particular data type. When all data on the backup media have expired, the tape media will be securely re-incorporated and reused whereas in case of disk media the storage space will be reallocated and reused.

Periodically and according to the recommended lifetime defined for the backup media utilized, the operations staff will retire and dispose of media so as to avoid media failures. In case of disk-based solution, industry best practices are followed to permanently remove the data from the backup units before they are decommissioned.

Restoration Requests

In the event of accidental deletion or corruption of information, requests for restoration of information will be made to the Help Desk.

Information Technology Services will carefully verify that the request for restoration of information is authorized by the owners of the information prior to performing the restoration and ensure that the information restored is restored to a file system location with access controls appropriate to the information being restored.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2006

OCCS

Created

October 2007

ITAC/CIO

Reaffirmed

October 2008

ITAC/CIO

Reaffirmed

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

October 2012

ITAC/CIO

Reaffirmed

August 2013 IT Policy Office Content updated; Updated for clarity; Numbering revision; departmental name revision
January 2015 IT Policy Office Updated to reflect current processes
Decemer 2018 IT Policy Office Definitions and links checked and revised
January 2022 IT Policy Office Definitions and links checked and revised; minor updates