Backups of data are created, protected, maintained, and tested
Backups are the last line of defense against ransomware, accidental deletion, and data corruption. An untested backup is not a backup: it is a hope. Organizations that only discover their backup process is broken when they need to restore are learning the lesson at the worst possible time. Regular backup testing is what separates organizations that survive ransomware from those that pay the ransom.
Implementation steps
- 1
Define backup scope, frequency, and retention
Document what data must be backed up (at minimum: production databases, critical configuration files, customer data), how frequently (typically daily for critical data, weekly for less critical), and how long backups are retained (typically 30 days of daily plus monthly backups going back a year). The schedule should match your recovery point objective (RPO).
aws-s3gcsveeambackblazeacronis - 2
Protect backups from the primary system
Backups that are accessible from the systems they back up can be encrypted by ransomware. Keep at least one backup copy in a separate account, separate region, or offline. Use immutable storage (object lock in S3, WORM) for critical backups. Limit who can delete backups and require MFA for deletion of protected backups.
aws-s3gcsazure-backupveeam - 3
Test restore capability at least quarterly
Regularly test that backups can actually be restored. At a minimum, restore a sample of data each quarter to a test environment and verify it is complete and usable. For critical systems, test a full restore annually and document the time taken to restore, confirming it meets your recovery time objective (RTO).
aws-s3veeamacronis
Evidence required
Backup configuration and schedule
Documentation of what is backed up, how frequently, and how long backups are retained.
- · Backup policy document with scope, frequency, and retention table
- · Cloud backup configuration screenshots showing schedule and retention
- · Veeam or equivalent backup job configuration
Backup restoration test records
Records of actual restore tests confirming that backups can be successfully recovered.
- · Quarterly restore test log showing data verified in test environment
- · Annual disaster recovery test report including restore time
- · Backup monitoring dashboard showing successful backup jobs and last verified restore
Related controls
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Technology Infrastructure Resilience
The confidentiality, integrity, and availability of data-at-rest are protected
Data Security
The confidentiality, integrity, and availability of data-in-transit are protected
Data Security
Data are destroyed according to policy when no longer needed
Data Security