Backup and Encrypt Data: Fillable template and example

Fillable template: Backup and recovery plan DOCX, 99 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Backup and recovery plan DOCX, 530 KB

Examples provide sample text to help learners complete a template.

[Organization name]

Backup and recovery plan

Disclaimer
Instructions: Cybersecure Canada has developed this template for your use in relation to certification requirements for the backup and encrypt data security control area. It provides guidance as to how information can be organized and documented for certification. Cybersecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.

Backup policy

Revision history

[Instructions: it is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.]

This backup and recovery plan has been modified as follows:

| Date | Version | Modification | Modifier |
|---|---|---|---|
| 2021-01-01 | 1.0 | Plan created | Dylan Smith |

Scope

[Instructions: identify who in your organization will be responsible for the execution of this policy.

Identify which systems are to be included in this policy.

Insert your scope statement or if appropriate, use the provided example.]

This policy shall apply to all identified organization systems, data, and information systems at [organization name].

Backup

[Instructions: determine which information in your organization is essential or non-essential. Factors to take into consideration include your business type, size, sector, customer requirements, industry regulations, etc.

Insert your backup statements below or if appropriate, use the examples provided.]

  1. All systems at [organization name] containing essential business information are identified.
  2. Essential systems will have both onsite and offsite backup. Exceptions are permitted with documented justifications. Non-essential systems may also be backed up.
  3. Essential systems have offline backups. Exceptions are permitted with documented justifications.
  4. Essential systems shall be restorable within [x] business days. Non-essential systems shall be restorable within [x] business days.
  5. All backups and recovery processes are tested and verified [frequency].
  6. Access is restricted solely to the individuals responsible for backup, testing, or restoration activities.

Encryption

[Instructions: determine how encryption will be applied to your backup activities.

Insert your enforcement statements below or if appropriate, use the example provided.]

All backups, whether onsite, offsite, or offline, are stored in an encrypted state.

Enforcement

[Instructions: determine who in your organization will be responsible for the implementation of the backup plan.

Insert your enforcement statements below or use the example provided.]

It is the responsibility of [organization name or IT team] to ensure the requirements outlined above are implemented. They are the sole personnel permitted to access, restore, test, and manage company backups.

Identify business information and systems

[Instructions:

  1. Identify and list business data and information systems essential to the organization. Use the table below if preferred.
  2. Identify non-essential systems, information and data repositories which should be included in your backup schedule and plan.
  3. Determine backup locations and frequency, verify against minimum requirements as outlined in the policy section.]

Note: sample text is provided for reference

Hardware/information and data repositories

| Id | Device type | Model | Owner | Backup sources | Onsite backup | Offsite backup | Offline backup | Essential? (y/n) |
|---|---|---|---|---|---|---|---|---|
| 1 | Laptop | Latitude 7410 | John Doe | C:\users | \\nas\backup nightly | OneDrive weekly | Monthly | Y |
| 2 | Laptop2 | MacBook Air 2020 | John Doe | /users | \\nas\backup nightly | OneDrive weekly | Western Digital HDD monthly | Y |

Software

| Id | Vendor | Software and version | Owner | Backup sources | Onsite backup | Offsite backup | Offline backup | Essential? (y/n) |
|---|---|---|---|---|---|---|---|---|
| 1 | Kaspersky | Total Security 2021 | John Doe | Config.ini | None, downloadable | None, downloadable | Bu-mec3 | N |
| 3 | Intuit | QuickBooks Payroll | John Doe | Company.qbm | Bu-mec1 | Bu-mec2 | Bu-mec3 | Y |
| 4 | Microsoft | Office 365 | John Doe | Onedrive\exec, onedrive\finance | Bu-mec1 | Bu-mec2 | Bu-mec3 | N |

Establish key backup details

[Instructions: for the systems identified above, identify key backup details (consult with technical experts as necessary). Below are some examples for guidance.]

Backup location and frequency

| Id | Location | Backup device | Backup type | Frequency | Levels & retention | Encryption mechanism | Data compression |
|---|---|---|---|---|---|---|---|
| \\nas\backup | Head office | NAS | Onsite | Nightly, 1 a.m.; automated | Keep seven days of backup. Purge everything older than seven days. Within the seven-day backup, execute one full backup and six incremental backups. | Encrypted storage device. | No |
| OneDrive | O365 cloud | Cloud | Offsite | Every Sun., 4 a.m.; automated | Keep four most current weeks of full weekly backups. Purge everything older than four weeks. | Generations are encrypted. | Compressed prior to uploading to OneDrive. |
| Offline – storage facility | 111 Avenue Drive | External HD | Offline | First of every month at 1 a.m. | Keep 12 most current months of full backups for seven years. Purge all backups older than seven years. | Encrypted storage device. Generations are encrypted. | Compressed prior to storing to WD drive. |

Identify exceptions

[Instructions: document any exceptions and include the justification.]

Essential systems backup exceptions

| System | Exception | Justification |
|---|---|---|
|  |  |  |

Access restriction

[Instructions: determine how access will be restricted for the systems (hardware and software) and backup locations identified in this plan.]

Access restrictions

| System | Restrictions |
|---|---|
|  |  |

Event recovery process

[Instructions: outline your event recovery process(es) and use of organization backups (for example, how will your organization respond to a ransomware attack while using the backups).]

[Person or role] will coordinate with the [organization name] incident response team and any consultants to provide access to offline and online backups as necessary.