Backup and Encrypt Data: Fillable template and example

From: Innovation, Science and Economic Development Canada

Fillable template: Backup and recovery plan DOCX, 99 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Backup and recovery plan DOCX, 530 KB

Examples provide sample text to help learners complete a template.

[Organization name]

Backup and recovery plan

Disclaimer
Instructions: Cybersecure Canada has developed this template for your use in relation to certification requirements for the backup and encrypt data security control area. It provides guidance as to how information can be organized and documented for certification. Cybersecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.

Backup policy

Revision history

Instructions: it is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.]

This backup and recovery plan has been modified as follows:

Date	Version	Modification	Modifier
2021-01-01	1.0	Plan created	Dylan smith

Scope

[instructions: identify who in your organization will be responsible for the execution of this policy.

Identify which systems to be included in this policy.

Insert your scope statement or if appropriate, use the provided example.]

This policy shall apply to all identified organization systems, data, and information systems at [organization name].

Backup

Instructions: determine which information in your organization is essential or non-essential. Factors to take into consideration include your business type, size, sector, customer requirements, industry regulations, etc.

Insert your backup statements below or if appropriate, use the examples provided.]

All systems at [organization name] containing essential business information are identified.
Essential systems will have both onsite and offsite backup. Exceptions are permitted with documented justifications. Non-essential systems may also be backed up.
Essential systems have offline backups. Exceptions are permitted with documented justifications.
Essential systems shall be restorable within [x] business days. Non-essential systems shall be restorable within [x] business days.
All backups and recovery processes are tested and verified [frequency].
Access is restricted solely to the individuals responsible for backup, testing, or restoration activities.

Encryption

Instructions: determine how encryption will be applied to your backup activities.

Insert your enforcement statements below or if appropriate, use the example provided.]

All backups, whether onsite, offsite, or offline are stored in an encrypted state.

Enforcement

Instructions: determine who in your organization will be responsible for the implementation of the backup plan.

Insert your enforcement statements below or use the example provided.]

It is the responsibility of [organization name or it team] to ensure the requirements outlined above are implemented. They are the sole personnel permitted to access, restore, test, and manage company backups

Identify business information and systems

Instructions:

Identify and list business data and information systems essential to the organization. Use the table below if preferred.
Identify non-essential systems, information and data repositories which should be included in your backup schedule and plan.
Determine backup locations and frequency, verify against minimum requirements as outlined in the policy section.]

Note: sample text is provided for reference

Hardware/information and data repositories

Id	Device type	Model	Owner	Backup sources	Onsite backup	Offsite backup	Offline backup	Essential? (y/n)
1	Laptop	Latitude 7410	John doe	C:\users	\\nas\backup nightly	Onedrive Weekly	Monthly	Y
2	Laptop2	Macbook air 2020	John doe	/users	\\nas\backup nightly	Onedrive Weekly	Western digital hdd Monthly	Y

Software

Id	Vendor	Software and version	Owner	Backup sources	Onsite backup	Offsite backup	Offline backup	Essential? (y/n)
1	Kaspersky	Total security 2021	John doe	Config.ini	None downloadable	None Downloadable	Bu-mec3	N
3	Intuit	Quickbooks payroll	John doe	Company.qbm	Bu-mec1	Bu-mec2	Bu-mec3	Y
4	Microsoft	Office 365	John doe	Onedrive\exec onedrive\finance	Bu-mec1	Bu-mec2	Bu-mec3	N

Establish key backup details

Instructions: for the systems identified above, identify key backup details (consult with technical experts as necessary). Below are some examples for guidance.]

Backup location and frequency

Id	Location	Backup device	Backup type	Frequency	Levels & retention	Encryption mechanism	Data compression
	\\nas\backup head office	Nas	Onsite	Nightly 1a.m. Automated	Keep seven days of backup. Purge everything older than seven days. Within the seven-day backup, execute one full backup and six incremental backups.	Encrypted storage device.	No
	Onedrive o365 cloud	Cloud	Offsite	Every sun 4a.m. Automated	Keep four most current weeks of full weekly backups. Purge everything older than four weeks.	Generations are encrypted	Compressed prior to uploading to onedrive
	Offline – storage facility 111 avenue drive	External hd	Offline	First of every month at 1a.m.	Keep 12 most current months of full backups for seven years. Purge all backups older than seven years.	Encrypted storage device. Generations are encrypted	Compressed prior to storing to wd drive.

Identify exceptions

Instructions: document any exceptions and include the justification.]

Essential systems backup exceptions

System

Exception

Justification

Access restriction

Instructions: determine how access will be restricted for the systems (hardware and software) and back up locations identified in this plan.]

Access restrictions