
IT Data Backup Policy

Applies to: Florida Tech Campus

Original Policy Date: August 2024

Date of Last Review: August 2024

Approved by: Dr. John Nicklow, President

Policy Owner: Chief Information Officer (CIO)

Policy Purpose

Data backup is essential for comprehensive disaster recovery planning. It safeguards against data loss due to physical disasters, data corruption, resilient system error propagation, hardware or software failures, and other incidents that may jeopardize data integrity. The backup requirements outlined in this policy are designed to ensure that business operations, teaching and learning activities, research projects, and university functions can be resumed promptly, based on criticality, with minimal data loss.

Policy Scope

This Data Backup Policy applies to:

  • IT infrastructure and other services facilitating Information Systems.
  • Cloud or Third-Party hosted infrastructure and other services facilitating Information Systems.
  • Information Systems processing or storing Florida Institute of Technology (Florida Tech) data, including desktop devices and workstations.
  • Processes, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems, and applications critical to Florida Tech after a disaster or outage.
  • Colleges, departments, units, or research projects maintaining or responsible for Unit-Critical systems or data.

Policy Statement

The Backup Administrator(s) are responsible for ensuring the secure backup of data according to the procedures outlined in this policy. This includes maintaining alignment with the IT Disaster Recovery Plan and ensuring that backup and recovery practices support business continuity and minimize data loss.

Definitions

  • Information System: Includes all devices capable of receiving email, browsing websites, or managing data, such as servers, network infrastructure, computers, tablets, and more.
  • Essential IT Service: Systems critical to the University, integral to the IT Disaster Recovery Plan, including infrastructure supporting University operations.
  • Mission Critical Service: Systems critical to University missions included in the IT Disaster Recovery Plan.
  • Unit Critical Service: Systems critical to colleges, units, centers, institutes, or departments included in departmental IT Disaster Recovery Plans.
  • Non-Critical IT Service: Services with a Recovery Time Objective (RTO) of three (3) days or more, deemed non-essential.
  • Record: Defined under Florida Statutes as various forms of documents, books, papers, electronic mail, and more.
  • Recovery Time Objective (RTO): Maximum allowable downtime for IT system or service recovery.
  • Recovery Point Objective (RPO): Acceptable data loss timeframe.

Procedure

Backup controls encompass procedures for implementing, monitoring, protecting, and testing backup and recovery procedures for IT systems and services, including user-level, system-level, and security-related documentation.

  • Document backup and recovery processes, including off-site storage, reviewed during required IT Disaster Recovery Plan tests or as needed for system changes.
  • Back up data stored or processed based on relevant Business Impact Analysis schedules.
  • Encrypt backups.
  • Determine backup frequency and scope based on business impact analysis and Recovery Point Objective (RPO).
  • Ensure physical access controls at off-site backup storage meet or exceed those of original sites.
  • Test backup and recovery procedures per the following schedule:
    • Essential IT systems or services: Every two (2) years
    • Mission-Critical or Unit-Critical IT systems or services: Every three (3) years
    • Non-Critical IT systems or services: Every five (5) years
  • Inventory and reconcile electronically backed-up systems or services annually against business impact analysis and RPO.
  • Conduct Security Assessments for all backup software or technology per the IT Cybersecurity Policy.

Roles and Responsibilities

Backup Administrator(s)

  • Responsible for the overall procurement, development, integration, modification, and operation of Information Systems.
  • Maintain resilient infrastructure and document backup and restoration processes for essential and mission-critical data and associated IT systems.
  • Maintain a backup job inventory and align with Recovery Point Objective (RPO) requirements.
  • Conduct annual tests of backup and recovery procedures.
  • Report on backup and restoration process documentation status to IT GRC as part of security assessments.

Enforcement

Violations of this policy may result in disciplinary action, including termination of access privileges. Non-compliance may also lead to legal or regulatory penalties. 
