IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 6.33 Development of a data backup policy
Initiation responsibility: IT Security Management
Implementation responsibility: Head of IT Section; IT Security Management;
staff responsible for the individual IT
applications
The procedure of data backup is determined by a large number of factors,
including the IT system, volume of data, frequency of modification of the
data, and requirements concerning availability. The data backup policy
attempts to find a solution which takes these factors, as well as profitability,
into account.
There are numerous technical possibilities of data backup. However, their
selection is always determined by the aforementioned factors. For this reason,
the decisive parameters of the IT system and their related applications need to
be determined first and documented clearly. Subsequently, a suitable
procedure must be developed and documented. Finally, the procedure must be
implemented by the agency/company management.
In order to ensure that the data-backup system functions correctly, the data
backup policy must involve the restorability of data by means of practical
exercises (c.f. S 6.41 Training data reconstruction)
The results should be listed as part of the data backup policy, and updated
according to requirement. An example of a data backup policy is shown in the
following table of contents:
Table of contents - Data Backup Policy
1. Definitions
- Application data, system data, software, protocol data
- Full backup, incremental backup
2. Threat scenario as motivational background
- Dependence of the institution on the data stock
- Typical threats like usage by untrained personnel, joint usage of data
stocks, computer viruses, hackers, power failure, hard disk errors.
- Causes of damage specific to individual institutions
- In-house cases of damage
3. Influential factors of an IT system
- Specifying the data to be backed up
- Data availability requirements of the IT applications
- Effort required for data reconstruction without data backup
- Data volumes
- Modification volumes
- Modification times
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000