This policy applies to all persons while conducting/performing work, teaching, research or study activity or otherwise using university resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
Backup of Data
July 23, 2007
Regular backups are required for all University-related data that is not hosted on the University enterprise systems and that is classified as sensitive or proprietary or is needed during the course of normal operations. Backups of data must be retained in accordance with University, State or Federal retention guidelines as appropriate for the data being backed up.
Information Technology must conduct regular backups of all data stored on enterprise servers.
REASON FOR POLICY
Backups are an essential part of disaster recovery and business continuity planning and of ensuring the availability of university information.
Backups are an essential part of disaster recovery and business continuity planning. Backups should align with the department's business continuity and disaster recovery plans and be defined for all critical assets based on business need, regulatory requirements and risk. Also see ISO-002 Business Continuity Planning and Disaster Recovery.
Files containing valuable information must be backed up (note that the university network drives may be utilized for this purpose). Note: University network drive backups are maintained for 30 days. Departments, schools or users with longer retention needs are encouraged to back up critical data themselves.
Users are responsible for ensuring that backups or synchronization of sensitive and/or critical information on mobile devices are taken regularly to prevent loss of data.
To the extent software license agreements are not violated, all software is copied and maintained in a secure location. Master copies should be stored securely and not used for ordinary business activities.
Backups must be performed at regular intervals, not less than weekly, for all department, school, administrative division or university-wide valuable information. Smaller university entities and individuals must back up valuable information at regular intervals not to exceed monthly (more often if the information changes frequently).
Backups must be maintained in a secure environment removed from the physical location of the computing device. One generation should be maintained off-site and one generation on-site.
Backups should be encrypted and password protected and must be encrypted if custody of the backups is entrusted to a third party (non-UofL personnel) and the backups contain sensitive information.
Backups related to security incidents must be securely stored off-line until authorities or counsel determine it is no longer needed.
The ability to successfully recover backup files must be tested periodically, not less than annually and at the time of any significant hardware or software updates or changes in the system in question.
Backups must be retained in accordance with University retention guidelines to help the University meet all relevant regulatory or institutional requirements. Please see the University Archives & Records Center web site for more information.
Information Technology Division Computing Operations Centers:
Incremental backups of enterprise systems must be done daily.
Full backups of enterprise systems must be done weekly.
Copies of backups must be rotated offsite daily for disaster recovery purposes.
Backups must be retained for a minimum of 30 days.
Backup and recovery must be available for 30 days after deletion.
Backups must be created for enterprise disaster recovery purposes.
Backups should not be relied upon for recovery of accidentally deleted files as a matter of routine, although restoration of files accidentally deleted or damaged can be requested by calling the Help Desk at 502-852-7997.
Schools, divisions or other users may subscribe to these enterprise class backup services and are billed on a cost recovery basis.
Valuable Information: Information that has significant value to the University's mission and/or whose loss could result in harm to the University, its staff, clients or students. This information may or may not be sensitive information (see Sensitive Information definition).
Sensitive Information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or whose disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms) (see Information Management and Classification Standard).
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / July 18, 2011 / Backup retention time changed from 30 days to 15 days per the Strategic Technology Executive Committee
1.2 / January 29, 2013 / Content Update
1.3 / April 1, 2014 / Update backup retention time from 15 to 30 days per Enterprise IT Management.
1.4 / September 29, 2014 / Content Review
2.0 / March 8, 2016 / Content review and update to new template
Reviewed Date(s): March 8, 2016
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION: Vice President for Risk, Audit, and Compliance
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.