Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
Despite the implementation of best practice, there is always a risk that systems and/or procedures will fail, resulting in loss of access to information, data and systems. This policy will help ensure that information and data are backed up and restored in the most efficient and secure manner possible.
IT Systems
- The IT team are responsible for providing system support and data backup tasks and must ensure that adequate backup and system recovery practices, processes and procedures are followed in line with data retention policies.
- All backup and recovery procedures are documented, regularly reviewed and made available to trained personnel who are responsible for performing data backup and recovery.
- Backups must be encrypted in line with the Cryptography policy.
- Backups must be scheduled, automated and auditable.
- Access to backups must be restricted to authorised personnel.
- Quarterly tests must be carried out to ensure the backup and recovery procedures are working as expected. The outcome of these tests should be stored in M:\IT\Compliance\Backup Tests.
Personnel Responsibilities
Employees and contractors also have a responsibility to ensure data is securely maintained and is available for backup.
In accordance with the Physical Security Policy, data must not be stored on the local drive of any computer. The M: drive must be used. Local drives are NOT backed up and are therefore at risk of damage, corruption or loss.
Restoration
Restoration of core IT systems must be performed by authorised personnel only.
Redundancy
All core IT systems must be highly available and have no single point of failure. Where possible, load balancers and multiple availability zones/data centers should be utilised to help ensure that a data center disaster does not impact operations.