3.2.15 Backup and Recovery
The purpose of this policy is to ensure that necessary records and documents are adequately protected and maintained and to outline Information Technology’s backup, restoration and retention policy for the server and administrative data systems in use at Piedmont.
2.0 Overview
One of the most critical functions an IT organization can undertake is ensuring that a structured and highly formalized data backup policy and procedures are in place. Backups are vital for any organization, especially considering today's growing regulatory compliance landscape and the ever-increasing cyber security threats that businesses face on a daily basis. A well-thought-out, efficient, and reliable backup and recovery strategy is essential for ensuring the confidentiality, integrity, and availability (CIA) of critical data.
3.0 Policy
The University requires that all administrative data on IT managed servers is backed up according to the following best practices:
- All University systems, applications, and administrative data must be backed up on a technically practicable schedule suitable to the criticality, integrity, and availability requirements, as defined by the data owner.
- Retention period of backups should be proportionate to the criticality, integrity, and availability needs of the data. Backup copies are retained for 60 days unless there is a need for specific systems to be held for a longer period.
- Records must be kept detailing the backup environment (what data is backed up and where it is backed up).
- Backup schedules must be maintained and periodically reviewed.
- Incremental backups are run nightly. They are then sent offsite to Wasabi cloud immutable storage.
- Full backups are run weekly. They are then sent offsite to Wasabi cloud immutable storage.
- Backups of confidential or sensitive information will be encrypted.
- In order to validate backup files and procedures, a restore from backup must be performed at least twice a year. Each restore is documented via a helpdesk ticket.
- Backup and recovery documentation must be maintained and periodically reviewed and updated to account for new technology, business changes, and migration of applications to alternative platforms.
- Backup media must be clearly labeled.
Statutory regulations pertaining to the long-term retention of information (e.g., financial records, PII or other confidential data) will be met using separate archive policy and procedures, as determined by the Business Owner of the information. Long-term archive requirements are beyond the scope of this policy. Please refer to the Data Classification, Handling, Retention and Destruction Policy for specific departmental data requirements.
This policy will defer to administrative data retention and destruction schedules outlined in the Data Classification, Handling, Retention and Destruction Policy. This Backup Policy will not extend any data retention beyond what is defined by the data owners.
Appendix A – Revision Table
Document Owner: LaMica Justice, Chief Information Officer

Document History

| Rev # | Name | Date | Description | Signature |
|---|---|---|---|---|
| 1.0 | LaMica Justice | 7/1/2025 | Initial draft | Electronically signed |
| 1.1 | | | Initial release | |