CP-9 Information System Backup

Description

System-level information includes, for example, system-state information, operating system and application software, and licenses.

User-level information includes any information other than system level information.

Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes.

Protection of system backup information while in transit is beyond the scope of this Control.

Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Applicability

This Control applies to university information resources that contain mission critical information, Essential IT Services, and additional resources as noted.

The intended audience is all information resource owners or designees who are responsible for the support and operation of mission critical information resources.

Based on risk management considerations and business functions, the information resource owner may determine that it would be appropriate to apply the requirements of this Control to information resources not meeting the definition of mission critical.

Implementation

TAMU-CC conducts backups of system-level information (including system state information) and critical user-level information contained in the information system and protects backup information at the storage location, as follows:

  1. Conducts backups of user-level information contained in the information system network storage according to the SLA agreed upon with the data owner;
  2. Conducts backups of system-level information contained in the information system as defined by the business impact analysis;
  3. Conducts backups of information system documentation including security-related documentation consistent with the requirements of the business impact analysis and
  4. Protects the confidentiality, integrity, and availability of backup information at storage locations.
  5. TAMU-CC stores backup copies of information systems that process and/or store sensitive or mission-critical information offline or in a separate facility that is not collocated with the operational system.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019