
Requirement:

The cybersecurity requirements for backup and recovery management must include at least the following:

Sub-Controls:

2-9-3-1:
Requirement:
Scope and coverage of backups to cover critical technology and information assets.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's cybersecurity requirements for backup management; these must be approved by the representative
  • Define the scope of backups for all critical information and technology assets in the organization, including but not limited to:
    • Databases
    • Applications
    • Servers
    • Network Devices
  • Define specialized technologies for backup
  • Determine the period required to back up all information and technology assets according to their sensitivity and classification
  • Implement backups for all critical information and technology assets in the organization
  • Review the organization's backups periodically to confirm they cover the scope above and any additional information and technology assets the organization has identified
Expected Deliverables:
  • Documents showing that the requirements of this ECC control are identified and documented in the organization's policies or procedures, approved by the representative
  • A report of periodic backups as per the defined duration for all asset domains
2-9-3-2:
Requirement:
Ability to perform quick recovery of data and systems after cybersecurity incidents
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's cybersecurity requirements for backup management; these must be approved by the representative
  • Identify appropriate procedures to recover data and systems after exposure to cybersecurity incidents, including but not limited to:
    • Define the scope of backup recovery, which may contain all devices, systems, and servers, and classify them according to their importance and criticality
    • Determine the recovery period according to the classification and importance of the specified scope
    • Use specialized technologies for data and system recovery
    • Calculate the period required to recover all backups across all asset domains, so that backups can be restored rapidly in the event of a cybersecurity incident
Expected Deliverables:
  • Documents showing that the requirements of this ECC control are identified and documented in the organization's policies or procedures, approved by the representative
  • Report on specific procedures for recovery of backups
2-9-3-3:
Requirement:
Periodic tests of backup recovery effectiveness
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's cybersecurity requirements for backup management; these must be approved by the representative
  • Develop a plan for periodic testing of backup recovery effectiveness
  • Verify the effectiveness of the recovery procedures by conducting periodic backup recovery tests, confirming that data and systems can be recovered within the period specified in the procedures and within the period calculated for completing the recovery of all backup copies
Expected Deliverables:
  • Documents showing that the requirements of this ECC control are identified and documented in the organization's policies or procedures, approved by the representative
  • Backup effectiveness test reports showing the difference between the expected duration and the test duration to recover all backups
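The 2-9-3-3 deliverable asks for a report of the difference between the expected and the measured recovery duration. The following is an added example, not part of the ECC text and not any vendor's product code, of how a recovery-test harness can produce that report: it checks that each restored copy matches the digest recorded when the backup was taken (a recovery that finishes on time but restores corrupt data is still a failure), compares the measured duration against the recovery period assigned to the asset's classification, and sums the measured durations as a simple serial estimate of the total recovery period. The classification names, the recovery periods, the asset names and the restored contents are all constructed assumptions.

```python
"""Backup recovery test evaluation (added example; assumptions are marked)."""
import hashlib
from dataclasses import dataclass

# Assumed organization-defined recovery periods per classification, in minutes.
RECOVERY_PERIOD_MINUTES = {"critical": 60, "high": 240, "medium": 1440}


@dataclass
class RecoveryTest:
    asset: str
    classification: str
    source_sha256: str      # digest recorded when the backup was taken
    restored_bytes: bytes   # content read back after the test restore
    minutes_to_recover: float


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(test: RecoveryTest) -> dict:
    """Score one recovery test: integrity of the restored data and time versus target."""
    if test.classification not in RECOVERY_PERIOD_MINUTES:
        raise ValueError(f"{test.asset}: unknown classification {test.classification!r}")
    expected = RECOVERY_PERIOD_MINUTES[test.classification]
    integrity_ok = sha256_hex(test.restored_bytes) == test.source_sha256
    difference = test.minutes_to_recover - expected   # positive means the target was missed
    return {
        "asset": test.asset,
        "classification": test.classification,
        "expected_minutes": expected,
        "measured_minutes": test.minutes_to_recover,
        "difference_minutes": difference,
        "integrity_ok": integrity_ok,
        "passed": integrity_ok and difference <= 0,
    }


def build_report(tests) -> dict:
    """Aggregate all tests into the report the control asks for."""
    rows = [evaluate(t) for t in tests]
    return {
        "rows": rows,
        "failed_assets": [r["asset"] for r in rows if not r["passed"]],
        # Serial estimate of the period needed to recover every backup (assumption).
        "total_recovery_minutes": sum(r["measured_minutes"] for r in rows),
    }


def format_report(report: dict) -> str:
    lines = ["asset            class     expected  measured  diff     integrity  result"]
    for r in report["rows"]:
        lines.append(
            f"{r['asset']:<16} {r['classification']:<9} {r['expected_minutes']:>8} "
            f"{r['measured_minutes']:>8.0f} {r['difference_minutes']:>+8.0f} "
            f"{'ok' if r['integrity_ok'] else 'MISMATCH':<10} "
            f"{'PASS' if r['passed'] else 'FAIL'}"
        )
    lines.append(f"total recovery minutes (serial): {report['total_recovery_minutes']:.0f}")
    lines.append(f"failed assets: {', '.join(report['failed_assets']) or 'none'}")
    return "\n".join(lines)


def sample_tests():
    """Constructed test records: one clean pass, one corrupt restore, one slow restore."""
    db_content = b"customers table snapshot (constructed)"
    app_content = b"application config bundle (constructed)"
    truncated = app_content[:-8]                      # restore came back incomplete
    cfg_content = b"running-config (constructed)"
    return [
        RecoveryTest("crm-db-01", "critical", sha256_hex(db_content), db_content, 45.0),
        RecoveryTest("portal-app-02", "high", sha256_hex(app_content), truncated, 120.0),
        RecoveryTest("fw-core-01", "medium", sha256_hex(cfg_content), cfg_content, 1500.0),
    ]


if __name__ == "__main__":
    print(format_report(build_report(sample_tests())))
```

Feeding real test results into `build_report` only requires recording the source digest at backup time and the wall-clock duration of each restore; the `failed_assets` list is what the periodic review should act on, since either a digest mismatch or a positive difference means the recovery period for that asset is not currently achievable.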