Operance Backup Policy
Last Updated 6th January 2023
1 Purpose
The purpose of this document is to ensure that a consistent process is adopted for the backup of data, libraries and critical devices. This is to achieve:
a) Backups are in place to facilitate system recovery to cater for the eventuality of a major disaster or hardware failure
b) Backups are in place to facilitate application recovery to cater for the eventuality of application investigation and the ability to re-generate documents for meeting local statutory requirements and business requirements.
2 Scope
This document is applicable to Operance and covers application customer data including database items, file storage, and “Golden Thread” ledger data.
3 Backup Policy
3.1 Backups must be made on a regular basis that will ensure the continuity of processing and service in the event of an interruption.
3.2 All backups must be recorded, uniquely identified, stored securely, and subject to secure disposal procedures.
3.3 Copies of backup files must be kept in a different region (off-site) for cloud services in a secure location at all times. Backup copies must be transferred to the alternate region regularly, preferably at least once daily.
3.4 Security of backup storage must be maintained in compliance with the Physical Security/Environmental Controls Standards.
3.5 There should be periodic testing of backup media at both on- and off-site locations (at least once a year) to ensure that backups are in useable condition for recovery and that their contents are as documented. Backup media found to be unreadable or otherwise unavailable must be reported to the Chief Technology Officer.
3.6 All movements of backup files must be monitored and logged. Only authorised staff may move backups to anywhere other than the primary and off-site locations.
3.7 Copies of backup files moved to or from off-site storage locations must be provided with defined and agreed levels of security and encryption during transportation and storage.
3.8 The retention period of backup must be sufficient to restore data in line with our SLAs concerning service recovery.
3.9 When service architecture and/or providers are changed, consideration should be given to the backup media and data formats to ensure that they can still be restored.
3.10 Access to backup media must be capable of being retrieved within a time scale documented in the computer disaster recovery plan
4 Restoration
4.1 Authorisation to restore data from backup media that would overwrite existing production data must be obtained from the Data Owners.
4.2 In the event of system failure, an escalation procedure must be in place and made aware to all relevant parties.
4.3 Recovery and restart procedures must be established and easily accessible to relevant parties.
4.4 Source documents, reports and backup media for the reconstruction of a system must be identified and documented.
4.5 Restoration of a previous configuration to any points in time within either statutory requirements or company requirements whichever is the greater should be established and documented.
4.6 Restoration of the current configuration must be within agreed recovery timescales.
5 Enforcement
5.1 All staff are required to comply with this security policy and associated procedures. Disciplinary actions including possible termination may be taken against any staff members who fail to comply with Operance’s security policies or circumvent/violate any security systems and/or protection mechanisms.
5.2 Staff having knowledge of personal misuse or malpractice of IT Systems must report immediately to management and IT Security.
5.3 Operance staff must ensure that our contractors and others parties authorised by the Operance to use its internal computer systems, comply with this policy.
5.4 Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.