Policy on backup and archiving of data held on IS systems

1. Introduction

This policy forms part of the University’s Information Security Policy.  The overarching Information Security Policy together with its sub-policies can be found at https://www.aber.ac.uk/en/infocompliance/policies/security/

This policy is primarily concerned with backup of systems and data in relation to business continuity and disaster recovery contexts. Best efforts will be made to restore data e.g. for user deleted files.  Unless specifically stated otherwise, the policy relates to on-site storage.

1.1 Objectives

The University, and Information Services specifically, are expected to:

  • take responsible ownership and stewardship of all data held on its systems;
  • follow legal, regulatory and compliance needs;
  • ensure the appropriate levels of confidentiality are applied to data
  • ensure the integrity of data (that data is accurate, complete and up-to-date);
  • ensure the availability of data ( that data is accessible whenever it is required by appropriate members of the University).

Secure defences and effective data management procedures are at the forefront of protecting the University’s data, and Information Services will work with Estates and other services departments to ensure that all necessary mitigating factors are employed to ensure the above objectives.  These include effective continuity of power supply, air conditioning and fire suppression systems.

However, in order to accomplish the above objectives, secure, reliable and robust backup and storage facilities are also required and need to be effectively managed. The policy below sets out the basic retention principles and periods for data held on Information Services’ main systems.

1.2 Scope

This policy covers all data held by Information Services systems, which may include:-

  • research data,
  • learning and teaching data,
  • administration and management information data
  • Centrally-held user data

It does not cover data held by individuals, on local servers managed by Departments or Institutes, individual PCs in staff offices, or data stored on removable devices owned by Departments or Institutes.

It should be noted that backup policies relating to third party solutions (e.g. Panopto, Office 365) are reliant on specific agreements and may differ from those applied by Information Services

2. Core Policy

2.1  Information Services centrally stores and backs up the key data and data sets upon which the University relies. Backup procedures and archiving retention periods correspond to sector best practice, to overlying legal requirements and are also shaped by local requirements informed by the University’s business objectives, those being, primarily, research, learning and teaching, and associated administrative requirements.

2.2  The University maintains backups of data, logging information, and applications and systems software held on central administrative, academic and infrastructure servers. Data are backed-up daily (or following every working day in the case of some administrative backups), with backups held remote from the original copies on disk on computers in separate data centres. At least weekly in any case all data are backed up to tape. Tapes are kept in fire safes remote from the servers they back up.

2.3   Below is a summary of the backup/archiving details:

  • Backups of all AU data are performed daily.
  • Backups are retained for 60 days before being deleted.
  • Full backups are taken weekly by using synthetic backups, incremental backups are taken daily.
  • Backups run overnight, minimising impact of service provision during the day.
  • Backups are retained in 2 different locations.
  • Backups are stored in secure locations, and limited number of authorised personnel have access.
  • Requests for backup data from 3rd parties must be approved by the Director of Information Services in consultation with the Data Protection Officer.
  • Backup of data held within system have data backup routines which ensure database integrity is retained.  Currently this means some systems are taken off‐line in order to backup the data on a daily basis.
  • Business Information Systems follow key policies as above, but core systems data relating to Human Resources, Finance, Payroll and Students (AStRA) is kept for longer. Database data files of all live databases are backed up in such a way that a database can be restored to any point in time within the past month. Exports from all live databases are kept for at least 18 months, as a mixture of dailies, weeklies, monthlies.  Thereafter annuals are kept.

2.4 Service recovery and testing

  • Restores are performed on a regular basis, as needed.
  • Test restores of several key system will be performed annually, during the month of July. This test will be to make sure that staff know the required procedures, and to validate the integrity of the backups.
  • Records of all test restores will be maintained for audit and other purposes.

2.5 Recovery Time Objectives

  • Following a significant outage, Information Services will aim to have any given service recovered within 1 working week at a maximum. Given the nature of the outage, this may be shorter or longer than specified.