Systems Backup Policy

1. Introduction

This policy forms part of the University’s Information Security Policy. The overarching Information Security Policy together with its sub-policies can be found at https://www.aber.ac.uk/en/infocompliance/policies/security/

This policy is primarily concerned with the backup of systems and data in relation to business continuity and disaster recovery contexts. Best efforts will be made to restore data, e.g. for user-deleted files. Unless specifically stated otherwise, the policy relates to on-site storage.

1.1 Objectives

The University, and Information Services specifically, are expected to:

  • take responsibility, ownership, and stewardship of all data held on its systems
  • follow legal, regulatory and compliance needs
  • ensure the appropriate levels of confidentiality are applied to data
  • ensure the integrity of data (that data is accurate, complete, and up-to-date)
  • ensure the availability of data (that data is accessible whenever it is required by appropriate members of the University).

Secure defenses and effective data management procedures are at the forefront of protecting the University’s data, and Information Services will work with Estates and other services departments to ensure that all necessary mitigating factors are employed to ensure the above objectives. These include effective continuity of power supply, air conditioning and fire suppression systems.

However, to accomplish the above objectives, secure, reliable, and robust backup and storage facilities are also required and need to be effectively managed. The policy below sets out the basic retention principles and periods for data held on Information Services’ main systems.

1.2 Scope

This policy covers all data held by Information Services systems, which may include:

  • research data
  • learning and teaching data
  • administration and management information data
  • centrally-held user data

It does not cover data held by individuals, on local servers managed by Departments or Institutes, individual PCs in staff offices, or data stored on removable devices owned by Departments or Institutes.

It should be noted that backup policies relating to third party solutions (e.g. Panopto, Office 365) are reliant on specific agreements and may differ from those applied by Information Services.

2. Core Policy

2.1 Information Services centrally stores and backs up the key data and data upon which the University relies. Backup procedures and archiving retention periods correspond to sector best practice and to overlying legal requirements, and are also shaped by local requirements informed by the University’s business objectives, those being, primarily, research, learning and teaching, and associated administrative requirements.

2.2 The University maintains backups of data, logging information, and applications and systems software held on central administrative, academic and infrastructure servers. Data is backed up daily, with backups held on disk, remote from the original copies, on computers in separate datacenters. All administrative and infrastructure systems are backed up to tape on a weekly basis.

2.3 Below is a summary of the backup/archiving details:

  • Backups of all AU (Aberystwyth University) data are performed daily
  • Backups are retained for 90 days before being deleted
  • Full backups are taken weekly using synthetic backups; incremental backups are taken daily
  • Backups run overnight, minimising the impact on service provision during the day
  • Backups are retained in 3 separate physical locations
  • Backups are stored in secure locations, and a limited number of authorised personnel have access
  • Requests for backup data from 3rd parties must be approved by the Director of Information Services in consultation with the Data Protection Officer
  • Business Information Systems follow key policies as above, but core systems data relating to Human Resources, Finance, Payroll and Students (AStRA) is kept for longer
  • Database data files of all live databases are backed up in such a way that a database can be restored to any point in time within the past month. Exports from all live databases are kept for at least 18 months, as a mixture of dailies, weeklies and monthlies. Thereafter annuals are kept

2.4 Service recovery and testing

  • Restores are performed on a regular basis, as needed
  • Test restores of several key systems will be performed annually, during the month of July. This test will be to make sure that staff know the required procedures, and to validate the integrity of the backups
  • Records of all test restores will be maintained for audit and other purposes

2.5 Recovery Time Objectives

  • Following a significant outage, Information Services will aim to have any given service recovered within 1 working week at a maximum. Given the nature of the outage, this may be shorter or longer than specified

These Regulations are maintained by Information Services, were last reviewed in June 2022 and are due for review in August 2023.