MOENCO Backup and

Recovery Policy

January 2020

Page 1
 MOENCO Backup & Recovery Policy

DOCUMENT REVISION HISTORY

Version Date Sections Affected Description

V1 August 2014 All MOENCO Backup and
Recovery Policy
V2 August 2015 MOENCO Backup and
Recovery Policy
V3 January 2018 All MOENCO Backup and
Recovery Policy
V4 January 2019 N/A MOENCO Backup and
Recovery Policy
V5 January 2020 N/A MOENCO Backup and
Recovery Policy
 MOENCO Backup & Recovery Policy

Contents
Page

Chapter 1 - Introduction ................................................................................................................ 6

1.1 Purpose ............................................................................................................................. 6

1.2 Audience ........................................................................................................................... 6

1.3 Scope .................................................................................................................................................7

Chapter 2 - Process ....................................................................................................................... 8

Chapter 3 – Backup and Recovery Policy Statement ............................................................... 9

Chapter 4 - Schedule Backups .................................................................................................. 11

4.1 Default Schedule Backup (Business Data)................................................................................ 11

4.2 Backup of System State Data ...................................................................................................... 11

4.3 Storage Location and Retention Period ..................................................................................... 12

4.4 Backup Verification ........................................................................................................................ 13

4.5 Definition of Retention Periods .................................................................................................... 13

4.6 Systems Management .................................................................................................................. 14

4.7 Media Management....................................................................................................................... 14

4.8 Storage, Access, and Security .................................................................................................... 15

4.9 Retirement and Disposal of Media .............................................................................................. 15

4.10 Degradation of Service ............................................................................................................... 15

4.11 Disaster Recovery Considerations .......................................................................................... 16

Chapter 5 – Enforcement ........................................................................................................... 17

Page 5
 MOENCO Backup & Recovery Policy

Chapter 1 - Introduction

System and business data are a crucial component of MOENCO business, and they
should be protected by implementing a backup and recovery plan. Backing up files
can protect against accidental loss of business data, database corruption, hardware
failures, and even natural disasters. It is the IT Departments responsibilities to make
sure those regular backups are performed, and that backup media are stored in a
secure location.

1.1 Purpose
The purpose of this backup policy is as follows:

 To safeguard the information assets of MOENCO.

 To prevent the loss of data in the case of accidental deletion or corruption of
data, system failure, or disaster.
 To permit timely restoration of information and business processes should
such events occurred.
 To manage and secure backup & restoration processes and the media
employed within these processes.

1.2 Audience

These guidelines are intended for:

 MOENCO’S IT Division
 MOENCO Branch Offices
 MOENCO’S Database Administrators
 MOENCO’s IT System Administrators
 MOENCO’s IT Network Administrators
 Contractors who are allowed to access MOENCO’s IT resources.

Page 6
 MOENCO Backup & Recovery Policy

1.3 Scope

The scope of this policy extends to the back-up of all-important information, data,
and system state data regardless of the form it takes - including the recovery of IT
systems and supporting infrastructure.

Page 7
 MOENCO Backup & Recovery Policy

Chapter 2 - Process

Responsibility for maintaining a full set of up-to-date backups remains with the IT
department. Any issues with maintenance of a complete set of backups will be
escalated to the IT Manager. The IT Department provides policy-based, system
level, and network-based backups of all centrally hosted systems. Backup policies
are implemented on per system and site basis that define:

• Selections: what information is to be backed up on systems?

• Priority: relative importance of information for purposes of the ordering of

backup jobs.

• Type: the frequency and amount of information to be backed up within a

set of backup jobs.

• Schedule: the schedule to be used for backup jobs.

• Duration: the maximum execution time a backup job may take prior to its
adversely affecting other processes.

• Retention Period: the time period for which backup images created during
backup jobs are to be retained.

Page 8
 MOENCO Backup & Recovery Policy

Chapter 3 – Backup and Recovery Policy Statement

There is always a risk that systems and/or procedures will fail resulting in loss of
access to information, data and systems, despite the implementation of best
practice.

The following steps will help ensure MOENCO’s information and data is backed up
and restored securely in the most efficient manner possible:

1. MOENCO’s IT administrators are responsible for providing system support

and data backup tasks and must ensure that adequate backup and system
recovery practices, processes and procedures are followed in line with
MOENCO’s Backup and Recovery Procedure, Disaster and Recovery
Procedures, and departmental data retention policies.

2. All IT backup and recovery procedures must be documented, regularly

reviewed and made available to trained personnel who are responsible for
performing data and IT system backup and recovery.

3. All data, operating systems/domain infrastructure system state data and

supporting system configuration files must be systematically backed up -
including patches, fixes and updates which may be required in the event of
system re-installation and/or configuration.

4. A recording mechanism must be in place and maintained to record all backup

information such as department, data location, date, type of backup (e.g.
Incremental, Differential, Full etc…) including any failures or other issues
relating to the backup job.

5. Copies of backup media must be removed from devices as soon as possible

when a backup or restore has been completed.

6. Backup media which is retained on-site prior to being sent for storage at a
remote location must be stored securely in a locked safe and at a sufficient
distance away from the original data to ensure both the original and backup
copies are not compromised.

Page 9
 MOENCO Backup & Recovery Policy

7. Access to the on-site backup location and storage safe must be restricted to
authorized personnel only.

8. All backups identified for long term storage must be stored at a remote secure
location with appropriate environmental control and protection to ensure the
integrity of all backup media.

9. Hard copy paper files containing important information and data should be
scanned and stored electronically to ensure digital copies are created which
can be backed up by the MOENCO’s IT systems. Where this may not be
possible, photocopies of paper files must be made and stored in a secure
storage location.

10. Regular tests must be carried out to establish the effectiveness of the
MOENCO’s backup and restore procedures by restoring data/software from
backup copies and analyzing the results. The IT Manager should be provided
with information relating to any issues with the backup testing of their data

11. The Backup administrator should notify the IT Manager when backups fail –
providing information such as the backup job detail and reasons (if applicable)
for the failure. A record must be maintained, detailing the backup job failure
including any actions taken.

12. Backup data/media no longer required must be clearly marked and recorded
for secure disposal and with due environmental consideration.

Page 10
 MOENCO Backup & Recovery Policy

Chapter 4 - Schedule Backups

4.1 Default Schedule Backup (Business Data)

Unless a system supporting an application or business function requires a custom

schedule, systems will be backed up using a default schedule of weekly full backups
and subsequent differential incremental backups prior to the next full backup.

During backups, point-in-time images of information stored in active, permanent

storage (e.g. hard disks) will be copied to magnetic tape or external disk drive or
other media.

Full backups will back up all files specified within a system’s backup policy,
regardless of when they were last modified or backed up. Differential/incremental
backups will back up all files that have changed since the last successful
incremental or full backup.

The media containing a system’s weekly full backup and full set of subsequent
differential-increment backups will comprise its weekly full backup media set.

The IT department will schedule backup windows for systems so as to minimize

disruption to business functions and ensure accomplishment of the weekly full –
daily – differential - incremental policies described above.

4.2 Backup of System State Data

System state data is comprised of the following files:

 Boot files, including the system files, and all files protected by Windows File
Protection (WFP).

 Active Directory (on a domain controller only).

 Sysvol (on a domain controller only).

 Certificate Services (on certification authority only).

Page 11
 MOENCO Backup & Recovery Policy

 Cluster database (on a cluster node only).

 The registry.

 Performance counter configuration information.

 Component Services Class registration database.

The system state data can be backed up in any order. Restoration of the system
state replaces boot files first and commits the system hive of the registry as a final
step in the process.

System state backup and restore operations include all system state data: you
cannot choose to backup or restore individual components due to dependencies
among the system state components. However, you can restore system state data to
an alternate location in which only the registry files, Sysvol directory files, and
system boot files are restored. The Active Directory database, Certificate Services
database, and Component Services Class Registration database are not restored to
the alternate location.

Although it is not possible to change which components of the system state are
backed up, it is possible to back up all protected system files with the system state
data by setting advanced backup options at least on a weekly basis.

4.3 Storage Location and Retention Period

Unless a system supporting an application or business function requires a custom

retention period, IT will maintain 4 weeks of full and incremental backups.

After a successful full weekly backup, a copy of the full backup’s images will be
made and stored in a secure, off-site media vaulting location for the period of one
month for disaster recovery purposes.

This will ensure that no more than one week of information would be lost in the event
of a disaster in which centrally hosted systems and backup images are destroyed.

Page 12
 MOENCO Backup & Recovery Policy

After the period of a month has elapsed, the tapes or external hard drives will be
returned to IT and re-used or destroyed.

4.4 Backup Verification

The IT department will ensure that on a daily basis, logged information generated
from each backup job will be reviewed for the following purposes:

 To check for and correct errors

 To monitor duration of the backup job
 To optimize backup performance where possible

The IT department will identify problems and take corrective actions to reduce any
risks associated with failed backups. Test restores from backup tapes/hard discs for
each system will be performed at least every quarter. Problems will be identified and
corrected. This will work to ensure that both the tapes and the backup procedures
work properly.

IT will maintain records demonstrating the review of logs and test restores so as to
demonstrate compliance with this policy for auditing purposes.

4.5 Definition of Retention Periods

The retention periods of information contained within system level backups are
designed for recoverability and provide a point-in-time snapshot of information as it
existed on centrally hosted systems during the time period defined by system
backup policies.

Backup retention periods are in contrast to retention periods for information defined
by legal or business requirements.

Page 13
 MOENCO Backup & Recovery Policy

System backups are not meant for the following purposes:

• To archive data for future reference
• To maintain a versioned history of data

4.6 Systems Management

The IT department will ensure on the basis that all elements of its backup system are
documented and maintained in such a manner as to ensure:

• The integrity and confidentiality of data copied during backup and restore
operations.
• Appropriate access to data maintained within the backup system
• Recoverability in the face of system failure or disaster
• Optimal performance
• Stability

This documentation will be reviewed every two years and revised in the event of any
changes to procedures or software.

Elements of the backup system requiring on-going systems management include,

but are not limited to:

• Client software
• Hardware drivers
• Server software
• Network connectivity & communications
• Storage devices (e.g. tape library)

4.7 Media Management

Media will be clearly labeled, and logs will be maintained identifying the location and
content of backup media.

Page 14
 MOENCO Backup & Recovery Policy

Backup images on assigned media will be tracked throughout the retention period
defined for each image. When all images on the backup media have expired, the
media will be re-incorporated amongst unassigned (available) media until reused.
Periodically and according to the recommended lifetime defined for the backup
media utilized, IT will retire & dispose of media so as to avoid media failures.

4.8 Storage, Access, and Security

All backup media must be stored in a secure area that is accessible only to
designated IT staff or employees of the contracted secure off-site media vaulting
vendor.

Backup media will be stored in a physically secured location such as fire-rated

cabinet or safe when not in use. During transport or changes of media, media will not
be left unattended and data must be encrypted.

4.9 Retirement and Disposal of Media

Prior to retirement and disposal, the IT Manager will ensure the following:

• The media no longer contains active backup images or that any active backup
images have been copied to other media.
• The media’s current or former contents cannot be read or recovered by an
unauthorized party.

With all backup media, the IT Manager will ensure the physical destruction of the
media prior to disposal.

4.10 Degradation of Service

Should a failure or defect of the backup system threaten the recoverability of a

computing system or its information, the IT department will take immediate actions to
correct the situation.

Page 15
 MOENCO Backup & Recovery Policy

Additionally, IT will attempt to warn all users and owners of applications &
information of the failure or defect and the potential scope of information loss.
IT will work with those warned to mitigate potential or actual risks until such time as
full-service can be restored.

4.11 Disaster Recovery Considerations

For any form of disaster occurrence, the IT department enact the procedures as
outlined in MOENCO’s Disaster Prevention and Recovery Plan (DPRP)

Page 16
 MOENCO Backup & Recovery Policy

Chapter 5 – Enforcement

Overall, the IT Department is responsible for the daily, weekly and monthly backup of
systems and business data. A person responsible to execute backup and recovery
procedures, if found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.

Page 17