Backups and Testing Backups - WST

It is the guidance and typically the examiner’s expectation that institutions follow the CIA triad of “confidentiality, integrity, and availability of all iterations of data.” And part of this responsibility is to ensure that backups are applied not just to critical systems, but all systems, including non-critical environments, e.g., training systems, testing environments, data at rest, etc. These backups should be tested on a regular basis. These backups should also be first encrypted, and then replicated to offsite locations, whether by logical or physical methods.

The backups referred to are not limited to your local infrastructure or production systems. They should include any cloud-based resources. “Cloud-based you say?” Yes, it’s just someone else’s hardware. Thus, the SOC reports and vendor reviews for those practical solutions hosted and maintained by your MSPs should also include backup solutions that satisfy the recommendations above. And it’s your board of directors’ responsibility—either directly or by approved and monitored proxy—to ensure all backups, whether institution owned or through MSPs, meet at a minimum the standards of “confidentiality, integrity, and availability.” After all, we can outsource the solutions and processes, but we can’t outsource the risk.

If you’d like a lengthier take on this subject, especially as it pertains to cloud- and MSP-based solutions, take a look at the blog post accompanying this WST at https://10dsecurity.com/blog-backups-and-testing-backups.html.

As always, if you have questions or would like to chat about your backup practices, give us a call. We’re here to help.

Authored by: Mike Smith, AWS CCP