February 10th, 2022

Backups and Testing Backups - WST

It is the guidance and typically the examiner’s expectation that institutions follow the CIA triad of “confidentiality, integrity, and availability of all iterations of data.” And part of this responsibility is to ensure that backups are applied not just to critical systems, but all systems, including non-critical environments, e.g., training systems, testing environments, data at rest, etc. These backups should be tested on a regular basis. These backups should also be first encrypted, and then replicated to offsite locations, whether by logical or physical methods.

The backups referred to are not limited to your local infrastructure or production systems. They should include any cloud-based resources. “Cloud-based you say?” Yes, it’s just someone else’s hardware. Thus, the SOC reports and vendor reviews for those practical solutions hosted and maintained by your MSPs should also include backup solutions that satisfy the recommendations above. And it’s your board of directors’ responsibility—either directly or by approved and monitored proxy—to ensure all backups, whether institution owned or through MSPs, meet at a minimum the standards of “confidentiality, integrity, and availability.” After all, we can outsource the solutions and processes, but we can’t outsource the risk.

If you’d like a lengthier take on this subject, especially as it pertains to cloud- and MSP-based solutions, take a look at the blog post accompanying this WST at https://10dsecurity.com/blog-backups-and-testing-backups.html.

As always, if you have questions or would like to chat about your backup practices, give us a call. We’re here to help.



Authored by: Mike Smith, AWS CCP

You May Want to Read More:

The Scope of SARs - Something Old and Something New - WST

January 28th, 2021

Did you know that filing Suspicious Activity Reports...

In with the new year, out with the Flash - WST

January 21st, 2021

The writing has been on the wall for a while now ...

Back to Basics: Understanding Risk Concepts - WST

January 15th, 2021

People often make judgements and decisions about risk...

Keep your institution off the evening news.


Contact Us