Backups - WST

As enforced by guidance and in some cases regulation, the expectation exists that institutions follow the CIA triad of “confidentiality, integrity, and availability of all iterations of data.” This fundamental concept can and should be applied to backups.

To maintain confidentiality, all backups should be first encrypted, before any replication or copies are made. This prevents threat actors from compromising the backed-up data. Encryption keys and password should be stored in a manner that requires access control and documentation to retrieve those password or keys, and that they are accessible when needed. Encryption can be applied logically to the backup data, or at a physical level on the storage device to ensure confidentiality.

Integrity requires institutions create and maintain backups of critical data according to set standards (frequency, retention, copies, location, testing, etc.).

An immutable, offline, or secured copy should be created and readily available to address ransomware incidents. Creating an immutable, simultaneously written copy also supports the guidance and regulatory requirements for transactional information, customer documentation, communications, security event log data, etc. Like encryption, creating an immutable copy prevents unwanted modification or tampering of this data.

Backups of the backup system and backup metadata should also be created. Many automated backup solutions have a feature that meets this need. Smaller institutions with affordability concerns should keep a backup log, whether written or digital, of when the backup was made, the backup contents, systems or data coverage, and where the storage device was transferred for safekeeping offsite.

The institution should ensure backup availability, and the unrestricted ability to restore data promptly. Incorrectly assessed needs for backup frequency could not only affect the institution’s ability to respond to assessed recovery needs, but also the ability to respond to regulatory requests for reportable data in a timely fashion. For example, if the institution is subject to Sarbanes-Oxley, there are further availability requirements for the CEO’s and CFO’s ability to produce financial reporting in a timely manner or when there are material changes to an institution’s financial condition.

As noted above, backups of the backup system can also ensure availability of restorable data should the backup system itself have an incident. This may also affect requirements for the ongoing maintenance of legacy backup solutions if changes to the backup infrastructure are made and data is not transferred.

The concepts above are not limited to the institution’s local infrastructure or production systems and should include any cloud-based resources managed by the institution. If the backups are managed by an MSP or the cloud vendor, then vendor risk assessments and due diligence activities should demonstrate that any given vendor’s policies, standards, procedures, etc., align with the institution’s policies, standards, and procedures, and any risk mitigations or acceptance.

Consideration should also be given to backups of non-critical data and systems. The institution’s Data Classification policy should help determine requirements for different degrees of data criticality and sensitivity and how backups are created, whether considered critical or not.

References:
FFIEC Architecture, Infrastructure, and Operations Booklet
FFIEC Information Security Booklet
FFIEC Cybersecurity Assessment Tool
FFIEC Technology Risk Examination (InTrex) Program
CSBS Ransomware Self-Assessment Tool
Sarbanes-Oxley Act (SOX) sections 302 and 409

As always, if you have questions or would like to chat about your backup practices, give us a call. We’re here to help.

Authored by: Mike Smith, CBISO