BCR-08: Backup

Control is new to this version of the control set and incorporates the following item from the previous version: BCR-11: Retention Policy.

Control Statement

Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.

Implementation Guidance

Implementation of backups and/or other means of data preservation (e.g., replication) should follow these guidelines.

  1. The scope, frequency, and duration of cloud data retention should comply with:
     - Applicable laws
     - Contractual agreements with the cloud customers
     - The cloud provider’s business requirements
  2. The backup approach, including the physical location of backup files, should comply with the privacy and data protection laws and regulations applicable to the data collected.
  3. The data backup process should be monitored by employing technical and organizational safeguards. At a minimum, malfunctions should be examined and eliminated promptly by qualified employees to support compliance with the retention’s scope, frequency, and duration.
  4. Backup and restoration procedures should be periodically tested and the results documented to ensure data can be successfully restored. Tests should be designed so that the reliability of the backup media and the restoration time (RPO, RTO) can be established with sufficient certainty. Any errors and identified improvements (corrective and preventive actions) should be addressed promptly.
  5. Restorations should be carried out only after they have been approved by authorized persons (according to contractual agreements with cloud customers or the internal policies of the cloud provider).
  6. The cloud service provider, when appropriate, should be able to disclose the exercise results to the cloud services customer as part of the assurance of business continuity and resilience.
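The guidance above asks for backups whose integrity can be checked and for periodic restore tests whose results (restore time against RTO, backup age against RPO) are documented. The following is an added example of what such a check can look like; it is not part of the CCM control text or any CSA tooling. It assumes, hypothetically, that a backup is a `.tar.gz` archive with a JSON manifest holding the creation time, a SHA-256 digest per file and a digest of the archive itself, and that the RPO and RTO targets are supplied by the caller in seconds. The two-file data set in `demo()` is constructed for illustration.

```python
"""Backup integrity and restore-test check.

Added example, not CSA/CCM material. Assumptions (hypothetical): a backup is a
.tar.gz archive plus a JSON manifest of SHA-256 digests, and RPO/RTO targets
are given in seconds by the caller.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from dataclasses import asdict, dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Archive every file under `source` and write the manifest used for later integrity checks."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest = {"created": time.time(), "files": files, "archive_sha256": sha256_file(archive)}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


@dataclass
class RestoreTestResult:
    """Evidence record for one restore exercise (the documentation item 4 asks for)."""
    archive_intact: bool
    files_verified: int
    files_failed: list = field(default_factory=list)
    restore_seconds: float = 0.0
    rto_met: bool = False
    backup_age_seconds: float = 0.0
    rpo_met: bool = False


def _safe_member(member: tarfile.TarInfo) -> bool:
    """Only extract plain, relative members: no absolute paths, '..' components or links."""
    parts = Path(member.name).parts
    return (not member.name.startswith(("/", "\\")) and ".." not in parts
            and not member.issym() and not member.islnk())


def run_restore_test(archive: Path, manifest: dict, rpo_seconds: float,
                     rto_seconds: float, now=None) -> RestoreTestResult:
    """Restore into a scratch directory, compare every file with the manifest,
    and measure restore time (RTO) and backup age (RPO) against the targets."""
    now = time.time() if now is None else now
    intact = sha256_file(archive) == manifest["archive_sha256"]
    failed, verified = [], 0
    start = time.monotonic()
    if intact:
        with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp, members=[m for m in tar.getmembers() if _safe_member(m)])
            for rel, digest in manifest["files"].items():
                restored = Path(tmp, rel)
                if restored.is_file() and sha256_file(restored) == digest:
                    verified += 1
                else:
                    failed.append(rel)
    else:
        failed = list(manifest["files"])  # nothing from a tampered archive can be trusted
    elapsed = time.monotonic() - start
    age = now - manifest["created"]
    return RestoreTestResult(intact, verified, failed, elapsed,
                             elapsed <= rto_seconds, age, age <= rpo_seconds)


def demo(tamper: bool = False) -> RestoreTestResult:
    """Back up a constructed two-file data set and run the restore test.
    With tamper=True the archive is altered after the manifest was written,
    simulating silent corruption of the backup media."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "records.csv").write_text("id,name\n1,constructed sample\n")
        (source / "config.json").write_text('{"region": "example"}\n')
        archive, manifest_path = work / "backup.tar.gz", work / "backup.manifest.json"
        manifest = create_backup(source, archive, manifest_path)
        if tamper:
            with open(archive, "ab") as f:
                f.write(b"\x00")
        return run_restore_test(archive, manifest, rpo_seconds=24 * 3600, rto_seconds=60)


if __name__ == "__main__":
    print(json.dumps(asdict(demo()), indent=2))
    print(json.dumps(asdict(demo(tamper=True)), indent=2))
```

The returned `RestoreTestResult` is the artefact to keep as test evidence: it records whether the archive hash matched, which files failed to restore byte-for-byte, and whether the measured restore time and backup age stayed within the RTO and RPO targets, so a failed exercise produces a concrete item for the corrective-action list rather than a bare pass/fail.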

Additional guidance is also available in the NIST Special Publication 800-53 (Rev. 4) CP-9 INFORMATION SYSTEM BACKUP (latest revision).

Auditing Guidance

  1. Examine the policy for identifying data for which a backup is required.
  2. Examine the requirements for the security of such backups.
  3. Evaluate the effectiveness of the backup and restore.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.