11: Data Recovery
Control Statement
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
11.1: Establish and Maintain a Data Recovery Process
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
11.2: Perform Automated Backups
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
11.3: Protect Recovery Data
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
11.4: Establish and Maintain an Isolated Instance of Recovery Data
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.
11.5: Test Data Recovery
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.