Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.