11: Data Recovery

Control Statement

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]

Subcontrols

11.1: Establish and Maintain a Data Recovery Process

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2: Perform Automated Backups

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3: Protect Recovery Data

Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.5: Test Data Recovery

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.