Backup Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Field | Details |
|---|---|
| Document Type | Policy |
| Document Reference | SP-BP-003 |
| Version | 1.2 |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |
Introduction
This policy defines Simpaisa's requirements for the backup of information assets to ensure that data can be recovered following a loss event, system failure, or disaster. Regular and tested backups are essential to maintaining business continuity and protecting the organisation's information assets.
This policy applies to all information systems, applications, databases, and data assets owned or managed by Simpaisa.
Documentation
Document Control
This policy is maintained under document control. All changes to this policy must be approved by the CISO and version-controlled accordingly.
Records
Records of backup activities, including completion status, errors, and restoration tests, shall be maintained and retained in accordance with Simpaisa's records retention requirements.
Distribution
This policy shall be distributed to all IT staff responsible for backup operations and to relevant management stakeholders.
Privacy
Backup data shall be subject to the same privacy and confidentiality controls as the original data. Access to backup media and systems shall be restricted to authorised personnel only.
Responsibility
The IT team is responsible for implementing and maintaining backup procedures in accordance with this policy. The CISO is responsible for oversight and policy compliance.
Policy
All critical and important information assets shall be backed up in accordance with the backup schedule defined in this policy. Backup procedures shall ensure that data can be restored within the defined recovery time objectives (RTO) and recovery point objectives (RPO) for each system.
Backup Frequency and Storage
| Data Type | Frequency | Destination | Method |
|---|---|---|---|
| Critical Data | Daily | Cloud | Automated cloud backup |
| Transactional Data | Daily | AWS | Automated AWS backup |
| Source Code (Bitbucket) | On every commit | Bitbucket Repository | Automated repository backup |
| Documents | Monthly | Lock and Key (secure physical storage) | Manual/automated document backup |
| PDC (Primary Domain Controller) | Daily | Backup Server | Automated server backup |
| CCTV Footage | Rolling 1 month retention | NVR (Network Video Recorder) | Continuous recording with auto-overwrite |
| Firewall Configuration | Weekly | SharePoint | Automated configuration export |
Backup Verification and Testing
- Backup completion status shall be monitored and logged daily
- Backup restoration tests shall be conducted at least quarterly for critical systems
- Restoration test results shall be documented and reviewed by the IT Manager
- Any backup failures shall be investigated and resolved promptly
Backup Security
- Backup data shall be encrypted in transit and at rest
- Access to backup systems and media shall be restricted to authorised IT personnel
- Off-site backup media shall be stored in a secure location with appropriate physical access controls
- Cloud and AWS backup access credentials shall be managed in accordance with the Access Control Policy
Retention
Backup retention periods shall align with Simpaisa's data retention requirements and applicable regulatory obligations. Backups shall be retained for a minimum of:
- Daily backups: 30 days
- Weekly backups: 12 weeks
- Monthly backups: 12 months
- Annual backups: 7 years (for financial and regulatory data)
Enforcement
Compliance with this policy is mandatory for all IT staff and system administrators. Non-compliance may result in disciplinary action in accordance with Simpaisa's HR policies.
Any exceptions to this policy must be formally documented, risk-assessed, and approved by the CISO.