Data Storage and Backup & Recovery
Standard and Process
See the specific requirements in the Data Storage and Backup & Recovery Standard in the University Policy Library. The following supplements the requirements in University policy.
Data (including databases) must be stored to comply with regulations or contractual agreements related to data storage and to maintain the confidentiality, integrity, and availability of the data.
Storing or transferring University private data to a vendor or non-University internet site/system requires an approved University contract.
Any incidental and unintended storage of files in the browser or other cache files on personally owned computers and media; or email/email attachments must be deleted as soon as possible.
Use encryption to protect the data.
Staff and faculty traveling internationally must not transport export-restricted data or software outside of the U.S. The Office of the General Counsel and the Office of International Programs can provide guidance. University private data should be removed from laptops, devices, or media before traveling. Store the minimum data necessary for the trip. All other files should be securely deleted (old email, old files, etc). A departmental travel or rental computer should be used. For current international travel requirements, see the official US travel site.
Backup & Recovery of Data
Data (including databases) must be recoverable based on business needs. The physical security of backups must be maintained and periodically reviewed to meet compliance or regulatory requirements.
The extent (e.g., full or differential backup) and frequency need to take into account the legal or contractual obligations and the criticality to the continued operation of the University.
Backup testing includes monitoring the backup and restoration time. Perform the testing on test media and not on the original media in case the backup or restoration process fails and causes irreparable data damage or loss.
Operational procedures need to include monitoring the execution of backups, addressing failures of scheduled backups, and documenting the actions taken.
Technical staff are responsible for working with users, data owners, data custodians, and service owners to
- develop data storage options for University data;
- work with users, data owners, data custodians, and service owners on where to store data;
- develop and review data backup and recovery plans and procedures for University data;
- designate facilities or locations for storing backups.
Users, data owners, data custodians, and service owners are responsible for working with Technical staff to
- understand and follow the data storage requirements for the data they store;
- understand and follow the data backup plan, secure storage practices and recovery options for the data they store.
Data owners are responsible for publicly available information.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013.
- Official US Travel site
- NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations