Last updated: July 3, 2018
- The data backup policy provides comprehensive documentation of the applicable regulations in the company and measures taken for data backup. It also serves as evidence to third parties that the legally required availability control is carried out correctly.
Responsibilities in the company
- Companies have to provide for IT security and data backup.
- Corporate management is directly responsible for this and is personally liable where applicable.
- General legal conditions
- The law requires certain controls via technical and organizational measures, both with processing data for one’s own purposes and with commissioned data processing; in this context, an availability control applies in particular.
- Verification of the controls or technical and organizational measures is, inter alia, to be provided to customers within the scope of commissioned data processing.
- Human error: incorrect operation/accident, sabotage, attack
- Technical disruptions: technical malfunction, hardware failure, line disturbance
- Force majeure, accidents, catastrophes: water, fire, etc.
- Significant to existentially threatening effects on companies pos-
- Data backup procedures, options
- Incremental backup
- Differential backup
- Minimum technical and organizational regulations
- Data backup must be performed responsibly and competently
- No accidental bypassing of authorization models by data backup
- Confidentiality and obligation to data protection
- The nomination of people responsible for each task area
- Determine need for confidentiality, integrity and availability
- Technical implementation
- Create data backup plan
- Determine the retention period and number of generations
- Coordination with the emergency-prevention policy
- Sufficient documentation and logging: especially backup data, backup scope, backup parameters.
- Arrange the recovery procedure
- Create an inventory directory
- Ensure the evaluation of logs
- Tests on data reconstruction/restoration and emergency drills
- Set up necessary controls, especially access control
- Implement the protection requirements for confidentiality, integrity and availability
- Specify and secure transport routes
- Allocate capacities: throughput, volume, the quantity of data-storage devices
- Implement requirements for seamless backup (mobile computers, PDA/MDA, databases, open files, system data, log data, etc.)
- Especially ensure access control, access-permission control, transmission control, input control and separation control, also with regard to data backup sets.
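The outline names the backup options (incremental, differential), the need to fix a retention period and number of generations, and the requirement to test data restoration, but does not show how these fit together. The following is an added example, not part of the policy text or any product it describes: a small model in which daily snapshots of a constructed file set are turned into full, incremental or differential backup sets, restored again, and pruned by generation. All file names, version numbers, dates and the function names (`plan_backups`, `restore`, `prune`, `total_volume`) are assumptions made for this illustration.

```python
"""Added example, not part of the policy outline: a small model of the backup
options the outline names (full, incremental, differential), of restoring
from them, and of a generation-based retention rule. File names, versions
and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date

# Constructed sample: contents of a data set on consecutive days,
# as file name -> version number (any change yields a new version).
SNAPSHOTS = {
    date(2018, 7, 1): {"ledger.db": 1, "contracts.zip": 1, "syslog": 1},
    date(2018, 7, 2): {"ledger.db": 2, "contracts.zip": 1, "syslog": 2},
    date(2018, 7, 3): {"ledger.db": 2, "contracts.zip": 2, "syslog": 3},
    date(2018, 7, 4): {"ledger.db": 3, "contracts.zip": 2, "syslog": 4, "notes.txt": 1},
    date(2018, 7, 5): {"ledger.db": 3, "contracts.zip": 2, "syslog": 5, "notes.txt": 1},
    date(2018, 7, 6): {"ledger.db": 4, "contracts.zip": 2, "syslog": 6, "notes.txt": 2},
}


@dataclass
class BackupSet:
    kind: str    # "full", "incremental" or "differential"
    day: date
    files: dict  # file name -> version stored in this set


def changed_since(current, baseline):
    """Files that are new or carry a different version than in `baseline`."""
    return {n: v for n, v in current.items() if baseline.get(n) != v}


def plan_backups(snapshots, strategy, full_every=3):
    """Backup sets produced day by day; a full backup starts every `full_every` days.

    incremental  -> only what changed since the previous set of any kind
    differential -> everything that changed since the last full backup
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    sets, full, previous = [], None, None
    for i, day in enumerate(sorted(snapshots)):
        state = snapshots[day]
        if i % full_every == 0:
            bs = BackupSet("full", day, dict(state))
            full = state
        elif strategy == "incremental":
            bs = BackupSet("incremental", day, changed_since(state, previous))
        else:
            bs = BackupSet("differential", day, changed_since(state, full))
        sets.append(bs)
        previous = state
    return sets


def restore(sets, day):
    """Reconstruct the data set as of `day`.

    Replays the last full backup on or before `day`, then each later set up to
    `day`: incrementals accumulate, while a differential is self-contained, so
    each one replaces the previous differential. (Deletions are not modelled.)
    """
    fulls = [s for s in sets if s.kind == "full" and s.day <= day]
    if not fulls:
        raise LookupError(f"no full backup on or before {day}")
    base = fulls[-1]
    state = dict(base.files)
    for s in sets:
        if base.day < s.day <= day:
            if s.kind == "differential":
                state = dict(base.files)
            state.update(s.files)
    return state


def prune(sets, keep_generations):
    """Keep only the newest `keep_generations` full backups and their dependents.

    A generation is a full backup plus the incremental/differential sets that
    depend on it; deleting a full backup alone would leave orphaned sets that
    cannot be restored, which is why pruning works per generation.
    """
    if keep_generations < 1:
        raise ValueError("at least one generation must be kept")
    full_days = sorted(s.day for s in sets if s.kind == "full")
    cutoff = full_days[-keep_generations] if keep_generations <= len(full_days) else full_days[0]
    return [s for s in sets if s.day >= cutoff]


def total_volume(sets):
    """Number of file copies stored: a rough proxy for the required capacity."""
    return sum(len(s.files) for s in sets)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        plan = plan_backups(SNAPSHOTS, strategy)
        print(strategy, "stores", total_volume(plan), "file copies")
        # The restoration test the outline asks for: replayed data must equal the original.
        assert restore(plan, date(2018, 7, 6)) == SNAPSHOTS[date(2018, 7, 6)]
```

Running the script shows the trade-off behind the two options: the differential plan stores slightly more copies but a restore needs only the last full set and one differential, whereas the incremental plan needs every intermediate set, so the loss of a single incremental set breaks every later restore point. The `prune` function models why the retention rule is expressed in generations: once the older full backup is dropped, restore points that depended on it are gone as well, which is what a restoration test is meant to catch before an emergency does.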