DS4.9:
DS 4.9 Offsite Backup Storage
Control Objective:
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Content of backup storage needs to be determined in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data and periodically test and refresh archived data.
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- Ditscap
- Control Exception
- User Defined
Risk Association Control Activities:
- 1. Risk: Controls provide reasonable assurance that policies and procedures that define required acquisition and maintenance processes have been developed and are maintained, and that they define the documentation needed to support the proper use of the applications and the technological solutions put in place.
- a. SOX.1.4 The organization has policies and procedures regarding program development, program change, access to programs and data, and computer operations, which are periodically reviewed, updated and approved by management.
- a. SOX.1.4 The organization has policies and procedures regarding program development, program change, access to programs and data, and computer operations, which are periodically reviewed, updated and approved by management.
- 1. Risk: Controls provide reasonable assurance that policies and procedures that define required acquisition and maintenance processes have been developed and are maintained, and that they define the documentation needed to support the proper use of the applications and the technological solutions put in place.
- 2. Risk: Mission critical data is not available to restart applications due to systems failure.
- a. SOX.2.3.1 Up-to-date backups of programs and data should be available in emergencies.
- 2. Risk: Mission critical data is not available to restart applications due to systems failure.
- 3. Risk: The ability to change data on back up tapes is not restricted.
- a. SOX.2.3.2 Confidential information on backed up system and transaction data is properly protected.
- 3. Risk: The ability to change data on back up tapes is not restricted.
- 4. Risk: Unauthorized or inappropriate personnel have access to data via backup tapes.
- a. SOX.2.3.3 Confidential information on backed up system and transaction data is properly protected.
- 4. Risk: Unauthorized or inappropriate personnel have access to data via backup tapes.
- 5. Risk: Up-to-date backups of programs and data may not be available when needed.
- a. SOX.2.3.4 Procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of media backup.
- 5. Risk: Up-to-date backups of programs and data may not be available when needed.
- 6. Risk: Production processes and associated controls operate as intended and support financial reporting requirements.
- a. SOX.2.3.5 User-developed systems and data are regularly backed up and stored in a secure area.
- a. SOX.2.3.5 User-developed systems and data are regularly backed up and stored in a secure area.
- 6. Risk: Production processes and associated controls operate as intended and support financial reporting requirements.
- 7. Risk: Computer equipment may be compromised by accidental damage.
- a. SOX.2.6.1 Physical storage of computer equipment should be appropriately protected to prevent the risk of accidental damage (e.g., fire, flood, smoke, water, dust, vibration, chemicals, and radiation).
- 7. Risk: Computer equipment may be compromised by accidental damage.
- PCI-3.2.1 Do not store the full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.)
- PCI-3.2.2 Do not store the card-validation code (Three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data))
- PCI-3.2.3 Do not store the PIN Verification Value (PVV).
Implementation Guide:
Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
File:Someimage.jpg
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
File:Redlock.jpg
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
- ITIL Service Delivery
- ITIL IT Service Continuity Management
- ITIL 7.3.2 Stage 2 - Requirements analysis and strategy definition
- ISO 7.1 Secure areas
- ISO 7.2 Equipment security
--Mdpeters 08:26, 23 June 2006 (EDT)