
World Backup Day and NIST SP 800-171


Backups and Archiving

World Backup Day is March 31st – a whole day to help remind us to ensure our valuable information is properly protected and available should the need arise. Obviously, valid backup and recovery is a foundational component of incident response and information security. An incident could be a system malfunction, user error or adversarial maliciousness.

In the context of information security, our charge is to protect the confidentiality, integrity and availability (CIA) of important data. Backups and archiving play a part in each – availability of a system can rely on the existence of recovery options. Certainly, the backups themselves must also be protected from unauthorized access and modification.

NIST SP 800-171

In protecting controlled unclassified information (CUI), ensuring timely and valid backups is an important part of the process. Interestingly, the NIST SP 800-171 framework doesn’t directly specify that a backup strategy be defined and implemented. However, the protection of CUI backups is mentioned in the media protection control family. This brings up an important consideration: the guidelines used for the protection of CUI are not absolute or all-encompassing; we still need to holistically secure the systems and data that we use and ensure our security plans fully address organizational needs. An old security adage: Compliant doesn’t mean Secure.

An appropriate backup strategy is an important part of protecting all important business information and systems. Protecting the backup information should include locating the backups away from the systems in use. If an event is significant enough to somehow damage the operational systems, we wouldn’t want that same incident to render the backups unusable as well. A rainstorm might flood a data center, or a ransomware attack might encrypt all active data and connected system data.

NIST Compliant Services

At Assured Bridge, we help meet NIST SP 800-171 compliance objectives by regularly backing up your stored CUI. These backups are both encrypted to protect confidentiality and integrity, and stored separately to ensure availability. We also execute rehearsal restorations to validate that the backups can be effectively restored should the need arise.

For World Backup Day, closely review your inventory of sensitive and valuable information and enable backups to somewhere safe. Watch our Twitter feed for more hints and tips.


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner and innovator. He serves as a principal at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. Dan is also Chief Technologist at Sabine Solutions, a defense contractor, and owns a small cybersecurity consulting firm, Community Cyber. He is active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in information technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.