Backups and Archiving
World Backup Day is March 31st – a whole day to help remind us to ensure our valuable information is properly protected and available should the need arise. Obviously, valid backup and recovery is a foundational component of incident response and information security. An incident could be a system malfunction, a user error or a malicious act by an adversary.
In the context of information security, our charge is to protect the confidentiality, integrity and availability (CIA) of important data. Backups and archiving play a part in each – availability of a system can rely on the existence of recovery options. Certainly, the backups themselves must also be protected from unauthorized access and modification.
NIST SP 800-171
In protecting controlled unclassified information (CUI), ensuring timely and valid backups is an important part of the process. Interestingly, NIST SP 800-171 doesn’t directly specify that a backup strategy be defined and implemented. However, the protection of CUI backups is mentioned in the media protection control family. This brings up an important consideration: the guidelines used for the protection of CUI are not absolute or all-encompassing; we still need to holistically secure the systems and data that we use and ensure our security plans fully address organizational needs. An old security adage: Compliant doesn’t mean Secure.
An appropriate backup strategy is an important part of protecting all important business information and systems. Protecting the backup information should include locating the backups away from the systems in use. If an event is significant enough to somehow damage the operational systems, we wouldn’t want that same incident to render the backups unusable as well. A rainstorm might flood a data center, or a ransomware attack might encrypt all active data and connected system data.
NIST Compliant Services
At Assured Bridge, we help meet NIST SP 800-171 compliance objectives by regularly backing up your stored CUI. These backups are both encrypted to protect confidentiality and integrity, and stored separately to ensure availability. We also execute rehearsal restorations to validate that the backups can be effectively restored should the need arise.
For World Backup Day, closely review your inventory of sensitive and valuable information and enable backups to somewhere safe. Watch our Twitter feed for more hints and tips.
References cited in this post:
- World Backup Day http://www.worldbackupday.com
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
- Compliance is not Synonymous with Security https://www.securityweek.com/compliance-not-synonymous-security