Cyber Policies
Policy 5

Backup and Archive Policy

What: The Backup and Archive Policy establishes an efficient backup and archive process. 

Who: The entire team

Approx. time: Plan a one-hour meeting with the team and assign a person responsible for doing and organizing the backups and archives.


This policy aims to set up a structure for managing backups and archives. This work is extremely important for keeping a record of your past projects and for helping you to recover quickly from a cyberattack or accidental data loss. Poor management can cost time and money. Let’s avoid all that and get to work!

In the previous chapters, we explained the difference between an archive and a backup. Now let’s apply all this information. 

Managing backups

To develop your backup policy, we recommend that you consider the following points: 

  • Which documents/folders are considered backups and are part of your regular operations?
  • Do the backups contain sensitive data? Which ones?
  • Where are the different types of data stored?
  • Have you applied the “3-2-1” strategy? 
    • For which data, folders, or documents?
  • How do you protect the availability, integrity, and confidentiality of confidential data and documents?
  • How do you protect the availability, integrity, and confidentiality of restricted data and documents?
  • Is the retention of the data regulated? (See the regulations under PIPEDA.)
  • Who is responsible for verifying that the data is complete and well organized?
  • What changes do you need to make?

Managing archives

  • Which documents are considered archives?
  • Do the archives contain sensitive data?
  • Where are they stored?
  • Is there one encrypted copy (or several)?
  • Are the archives stored on cloud services?
  • Who is responsible for verifying that the data is complete and well organized?
  • Is the retention of the data regulated? (See the regulations under PIPEDA.)

Checklist

  • Establish a backup schedule.
  • Assign one or two people to be responsible for managing the backups and archives.
  • Establish consistent terminology and an identical organization for all the storage locations.
  • Compile a list of all the storage locations and their respective contents.
  • Apply the security measures based on the security policy (passphrase, encryption, etc.).
  • Test the backup and recovery plan in case of a cyberattack.