Procedure P4-004K: Backup and Recovery

Revision 0. Effective date: November 6, 2024

  1. Purpose and Scope
  2. Definitions
  3. Procedure
  4. Policies/Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose.

      The purpose of this Backup and Recovery Procedure is to outline the Asset backup and recovery process for all University administrative units, including colleges, divisions, departments, and centers.

    2. Scope.

      The scope of this procedure is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This procedure supports Section K, titled Backup and Recovery, of the University of Utah Information Security Policy 4-004.

  2. Definitions

    The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

  3. Procedure

    1. For the Assets for which they are responsible, IT managers shall:

      1. create a backup and recovery plan that, at a minimum, includes:

        1. all federal, state, and local laws, regulations, and statutes, as well as contractual obligations applicable to the Asset, including retention requirements;

        2. backup schedule;

        3. physical storage location;

        4. the appropriate Information System Media (e.g., external hard drives, network-attached storage (NAS), and cloud storage);

        5. the order in which data should be restored; and

        6. documentation for the entire backup and recovery process, including step-by-step instructions, ensuring all IT Technicians who will implement the plan have access to the documentation and any other relevant information.

      2. at least annually, assess and update the backup strategy to accommodate changes in data volume, storage options, and/or technological advancements to ensure the effectiveness of the backup and recovery plan; and

      3. in consultation with the applicable data owner, determine the backup frequency based on the prevalence of data changes and the acceptable level of data loss.

    2. IT Technicians shall implement the backup and recovery plan by following these steps:

      1. maintain a current and accurate Asset inventory;

      2. select the appropriate backup method, which could include full backups, incremental backups, and differential backups;

      3. implement automated backup processes to ensure regular and consistent backups, utilizing backup software or built-in operating system tools to schedule and automate the backup process;

      4. make the backup immutable to ensure data integrity;

      5. safeguard the backup data by employing Encryption techniques to protect it from Unauthorized Access;

      6. at least quarterly, perform tests to ensure that Information Assets can successfully be restored from the backups to guarantee their effectiveness in case of data loss or system failure;

      7. store at least one copy of the backups in an off-site location (e.g., cloud storage) to mitigate the risk of data loss due to physical damage or disasters affecting the primary location; and

      8. at least weekly, monitor the backup process to ensure it runs smoothly without any errors or interruptions and review backup Logs and reports to identify and promptly address any issues.

    3. For more specific implementation requirements, please access Procedure P4-004L and Procedure P4-004J.


      Sections IV-VII are for user information about this procedure.


  4. Policies/Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Policies/Rules.

      1. Policy 4-004: University Information Security Policy

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources.

  5. References

    1. Procedure R4-004J: Log Management and Monitoring

    2. Procedure P4-004L: Media Handling

  6. Contacts

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    Revision History.

    1. Current version. Revision 0.

      1. Approved by Chief Information Security Officer with effective date of November 6, 2024.

    2. Renumbering

      1. Not applicable

Last Updated: 11/6/24