7.7. PERIODIC BACKUPS

As mentioned in the Insurance Coverage section, procedures should be in place to perform periodic (daily, weekly, monthly) backups of system software, application programs, and data, as well as storage and rotation of the backup media (e.g., magnetic tapes, disks, compact disks [CDs]) to a secure off-site location. Daily backups are usually necessary only for data, since the application programs and system software do not change significantly. Full backups of the entire system, including system software, application programs, and data, should be performed weekly or monthly, depending on the number and types of changes that have been made. Full system backups should also be performed on completion of a major upgrade or significant changes to the operational and security parameters of a system.

Logs should be maintained to document that backups have been performed and that the backup media have been transported to the off-site location. The auditor should visit the off-site storage facility to evaluate the adequacy of its physical security controls. If the off-site storage facility is a vendor, the contract should be examined to ensure that the vendor agrees to reimburse the client organization for any losses or damages that occur as a result of the backup media's being lost or stolen while under the control of the vendor.
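The log review described above can be partly automated. The following is an added example, not taken from the book: it assumes a hypothetical log layout (run date, backup type, date the media was recorded at the off-site location) and a constructed sample log, and reports days with no backup, runs with no off-site transport record, and days on which a full backup was overdue.

```python
from datetime import date, timedelta

# Constructed sample log, one row per backup run (layout is an assumption):
# (run date, "data" or "full", date media was logged at the off-site location, or None)
SAMPLE_LOG = [
    (date(2024, 3, 1), "full", date(2024, 3, 2)),
    (date(2024, 3, 2), "data", date(2024, 3, 3)),
    (date(2024, 3, 3), "data", None),               # backup ran, no transport record
    # 2024-03-04: no backup logged at all
    (date(2024, 3, 5), "data", date(2024, 3, 6)),
    (date(2024, 3, 6), "data", date(2024, 3, 7)),
    (date(2024, 3, 7), "data", date(2024, 3, 8)),
    (date(2024, 3, 8), "data", date(2024, 3, 9)),   # weekly full backup was due here
    (date(2024, 3, 9), "full", date(2024, 3, 10)),
    (date(2024, 3, 10), "data", date(2024, 3, 11)),
]


def audit_backup_log(log, start, end, full_interval_days=7):
    """Check every day in [start, end] against the backup policy.

    Policy assumed here: some backup every day, a full backup at least every
    full_interval_days (7 for weekly, about 30 for monthly), and an off-site
    transport record for every run.
    """
    runs = {}
    for run_date, kind, offsite in log:
        runs.setdefault(run_date, []).append((kind, offsite))

    findings = {"no_backup": [], "no_offsite_record": [], "full_overdue": []}
    last_full = None
    day = start
    while day <= end:
        todays = runs.get(day, [])
        if not todays:
            findings["no_backup"].append(day)
        if any(offsite is None for _, offsite in todays):
            findings["no_offsite_record"].append(day)
        if any(kind == "full" for kind, _ in todays):
            last_full = day
        # Overdue: no full backup yet, or the last one is a full interval old.
        if last_full is None or (day - last_full).days >= full_interval_days:
            findings["full_overdue"].append(day)
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    result = audit_backup_log(SAMPLE_LOG, date(2024, 3, 1), date(2024, 3, 10))
    for finding, days in result.items():
        print(finding, [d.isoformat() for d in days])
```
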

Most off-site storage vendors require each client organization to supply a list of authorized individuals who are allowed access to the organization's ...
