3.2 Information Security Preventative Controls
that your backup procedures enable an efficient restore to the most recent
backup state, such as the end of the previous business day, for each of your
key systems. It is also imperative that you safeguard the backup tapes or
disks for such systems. Typically, this is done through an offsite storage
facility. In many cases, critical business data are replicated or stored in a
different region to ensure continuation or resumption of business in the
case of a catastrophic disaster. You should also perform a restore on a
periodic basis to ensure that these procedures continue to support a timely
recovery, and modify your procedures if the results indicate it is necessary.
Eliminate procedures that are too general, requiring ad hoc decisions that
could cause problems, and ensure that the procedures consider the specific
environment involved.
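One way to carry out the periodic restore test described above, as an added example that is not from the original text. It assumes a gzip-compressed tar archive and a SHA-256 manifest recorded at backup time; the function names and sample data are hypothetical.

```python
import hashlib, shutil, tarfile, tempfile, zlib
from pathlib import Path
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source_dir, archive_path):
    """Archive source_dir; return {relative path: sha256} recorded at backup time."""
    source_dir, manifest = Path(source_dir), {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest

def restore_drill(archive_path, manifest, scratch_dir):
    """Restore into scratch_dir, never over live data; return sorted findings ([] = valid)."""
    scratch, problems = Path(scratch_dir).resolve(), []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                target = (scratch / member.name).resolve()
                if not member.isfile() or scratch not in target.parents:  # files inside scratch only
                    problems.append(f"unexpected entry: {member.name}")
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    for rel, digest in manifest.items():
        if not (scratch / rel).is_file():
            problems.append(f"missing: {rel}")  # partial restore
        elif sha256_file(scratch / rel) != digest:
            problems.append(f"corrupt: {rel}")  # invalid restore
    return sorted(problems)

def demo():
    """Constructed sample data: back up one file, then run the drill on it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, archive = Path(tmp, "live"), Path(tmp, "eod.tar.gz")
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        return restore_drill(archive, make_backup(live, archive), Path(tmp, "scratch"))
```

Any non-empty result from `restore_drill` is a failed drill and a reason to revise the backup or restore procedure before it is needed for a real recovery.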
The corruption or loss of data following an interruption to normal
processing can disrupt operations and delay business processing. You should
always create backup files periodically throughout general working hours to
enable a rapid recovery to an earlier version, if needed. It is also important
to ensure that recovery from disruptions to transaction processing systems
is fully tested to verify that transactions cannot be lost.
3.2.2 Backing up Data on Portable Computers
Data of significant value held on a laptop computer may be lost due to
an internal system failure. It is important that data held on portable
computing devices be backed up as a means to protect against loss. All
computer systems, including portable computers and their associated data
files, must have agreed backup and restore procedures for the data files. It
is important to require the user of a portable computer to be personally
responsible for backing up stored data and synchronizing it with the
central system, and to enforce that requirement.
3.2.3 Managing Backup and Recovery Procedures
End-of-day backup files are critical in maintaining the ability to restore
either the whole system or selected data files to a specified end-of-day
position. The procedures used to initiate such a recovery must be clearly
documented and tested, because the information security implications of an
inappropriate or incorrect file restore are significant. If the restore
procedures have not been tested, a partial or invalid restore can corrupt the
entire system, which may have a partial or significant negative effect on
(and possibly terminate) business operations. Inadequate or nonexistent
backup procedures may compromise an organization’s business processes