Policy Number: IT-17
Date Drafted: 12/30/2002
Date Posted for Review: 05/06/2003
Approved Date: 11/02/2005
Revision Date: 10/28/2005
Revision Date: 02/12/2013
Description: Minimum requirements for the creation and retention of computer data backups.

All electronic information which is a "UI record" as defined in the University Operations Manual Chapter 17.3 Records Management Program (hereafter referred to as UI records for the purpose of this policy) must be copied onto secure storage media on a regular basis (i.e., backed up), for the purpose of disaster recovery and business resumption. This policy outlines the minimum requirements for the creation and retention of backups. Special backup needs which exceed these minimum requirements should be accommodated on an individual basis.

Scope:
Data custodians are responsible for providing adequate backups to ensure the recovery of electronic information (includes UI Records and software) in the event of failure. These backup provisions will allow University business processes, including the research enterprise, to be resumed in a reasonable amount of time with minimal loss of data. Since failures can take many forms, and may occur over time, multiple generations of backups should be maintained.
Federal and state regulations pertaining to the long-term retention of information (e.g., financial records) will be met using separate archive policy and procedures, as determined by the Business Owner of the information, and in accord with the Records Management Program. Long-term archive requirements are beyond the scope of this policy.

Policy Statement:

  • Backups of all UI records and software must be retained such that computer operating systems and applications are fully recoverable. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.
  • The frequency of backups is determined by the volatility of data; the retention period for backup copies is determined by the criticality of the data. At a minimum, backup copies must be retained for 30 days.
  • At least three versions of UI Records must be maintained.
  • At a minimum, one fully recoverable version of all UI Records must be stored in a secure, off-site location. An off-site location may be in a secure space in a separate University building, or with an off-site storage vendor approved by the Information Security and Policy Office. The practice of taking backup media to the personal residence of staff persons is not acceptable. (See Appendix A for a list of approved off-site storage facilities.)
  • Derived data should be backed up only if restoration is more efficient than creation in the event of failure.
  • All UI Record information accessed from workstations, laptops, or other portable devices should be stored on networked file server drives to allow for backup. UI Record information located directly on workstations, laptops, or other portable devices should be backed up to networked file server drives. Alternatively, UI Record information located directly on workstations, laptops, or other portable devices may be backed up using a third-party vendor approved by the Information Security and Policy Office. (See Appendix A for a list of approved desktop backup services.) Convenience records and Non-records, or other information which does not constitute a UI Record, do not carry this requirement.
  • Required backup documentation includes identification of all critical data, programs, documentation, and support items that would be necessary to perform essential tasks during a recovery period. Documentation of the restoration process must include procedures for the recovery from single-system or application failures, as well as for a total data center disaster scenario, if applicable.
  • Backup and recovery documentation must be reviewed and updated regularly to account for new technology, business changes, and migration of applications to alternative platforms.
  • Recovery procedures must be tested on an annual basis.

Related Policies, References and Attachments:
University Operations Manual, Records Management Program (Chapter 17.3)
Roles and Responsibilities for Information Security
Institutional Data Access Policy
How to register your system(s) in the Uiowa System Registry (USR)
Disaster Recovery and Business Continuity Planning

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.

They are incorporated into the University Operations Manual (http://opsmanual.uiowa.edu/) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).

Appendix A: Approved Facilities and Services:

Off Site Storage Facilities: Advantage Records Management & Storage (any UI system) (http://www.advantagerms.com)
Desktop Backup Services: Departmental File Servers Connected (Iron Mountain, Inc.)