Fayetteville Policies and Procedures  925.0 

Backup and Recovery Systems

  1. Overview
    This policy provides general guidelines to ensure University of Arkansas data and systems settings are stored in on-site and off-site locations and can be recovered in the event of an equipment failure, willful destruction of data, or natural or manmade disaster.  

  2. Purpose
    The purpose of this policy is to ensure university data and systems are backed up and recoverable according to Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) set by individual units.  This policy does not address any applicable data retention or compliance requirements.

  3. Scope
    1. This policy includes all University of Arkansas IT systems, such as file servers, firewalls, network switches, and applications. IT systems do not include individual workstations and devices.  
    2. The teams responsible for IT systems are accountable for managing the infrastructure, backup, and recovery of data and systems.
    3. Persons responsible for university data are obligated to develop and document the RTOs, RPOs, and backups of the data.
    4. Due to the nature of backup technology, mission critical data that requires high availability cannot be protected by backups only.  Implementation of a backup strategy should consider how much data loss can be tolerated and how much recovery time will be acceptable.

  4. Definitions
    1. University data: Data related to the mission of the university, including faculty, staff, student, and university business.
    2. Recovery Time Objective (RTO): The maximum length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.
    3. Recovery Point Objective (RPO):  The prudent frequency of backups, considering cost and the likely impact of data lost during an emergency or event.  
    4. Appropriate backup plans:  System and procedures to back up a unit’s data in compliance with this policy and the responsible unit’s RTOs and RPOs.

  5. Policy
    1. General Requirements
      1. University systems are backed up in a manner sufficient to restore any or all data and systems to the agreed upon RTO and RPO.
      2. Randomized backups and data restoration should be tested at least annually to ensure that the backup systems are sufficient and reliable.
      3. Backup systems and backup media should protect the confidentiality, integrity, and availability of stored data.
      4. University units that do not have their own compliant backup systems should work with the Office of the Chief Information Security Office (CISO) to develop backup systems and procedures.
      5. Each unit will maintain written procedures that enable unit personnel to recover university data and/or systems in the event of an emergency.
      6. University data should be stored in locations that are backed up.
    2. Responsibilities
      1. Each unit is responsible for establishing RTOs and RPOs in conjunction with data users and owners for all university data that is collected, stored, or maintained by the unit
      2. Backup administrators and data stewards should verify that there are appropriate backup plans for data that is used by the unit but is collected, stored, or maintained by others.
      3. Unit backup administrators are responsible for implementing backup systems and processes to ensure that RTOs and RPOs can be met for all data collected, stored, or maintained on unit information systems. Backup administrators are responsible for documenting backup system operation and testing recovery capability. The unit’s IT leadership and the Office of the CISO are responsible for implementing systems and specifications to facilitate unit compliance with this policy.
      4. IT Services is available to assist departments in complying with these requirements.

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    A Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices. Code of Computing Practices | VCFA | University of Arkansas (uark.edu)

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

  9. References
    NIST Special Publication 800-53 Revision: Security and Privacy Controls for Information Systems and Organizations, https://doi.org/10.6028/NIST.SP.800-53r5 

June 20, 2022