Backup Management Policy
1. Background and Purpose:
The purpose of this policy is to define controls to safeguard MRC against loss of data and to recover from a hardware failure, data corruption, disaster or a security incident. This policy establishes an effective and consistent approach for appropriately protecting the confidentiality, integrity and availability of information assets in accordance with their importance to MRC.
A well thought out policy is essential for Melbourne Racing Club, its subsidiaries and related entities (“MRC”) to ensure MRC’s meets its business continuity objectives and the legal, regulatory and contractual requirements.
2. Scope
This policy applies throughout MRC. It applies to all employees of MRC, whether permanent, temporary, casual, part-time or on fixed-term contracts employees who create, manage or use data that is owned, managed or stored by MRC. The policy also applies to anyone, including third parties, who manage or have responsibility for systems or data stored on systems within MRC.
Additionally, this policy applies to all those within MRC who have responsibilities for management and/or co-ordination of services which may be provided externally by a third party in a cloud-based environment.
3. Policy
This policy defines specific controls for implementing a consistent and effective approach to backing up essential data, software and system assets, in order to provide MRC with recovery capabilities in case of loss or corruption of data occurs.
3.1. Roles and Responsibilities
- IT department is responsible for maintaining the backup solution infrastructure, performing backup and restoration as per business need or user request and performing restoration tests;
- Data custodians are responsible for ensuring that appropriate backup schedules are arranged with MRC’s IT department. Additionally, MRC staff with responsibility for production and management of data must ensure business critical data under their control is included in the MRC Backup plan;
- All users within MRC have responsibility for the management and protection of data under their control. They should ensure that all business data is stored on a recognised MRC server or MRC provided assets; for example data stored on MRC SharePoint.or Teams.
- Users / Data owners/Custodians are responsible for initiating and performing restoration tests including verification of integrity and usability of their data.
3.2. Backup Criteria
MRC must use the below criteria for defining the backup requirements:
- Business requirements;
- Security requirements;
- Criticality of the data;
- Frequency of the backup;
- Recovery time constraints;
- Retention of backup; and
- Legal, regulatory and contractual requirements.
Additionally, MRC should consider backing up the following:
- Operating system files;
- Application files;
- Data files;
- Configuration files;
- Database; and
- Application and/or Security Logs.
3.3. Backup Process for servers
- The servers and other systems that are part of the backup plan must be maintained in either the Configuration Management Database or the inventory register of all assets;
- Backup methods and frequency must be based on functional owner or the asset owner’s requirement;
- In the absence of a requirement from functional or asset owners, backup schedules should be decided by the General Manager of Technology;
- Backups must be checked for their completeness and integrity;
- Backup retention requirements must be defined based on business as well as legal, regulatory and contractual requirements;
- Backup methods and schedule must be maintained in the day to day backup schedule;
- Backup schedule must be monitored daily for successful and failed jobs. Failed jobs must be re-initiated by the responsible team;
- A backup record must be kept, including what data has been backed up, when the backup has been performed, and which media contains the backup and where it is physically located.
3.4 Backup Process for User Data
- All users must ensure that important organisational data is stored on a recognised MRC data server and not on personal computers or workstations as these are not backed up. E.g. MRC Sharepoint.
3.5 Recovery
- Recovery of data from backups may be required in the following scenarios:
o When users lose data or have their data corrupted;
o When data on the IT system (application/database etc) gets corrupted;
o As part of restoration tests;
o After a system failure or a disaster.
- Recovery procedures for the restoration of data must be maintained and up to date;
- Testing of recovery procedures must be undertaken yearly to ensure that backup data can be restored in an emergency or disaster situation;
- A record of backup and recovery testing must be maintained;
- Data restoration from backup is subject to the retention and granularity periods defined for that particular classification of data by the functional /asset owners or the IT department.
3.6 Storage of Backup Data
- Backed up data must be stored online as well as offline;
- Backups should not be stored in the same building as the live data or system. MRC should strive to ensure geographically diverse locations between the primary data/systems and their backup;
- Online data must be stored using the storage technology that is part of the backup infrastructure;
- All Backup media must be clearly labelled;
- Offline data written on backup media must be stored at the secure offsite facility. The frequency of storage and recycling of media should be decided based on the recovery objectives;
- Inventory of the backup media must be maintained along with details such as when the backup media was created, taken offsite, approvals obtained, brought back onsite, rotation cycle etc; Backup media must be transported securely by offsite storage vendor or by MRC.
3.7 Security of Backup
- Logical and Physical access to backups must be restricted and provided to authorised individuals only;
- Backups must be protected from accidental overwriting by using the same level of protection as for live data and by defining criteria for reuse (rotation) of backup media;
- Security of the backup data must be maintained at the same level as production data with controls such as authentication, access restrictions, auditing, encryption of confidential information and integrity checks;
- Security controls must be considered against environmental and physical threats;
- Environmental conditions like dust, humidity, fire etc. should be considered while selecting backup location;
- Physical security of backup devices and media must be considered in order to prevent damage, theft and/or vandalism;
- For critical applications, a copy of the backup must be stored off-site and/or replicated SAN and/or in the Disaster Recovery (DR) site;
- Security controls must be considered during transit (offsite location transport and/or replication to Disaster Recovery (DR) site);
- Backup media must be stored in accordance with the manufacturer specifications.
3.8 Backup Technology
- Certain types of backup media, such as magnetic tapes, have a limited functional lifespan. After a certain time in service the media can no longer be considered dependable. When backup media is put into service the date must be recorded on the media. The media must then be retired from service after its time in use exceeds manufacturer specifications;
- IT department must maintain a compatibility register and appropriately upgrade the infrastructure or replace the stored backup media to ensure mechanisms exists to recover data from the stored media, when the requirement arises.
4. Applicability of Other Policies
- Disaster Recovery Policy;
- Systems Handling Policy;
- Information Security Policy; Risk Management Policy.
5. Key Legislation, Acts & Standards
- ISO/IEC 27002:2023 standards – Information Technology security techniques – Code of practice for information security controls – https://www.iso.org/standard/75652.html;
- ISO/IEC 27001:2022 standards- Information Technology – Security Techniques – Information security management systems –Requirement – https://www.iso.org/standard/82875.html;
- Detailed business record-keeping requirements - https://www.ato.gov.au/Business/Recordkeeping-for-business/Detailed-business-record-keeping-requirements;
- Australia Cyber Security Centre (ACSC) – Guidelines for System Management – March 2023 – https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-system-management.
6. Enforcement
Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities are suspected, MRC may report such activities to the applicable authorities. If any provision of this policy is found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
7. Review
This Policy is recommended to be reviewed in biennially.[1]
8. Further assistance
For advice and assistance on policy matters please direct your enquiries to MRC’s IT Department via itsupport@mrc.net.au.
9. Glossary of Terms/Definitions:
Term
Definition
Backup
Backup copies are created at defined intervals and regularly tested.
Backup media
Any storage devices that are used to maintain data for backup purposes. These are often magnetic tapes, CDs, DVDs, or hard drives.
SAN
A storage area network (SAN) or storage network is a computer network which provides access to consolidated, block-level data storage. SAN can create an image copies by mirroring a production disk to another disk inside the storage array. That way, backups can be made without impacting the performance of the production disk
Storage
Secure data storage by implementing controls
Term
Definition
User Data
Any MRC member, customer, staff member, partner, contractor or any other person whose data is in the possession of MRC.
[1] Review date is recommended only. Should this Policy have not been reviewed or updated by its review date, this Policy shall still remain in force and does not expire.