Systems Backup Policy

1.Introduction

This policy forms part of Aberystwyth University’s (AU) Information Security Policy

 

This policy is primarily concerned with the backup of systems and data in relation to business continuity and disaster recovery contexts. Best efforts will be made to restore data e.g. for user deleted files. Unless specifically stated otherwise, the policy relates to on-site storage.

1.1 Objectives

The University, and Information Services specifically, are expected to:

  • take responsibility, ownership, and stewardship of all data held on its systems
  • follow legal, regulatory and compliance needs
  • ensure the appropriate levels of confidentiality are applied to data
  • ensure the integrity of data (that data is accurate, complete, and up-to-date)
  • ensure the availability of data (that data is accessible whenever it is required by appropriate members of the University).

Secure defenses and effective data management procedures are at the forefront of protecting the University’s data, and Information Services will work with Estates and other services departments to ensure that all necessary mitigating factors are employed to ensure the above objectives. These include effective continuity of power supply, air conditioning and fire suppression systems.

However, to accomplish the above objectives, secure, reliable, and robust backup and storage facilities are also required and need to be effectively managed. The policy below sets out the basic retention principles and periods for data held on Information Services’ main systems.

1.2 Scope

This policy covers all data held by Information Services systems, which may include: -

  • research data,
  • learning and teaching data,
  • administration and management information data
  • centrally-held user data

It does not cover data held by individuals, on local servers managed by Departments or Institutes, individual PCs in staff offices, or data stored on removable devices owned by Departments or Institutes.

It should be noted that backup policies relating to third party solutions (e.g. Panopto, Microsoft  365) are reliant on specific agreements and may differ from those applied by Information Services.

 

2. Core Policy

2.1 Information Services centrally stores and backs up the key data and data upon which the University relies. Backup procedures and archiving retention periods correspond to sector best practice, to overlying legal requirements and are also shaped by local requirements informed by the University’s business objectives, those being, primarily, research, learning and teaching, and associated administrative requirements.

2.2 The University maintains backups of data, logging information, and applications and systems software held on central administrative, academic and infrastructure servers. Data is backed-up daily, with backups held remote from the original copies on disk on computers in separate datacenters. All administrative and infrastructure systems are backed up to tape on a weekly basis.

 

2.3   Below is a summary of the backup/archiving details:

  • Backups of AU data, as defined in 1.2 above, are performed daily
  • Backups are retained for a minimum of 90 days before being deleted
  • Backups are run overnight, where possible, minimising the impact of service provision during the day
  • Backups are retained in at least 3 separate physical locations
  • Backups are stored in secure locations, and limited number of authorised personnel have access
  • Decisions relating to requests for backup data will be taken by IS staff in consultation with the Director of Information Services and the AU Data Protection Officer

2.4 Service recovery and testing

  • Restores are performed on a regular basis, as needed
  • Test restores of several key systems will be performed annually. This test will be to make sure that staff know the required procedures, and to validate the integrity of the backups
  • Records of all test restores will be maintained for audit and other purposes

These Regulations are maintained by Information Services, were last reviewed in August 2023 and are due for review in August 2025