Tarleton Office of Innovative Technology Solutions (OITS)
Backup Recovery Standard

Effective: February 11, 2020

Revised: April 25, 2025

Procedure Summary

Routine electronic backups of data and systems are a requirement to enable the recovery of data and applications in case of events such as natural disasters, system disk drive failures, corruption, data entry errors, or system operations errors. The purpose of this standard is to establish the process for the backup and storage of electronic information.

This standard applies to Tarleton State University information resources that contain mission critical information. It provides a set of measures that will mitigate information security risks associated with the backup and recovery of information. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 – Information Security Standards. As per TAC §202.72, an information resource owner that decides not to implement some or all of the standards provided in this SAP must justify and document such exceptions based on information security risk management decisions and/or business functions. The information resource owner must then report any exceptions to these standards to the designated information security officer (ISO)/chief information security officer (CISO).

This SAP applies to all university staff responsible for the support and operation of university information resources that contain mission critical information.

Please see the Tarleton Security Controls Catalog, specifically the Contingency Planning (CP) family, for additional information and requirements.

Procedures and Responsibilities

The frequency and extent of backups shall be determined by the importance of the information, potential impact of data loss/corruption, and risk management decisions by the data owner.
Mission critical information backup and recovery processes for each system, including those for offsite storage, shall be documented and reviewed periodically. Additionally, mission critical data shall be backed up on a scheduled basis and stored off-site in a secure, environmentally safe, locked facility.
Physical access controls implemented at offsite backup storage locations shall meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest sensitivity level of information stored.
Processes must be in place to verify the success of the information resource backups.
Backups shall be periodically tested to ensure that they are recoverable.
Backup media must have identifying criteria that can be readily identified by labels and/or a bar-coding system, which should include, but is not limited to the:
- system name;
- creation date;
- sensitivity classification of mission critical or confidential information based on applicable electronic record retention regulations; and
- departmental information resource contact information.

Definitions

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering Tarleton’s information security functions and reports to the information resources manager (IRM).

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the University or division/unit. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, noncompliance with regulations or legal obligations, or closure of the university or division/unit.