PURPOSE:
This Backup Policy outlines the standards and procedures for backing up Idaho College of Osteopathic Medicine (ICOM) critical data and systems. The purpose of this policy is to ensure the availability and recoverability of essential institutional information assets in the event of data loss, system failures, disasters, or other disruptive events. This policy aims to minimize data loss, reduce downtime, and ensure business continuity, supporting the institution's mission and compliance obligations.
SCOPE:
This policy applies to all critical data and systems owned, leased, or managed by ICOM, including but not limited to:
- Data:
- Student records and academic data
- Financial data
- Protected Health Information (PHI)
- Research data
- Institutional business records
- Databases
- Critical application data
- Configuration data for essential systems
- Systems:
- On-premises servers (if applicable)
- Endpoint devices (desktops, laptops, servers, mobile devices) - focusing on locally stored critical data (if any)
- Network infrastructure devices (configuration backups)
- SaaS Applications (with specific focus on data backup and export)
This policy applies to all individuals responsible for managing, using, or having custody of critical data and systems, including but not limited to:
- IT Department
- Data Owners
- Data Custodians
- System Administrators
- Departmental Staff responsible for data management
DEFINITIONS:
- Backup: A copy of data or systems made for the purpose of recovery in the event of data loss or system failure.
- Critical Data and Systems: Information assets and IT systems that are essential for the continued operation of ICOM and the achievement of its mission. The loss or unavailability of these assets would have a significant negative impact on the Institution.
- Data Integrity: The accuracy, completeness, and consistency of data. Backups aim to preserve data integrity.
- Disaster Recovery (DR): The process and procedures for recovering IT infrastructure, systems, applications, and data after a disruptive event or disaster. The Backup Policy supports the overall Business Continuity and Disaster Recovery Plan.
- Offsite Backup Storage: A location for storing backup data that is geographically separate from the primary data location. This is crucial for protection against site-wide disasters.
- Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured in time, from a disruptive event. It represents the point in time to which data must be recovered.
- Recovery Time Objective (RTO): The maximum acceptable length of time that a system or application can be down after a disruption before negatively impacting the business. It represents the targeted time within which services must be restored.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis. Backup responsibilities for SaaS data are often shared between the vendor and the institution.
- Service Level Agreement (SLA): A contractually agreed-upon set of metrics that define the expected level of service provided by a vendor, including aspects like uptime, performance, and data recovery capabilities.
- Backup Media: The physical or virtual storage used to store backup data (e.g., tapes, disks, cloud storage).
- Backup Retention: The period of time for which backup data is stored before being overwritten or deleted, based on legal, regulatory, and business requirements.
- Restore: The process of retrieving and recovering data or systems from a backup.
POLICY:
Identification of Critical Data and Systems: The Information Technology Office, in collaboration with Data Stewards, will identify and classify critical data and systems that require regular backup. This classification will be based on data sensitivity, business impact, and recovery time objectives (RTOs) and recovery point objectives (RPOs).
Backup Frequency and Scheduling: Critical data and systems will be backed up with sufficient frequency to meet established RPOs. Backup schedules will be determined based on data criticality and change frequency, with more frequently changing and critical data backed up more often.
Backup Media and Storage: Backups will be stored on reliable and appropriate media, ensuring data integrity and security. Backup storage solutions will be geographically diverse from primary data locations to protect against site-wide disasters. Consideration will be given to:
- On-site backup storage (for rapid restores, if applicable and secure)
- Off-site backup storage (for disaster recovery)
- Cloud-based backup solutions (for scalability and off-site protection)
- Vendor-provided backup solutions for SaaS applications (understanding vendor responsibilities)
Backup Retention: Backup data will be retained for a defined period based on legal, regulatory, and business requirements, as described in the Data Retention Schedule. Retention periods will be documented and consistently applied.
Backup Validation and Testing: Backup processes will be regularly tested and validated to ensure backups are successful, complete, and restorable. Restore testing will be conducted at least annually for critical systems and data to verify recovery procedures and meet RTOs. Test results will be documented and reviewed.
Backup Security: Backup data must be protected with appropriate security controls to maintain confidentiality and integrity. This includes:
- Physical security of backup media and storage locations.
- Logical access controls to backup systems and data.
- Encryption of backup data both in transit and at rest (where feasible and applicable).
Backup for SaaS Applications: Recognizing that data within SaaS applications is primarily the vendor's responsibility for infrastructure backup, the institution will:
- Vendor Due Diligence: As part of SaaS vendor selection and onboarding, thoroughly evaluate the vendor's backup and disaster recovery practices, service level agreements (SLAs), and data recovery capabilities following the Third-Party Vendor Management Policy.
- Data Export and Extraction: If possible and feasible, establish procedures for regularly exporting or
extracting critical data from SaaS applications in a usable format, as a secondary backup measure and
for data portability and archival purposes. [Specify frequency and methods for data export - e.g.,
weekly data exports to secure institutional storage]. - Vendor Backup Verification: Periodically request and review documentation from SaaS vendors demonstrating their backup procedures, retention policies, and disaster recovery testing. Disaster Recovery Integration: This Backup Policy is a component of the institution's overall Business Continuity and Disaster Recovery Plan. Backup and restore procedures will be aligned with disaster recovery objectives and procedures.
Roles and Responsibilities: Clear roles and responsibilities for backup activities will be defined and assigned, including:
- Data Stewards: Identifying critical data, defining RTO/RPOs, and participating in data validation.
- System Administrators: Implementing and managing backup schedules, monitoring backup jobs, performing restores, and maintaining backup infrastructure.
- Information Technology Office: Overseeing backup security, policy compliance, and coordinating disaster recovery planning.
POLICY EXCEPTIONS:
Exceptions to this policy may be granted in limited circumstances by the Chief Information Officer, with appropriate justification and compensating controls documented.
ENFORCEMENT:
Enforcement of this Backup Policy is the responsibility of all managers, supervisors, Data Stewards, and System Administrators, under the overall direction of the Chief Information Officer. Violations of this policy, particularly those that jeopardize data recoverability or business continuity, may result in disciplinary actions, up to and including termination of employment or access privileges. Regular audits of backup practices and restore testing will be conducted to ensure policy compliance.
POLICY REVIEW AND UPDATES:
This Backup Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, regulations, institutional risk assessments, business needs, or best practices in data backup and recovery. The Information Technology Office is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual