Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.
Ensure systems and data are backed up at an interval that lets the organization restore them within its business requirements. A complete backup captures every file needed to reconstruct a system. Comprehensive backups cover every system the organization has defined as necessary for business effectiveness and/or continuity. Run backups on a regular schedule that meets the organization's needs, and make them resilient to physical disaster and to malicious attack (e.g., ransomware): one approach is to keep at least one system backup off-site and offline, where an attacker who has compromised the network cannot reach it.
Example
You are in charge of IT operations for your organization. As part of your responsibilities, you manage the system that backs up your systems' data, in order to meet the business objectives of your organization. Meeting these objectives helps you manage the loss of data, of data availability, or of data integrity in the event of a cyber incident. For example, you may conduct incremental backups nightly and full system backups every Friday evening after business hours. You store your full system backups offline at a different location from your other systems, which protects them from a cyber event or physical disaster that impacts your primary site.
CIS CONTROLS V7.1
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine.
This practice is based on the following CIS controls:
● 10.1 Ensure that all system data is automatically backed up on a regular basis.
● 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
● 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
CIS Controls v7.1 10.1, 10.2, 10.5
NIST 800-53 Rev 4 CP-9, CP-9(3)
CERT RMM v1.2 KIM:SG6.SP1
RE.3.139.[a] the organization automates its backups where feasible;
RE.3.139.[b] the organization has defined its requirements for the length of time needed to restore resources from backup (recovery time objectives (RTO)), the amount of time between backups (recovery point objectives (RPO)), and the length of time backups need to be retained;
RE.3.139.[c] backup schedules and selection lists reflect documented organization requirements; and
RE.3.139.[d] key systems are backed up in a manner that enables rapid recovery, such as imaging.
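The assessment objectives above, and the discussion's Friday-full/nightly-incremental example, can be turned into a mechanical check of a backup catalog against the organization's documented RPO, RTO, retention and offline-copy requirements. The following is an added example, not text or code from the CMMC guide or from any backup product: the policy values, the catalog schema (BackupRecord and its field names) and the catalog entries are all constructed for illustration, and a real deployment would read the catalog from the backup software instead. It flags the conditions an assessor would look for: RPO exceeded, no recent full/image of a key system, no offline destination, RTO never verified by a restore drill, and history shorter than the retention requirement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupPolicy:
    """Documented requirements for one system (RE.3.139[b], [c]); values are constructed."""
    system: str
    key_system: bool           # in the organization's "comprehensive" set of systems
    rpo: timedelta             # maximum acceptable age of the newest good backup
    rto: timedelta             # maximum acceptable time to restore from backup
    full_interval: timedelta   # maximum time between full/image backups
    retention: timedelta       # how far back copies must be kept


@dataclass(frozen=True)
class BackupRecord:
    """One backup-catalog entry; the field names are assumptions, not a real product's schema."""
    system: str
    kind: str                  # "full" or "incremental"
    finished: datetime
    destination: str
    offline: bool              # unreachable over the network once the job completes
    success: bool
    restore_test_minutes: Optional[int] = None   # measured in the last restore drill, if any


def check_system(policy: BackupPolicy, records: List[BackupRecord], now: datetime) -> List[str]:
    """Return findings for one system; an empty list means the policy is met."""
    findings: List[str] = []
    good = sorted((r for r in records if r.system == policy.system and r.success),
                  key=lambda r: r.finished)
    if not good:
        return [f"{policy.system}: no successful backup in catalog"]

    # RPO: the newest good copy bounds how much data a restore would lose.
    age = now - good[-1].finished
    if age > policy.rpo:
        findings.append(f"{policy.system}: RPO {policy.rpo} exceeded, newest good backup is {age} old")

    # Key systems need a recent full/image so the whole system can be rebuilt quickly (RE.3.139[d]).
    fulls = [r for r in good if r.kind == "full"]
    if policy.key_system:
        if not fulls:
            findings.append(f"{policy.system}: key system has no full/image backup")
        elif now - fulls[-1].finished > policy.full_interval:
            findings.append(f"{policy.system}: last full backup is older than {policy.full_interval}")

    # Resilience to ransomware: at least one good copy must be offline (CIS 10.5).
    if not any(r.offline for r in good):
        findings.append(f"{policy.system}: no offline backup destination")

    # RTO is only known if somebody actually restored from a copy and timed it.
    drills = [r for r in good if r.restore_test_minutes is not None]
    if not drills:
        findings.append(f"{policy.system}: RTO unverified, no restore drill recorded")
    elif timedelta(minutes=drills[-1].restore_test_minutes) > policy.rto:
        findings.append(f"{policy.system}: RTO {policy.rto} exceeded in last restore drill")

    # Retention: the catalog should reach back to the retention horizon.
    # (A newly deployed system trips this legitimately; it is still worth a look.)
    horizon = now - good[0].finished
    if horizon < policy.retention:
        findings.append(f"{policy.system}: retained history {horizon} is shorter than {policy.retention}")
    return findings


def report(policies: List[BackupPolicy], records: List[BackupRecord], now: datetime) -> Dict[str, List[str]]:
    """Findings per system, keyed by system name."""
    return {p.system: check_system(p, records, now) for p in policies}


# Constructed sample: a Monday morning, nightly incrementals, full backups every Friday evening.
NOW = datetime(2024, 3, 11, 8, 0)
POLICIES = [
    BackupPolicy("fileserver", True, timedelta(hours=24), timedelta(hours=4), timedelta(days=7), timedelta(days=7)),
    BackupPolicy("hr-db", True, timedelta(hours=24), timedelta(hours=2), timedelta(days=7), timedelta(days=30)),
]
RECORDS = [
    # fileserver: Friday fulls to offline, off-site media, each followed by a timed restore drill
    BackupRecord("fileserver", "full", datetime(2024, 3, 1, 22, 0), "offsite-tape", True, True, 150),
    BackupRecord("fileserver", "full", datetime(2024, 3, 8, 22, 0), "offsite-tape", True, True, 140),
] + [
    BackupRecord("fileserver", "incremental", datetime(2024, 3, d, 2, 0), "nas-01", False, True)
    for d in range(2, 12)
] + [
    # hr-db: only an online NAS target, stale full, two failed nights, never restore-tested
    BackupRecord("hr-db", "full", datetime(2024, 3, 1, 23, 0), "nas-01", False, True),
    BackupRecord("hr-db", "incremental", datetime(2024, 3, 8, 2, 0), "nas-01", False, True),
    BackupRecord("hr-db", "incremental", datetime(2024, 3, 9, 2, 0), "nas-01", False, False),
    BackupRecord("hr-db", "incremental", datetime(2024, 3, 10, 2, 0), "nas-01", False, False),
]

if __name__ == "__main__":
    for system, findings in report(POLICIES, RECORDS, NOW).items():
        print(system, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

With the constructed catalog, "fileserver" produces no findings, while "hr-db" produces five: its newest good copy is over three days old, its only full is older than the weekly interval, nothing is offline, no restore has ever been timed, and the catalog holds far less than thirty days of history. Note that failed jobs are excluded before any check runs, so a run of failures shows up as an RPO breach rather than being hidden behind the most recent attempt.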