I work for a 5,000 public institution and I would like to confirm whether
there are regulations that dictate data backup should be performed on tapes
and stored off-site? How often should backups be performed?
The discussion here is that a co-worker would like to adopt disk-to-disk
backups in the data center (which I agree with) and perform only backups on remote
locations connected via fiber for DR purposes.

My point is that backing up to remote locations doesn't cover threats from
cyberattacks or virus outbreaks. I mean, in my view, in addition to a data
backup on disk, there are still reasons to perform a data backup on a
portable medium such as tape to assure that such data is clean and out of
range of virus or cyber-attack events.

In addition, if it is determined that a data backup to tape is necessary,
such co-worker would like to perform a tape backup only once a month.

Does Sarb-Oxley handle such data backup requirements? Please advise.
Let me know what you think.

Re: Which regulation governs data backup retention ? by Joe

Joe
Wed Jan 26 23:16:15 CST 2005

You really should contact your institution's lawyers. No info here would be good
enough to make this decision as it wouldn't stand up anywhere if a court didn't
agree.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Marlon Brown wrote:
> I work for a 5,000 public institution and I would like to confirm whether
> there are regulations that dictate data backup should be performed on tapes
> and stored off-site? How often should backups be performed?
> The discussion here is that a co-worker would like to adopt disk-to-disk
> backups in the data center (which I agree with) and perform only backups on remote
> locations connected via fiber for DR purposes.
>
> My point is that backing up to remote locations doesn't cover threats from
> cyberattacks or virus outbreaks. I mean, in my view, in addition to a data
> backup on disk, there are still reasons to perform a data backup on a
> portable medium such as tape to assure that such data is clean and out of
> range of virus or cyber-attack events.
>
> In addition, if it is determined that a data backup to tape is necessary,
> such co-worker would like to perform a tape backup only once a month.
>
> Does Sarb-Oxley handle such data backup requirements? Please advise.
> Let me know what you think.
>
>

Re: Which regulation governs data backup retention ? by Roger

Roger
Wed Jan 26 23:07:06 CST 2005

I do not think SOX dictates backup procedures and policies,
although it does have implications for the securing of these
when they hold covered private data.

Check your state laws however. Here (at one of the 10 largest
North American Us) the state laws once implied that due to the
public records and sunshine laws, backups of things like email
had to be retained (retained. period. as in forever).

Onsite and offsite, each have their uses and advantages. Both
may fail to protect against some data losses if the retention policy
and the backup frequency are not coordinated (and that assumes
the backups are all usable when needed).

If you are speaking of an AD environment, monthly full is by no
means anywhere close to adequate. In the off-the-shelf settings
a backup cannot be older than 60 days if it is to be of use for AD
authoritative restore.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:OzgUh3$AFHA.2792@TK2MSFTNGP15.phx.gbl...
> I work for a 5,000 public institution and I would like to confirm whether
> there are regulations that dictate data backup should be performed on tapes
> and stored off-site? How often should backups be performed?
> The discussion here is that a co-worker would like to adopt disk-to-disk
> backups in the data center (which I agree with) and perform only backups on remote
> locations connected via fiber for DR purposes.
>
> My point is that backing up to remote locations doesn't cover threats from
> cyberattacks or virus outbreaks. I mean, in my view, in addition to a data
> backup on disk, there are still reasons to perform a data backup on a
> portable medium such as tape to assure that such data is clean and out of
> range of virus or cyber-attack events.
>
> In addition, if it is determined that a data backup to tape is necessary,
> such co-worker would like to perform a tape backup only once a month.
>
> Does Sarb-Oxley handle such data backup requirements? Please advise.
> Let me know what you think.
>
>