This Control provides a set of procedures for implementing, monitoring, protecting, and testing backup and recovery procedures for mission critical information systems (user level, system level, and system documentation including security-related documentation). Operational backups shall not be used as a mechanism for meeting records retention requirements.


  • This Control applies to university information resources that contain mission critical information, Essential IT Services, and additional resources as noted. The intended audience is all information resource owners or designees who are responsible for the support and operation of mission critical information resources. Based on risk management considerations and business functions, the information resource owner may determine that it would be appropriate to apply the requirements of this Control to information resources not meeting the definition of mission critical.


  • 1

    Mission critical backup and recovery processes for each information resource, including those for off-site storage, shall be documented and reviewed periodically. Additionally, mission critical data shall be backed up on a scheduled basis and stored off-site in a secure, environmentally safe facility accessible only to authorized Texas A&M University representatives.

  • 2

    The frequency and extent of backups shall be determined by the potential impact of data loss or corruption and by risk management decisions by the information resource owner.

  • 3

    Physical access controls implemented at off-site backup storage locations shall meet or exceed the physical access controls of the original site. In addition, backup information resources must be protected in accordance with the most restrictive classification of data that is being transmitted or stored. (For example, if non-mission critical data files are combined with mission critical data files, then the protection for all the backed up files must be at the mission critical level.)

  • 4

    Where the original data source is required to be encrypted, the backup shall also be similarly encrypted.

  • 5

    Processes must be in place to maintain the confidentiality, integrity, and availability of information resource backups.

  • 6

    The backup process should ensure that the entire volume(s) or system of data stored from the originating information resource(s) is recoverable (i.e., ensure that an entire volume or system can be restored and not just one file). Backup and recovery procedures shall be tested at least annually to ensure that they are viable.

  • 7

    All electronically backed up information resources shall be sufficiently identified and inventoried to enable staff to retrieve and protect data as needed.