Description

This Control provides a set of procedures for implementing, monitoring, protecting, and testing backup and recovery procedures for high impact information resources (user level, system level, and system documentation including security-related documentation). Operational backups shall not be used as a mechanism for meeting records retention requirements.

Draft Guidance

Altered section 2.1 to clarify the requirements around off-site storage for backup data (fixed to impact level and not data classification).

Applicability

  • This Control applies to high impact university information resources, Essential IT Services, and additional resources as noted. The intended audience is all information resource owners or designees who are responsible for the support and operation of high impact information resources. Based on risk management considerations and business functions, the information resource owner may determine that it would be appropriate to apply the requirements of this Control to information resources not meeting the definition of high impact.

Implementation

  • 1

    Backup and recovery processes for each high impact information resource, including those for off-site storage, shall be documented and reviewed periodically.

  • 2

    Data stored or processed on moderate or high impact information resources shall be backed up on a scheduled basis according to the relevant Business Impact Analysis.

    • 2.1

      Backups for data stored on high impact information resources shall be stored off-site in a secure, environmentally safe facility accessible only to authorized Texas A&M University representatives.

  • 3

    The frequency and extent of backups shall be determined by the potential impact of data loss or corruption and risk management decisions by the information resource owner.

  • 4

    Physical access controls implemented at off-site backup storage locations shall meet or exceed the physical access controls of the original site. In addition, backup information resources must be protected in accordance with the most restrictive classification of data that is being transmitted or stored. (For example, if data classified as confidential is combined with data classified at a lower level, then the protection for all the backed up files must be at the confidential level.)

  • 5

    Where the original data source is required to be encrypted, the backup shall also be similarly encrypted.

  • 6

    Processes must be in place to maintain the confidentiality, integrity, and availability of information resource backups.

  • 7

    The backup process should ensure that the entire volume(s) or system of data stored from the originating information resource(s) is recoverable (i.e., ensure that an entire volume or system can be restored and not just one file). Backup and recovery procedures shall be tested at least annually to ensure that they are viable.

  • 8

    All electronically backed up information resources shall be sufficiently identified and inventoried to enable staff to retrieve and protect data as needed.