CP-09 Information System Backup

Contingency Planning

Low Moderate High

Description

The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.

Supplemental Guidance

The frequency of information system backups and the transfer rate of backup information to alternate storage sites (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the FIPS 199 impact level. An organizational assessment of risk guides the use of encryption for backup information. The protection of system backup information while in transit is beyond the scope of this control. Related security controls: MP-4, MP-5.

Changes from Rev 4

Title changed from 'Information System Backup'
Parameter added for conducting backups of user-level information contained in specific system components
Removes restrictive control text ‘at storage locations’
Discussion expanded

Enhancements


Compliance Mappings

ISO 27002:2022

8.13

COBIT 2019

APO14.10, DSS04.07

CIS Controls v8

11.2

NIST CSF 2.0

PR.DS-11

SOC 2 TSC

A1.2, A1.2-POF7, A1.2-POF8, CC7.5

ISO 17799 (legacy)

10.5.1, 11.7.1

COBIT 4.1 (legacy)

DS4.2, DS4.9, DS11.5