M.7) Perform automated and manual backups

Category:        Periodic

Responsible:   CSR, PSR, CTO

Effort:              2 hours initially, 15 min for manual backups

Based on:       BSI IT Grundschutz M 6.20 / M 6.22 / M 6.32 / M 6.33 / M 6.35 / M 6.36 / M 6.37 / M 6.38 / M 6.49

This online survey showed that around 88% of Internet and software startups already perform data backups, making this the most widely used information security measure. While 88% is a very high number, it says nothing about how thorough and practical those backups actually are. The following points should be considered for data backups:

  • PSR, CSR and CTO should identify all the data which needs to be backed up.
  • PSR, CSR and CTO should define where backups are stored. It is good practice to store them in different locations and on different devices.
  • PSR and CTO should define the product backup strategy.

Result: how often automated database backups need to be performed and whether data redundancy should be part of the product. This depends heavily on the type of application and on the consequences of losing user data.

Example: While it might be acceptable for the running app Runtastic to lose the user data of the last 24 hours (users might be annoyed, but will not switch apps because of this incident), it can be fatal and expensive if online storage services (like Google Drive) or financial applications lose data. So while Runtastic just needs to back up its database every 24 hours, Google Drive might build data redundancy into its product by default, storing every file twice and in different locations.

  • CSR and CTO should define the corporate backup strategy. How often should corporate data be backed up?
  • PSR, CSR and CTO should define how long backups are stored. Backups do not need to be stored forever, but in some cases (like financial documents) they must be kept for at least several years.

Example: If database backups need to be performed automatically every 12 hours, the backups will generate huge amounts of data. Therefore the CTO might decide that backups are stored for only 14 days and deleted automatically afterwards. Additionally, the CTO requires the PSR to manually back up the database and an existing automated database backup to a physical hard drive every first Monday of the month. The CTO defines that the manual backups need to be stored for 10 years.

  • Backups should be stored in encrypted form.
  • Backups should be automated, so they are not forgotten.
  • From time to time manual backups should be performed.
  • It is necessary to test if backups can be restored.
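The retention rules from the 12-hour database example above (automated backups kept 14 days, first-Monday manual backups kept 10 years), expressed as a small pruning policy. This is an added example, not part of the original measure; the file-name scheme "db-<auto|manual>-<YYYYmmddTHHMM>.sql.gpg" and the directory listing are assumptions, and the policy additionally never deletes the newest automated backup, so a silently stopped backup job cannot leave the database with no backup at all.

```python
from datetime import datetime, timedelta

# Retention from the example above: automated dumps every 12 h are kept
# 14 days, manual first-Monday backups 10 years. The file-name scheme
# "db-<auto|manual>-<YYYYmmddTHHMM>.sql.gpg" is an assumption.
AUTO_RETENTION = timedelta(days=14)
MANUAL_RETENTION_YEARS = 10

def parse_backup(name):
    """Return (kind, timestamp) for a backup file name."""
    stem = name.split(".", 1)[0]
    _, kind, stamp = stem.split("-")
    if kind not in ("auto", "manual"):
        raise ValueError(f"unknown backup kind in {name!r}")
    ts = datetime.strptime(stamp, "%Y%m%dT%H%M")
    if kind == "manual" and not (ts.weekday() == 0 and ts.day <= 7):
        raise ValueError(f"manual backup not on a first Monday: {name!r}")
    return kind, ts

def expiry(name):
    """Moment from which the backup may be deleted."""
    kind, ts = parse_backup(name)
    if kind == "auto":
        return ts + AUTO_RETENTION
    try:
        return ts.replace(year=ts.year + MANUAL_RETENTION_YEARS)
    except ValueError:  # 29 February landing in a non-leap target year
        return ts.replace(year=ts.year + MANUAL_RETENTION_YEARS, day=28)

def select_for_deletion(names, now):
    """Expired backups, except the newest automated one, which is always
    kept so that age-based pruning never removes the last backup."""
    autos = [n for n in names if parse_backup(n)[0] == "auto"]
    newest_auto = max(autos, key=lambda n: parse_backup(n)[1], default=None)
    return sorted(n for n in names if n != newest_auto and expiry(n) <= now)

# Constructed sample listing of a backup directory, evaluated at 2024-05-01.
SAMPLE = [
    "db-auto-20240401T0000.sql.gpg",    # 30 days old: expired
    "db-auto-20240416T1200.sql.gpg",    # 14.5 days old: expired
    "db-auto-20240417T1200.sql.gpg",    # 13.5 days old: kept
    "db-auto-20240430T1200.sql.gpg",    # newest automated backup: kept
    "db-manual-20140203T0900.sql.gpg",  # first Monday 2014, over 10 years: expired
    "db-manual-20240401T0900.sql.gpg",  # first Monday April 2024: kept
]

if __name__ == "__main__":
    for n in select_for_deletion(SAMPLE, datetime(2024, 5, 1, 0, 0)):
        print("delete", n)
```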

If cloud storage services like Owncloud are used, the data is automatically stored redundantly on the server and on the employees' computers. This is a good backup method, but it is recommended to perform backups of cloud storage services as well.
