3.3.10 Data Backup and Recoverability
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force |
Effective from 2021-11-04 - Nov 03 2021
Principle
Data backup management strategy along with backup and restoration procedures should be defined, approved and implemented to ensure reliability, availability, and recoverability of data of the Member Organizations.
Control Requirements
1. A data backup management strategy should be defined, approved and implemented.
2. The data backup management policy should consider the following, but not limited to:
   a. alignment with the SAMA Business Continuity Management Framework;
   b. implementation of replication, backup and recovery capabilities;
   c. data storage;
   d. data retrieval; and
   e. data retention as per the legal, regulatory and business requirements.
3. Backup and restoration procedures should be defined, approved and implemented.
4. The effectiveness of the backup and restoration procedures should be measured and periodically evaluated.
5. Member Organizations should define their backup and restoration requirements considering the following, but not limited to:
   a. legal and regulatory requirements;
   b. business requirements in line with the agreed RPO (Recovery Point Objective);
   c. type of backups (offline, online, full, incremental, etc.); and
   d. schedule of the backup (daily, weekly, monthly, etc.).
6. Member Organizations should ensure that, at a minimum, the following information is backed up:
   a. applications;
   b. operating system software;
   c. databases; and
   d. device configurations.
7. In case of replication of data between the primary and disaster recovery site, Member Organizations should ensure that all replication issues are resolved in a timely manner, such that data at the disaster recovery site is in sync with the primary site as per the agreed recovery point objective (RPO) and recovery time objective (RTO).
8. Member Organizations should ensure that RTOs for critical services such as payment systems, customer-related services, etc. are adequately defined, considering the high availability of the supporting operations and minimum disruption in the event of a disaster.
9. Member Organizations should ensure that sufficient investments are made from a people, process and technology perspective to achieve the targeted RTOs.
10. Member Organizations should implement alternate mechanisms for backup redundancy (e.g. transaction dumps in addition to full database backups).
11. Member Organizations should conduct periodic testing and validation of the recovery capability of backup media.
12. Backup media should be appropriately labelled.
13. Backup media, including USB disks, containing sensitive or confidential information should be encrypted before transportation to offsite storage.
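Added example, not part of the SAMA framework text: one way to make controls 7 and 11 testable in practice. A restore test that only checks the backup job "succeeded" proves little; the check below restores a full backup plus its incrementals into a scratch directory and compares every restored file against a SHA-256 manifest taken from the source at backup time, and a second function compares the age of the newest consistent copy at the DR site with the agreed RPO. The tar-based backup set, file names, contents and timestamps are constructed sample data, and the function names are this example's own.

```python
"""Added example (not part of the SAMA framework text): a recoverability test for a
full + incremental backup chain, plus an RPO age check for replicated data.
All file names, contents and timestamps below are constructed sample data."""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
from datetime import datetime, timedelta


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tar(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive from {path: content}; stands in for a real backup set."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def restore_chain(full: bytes, incrementals: list[bytes], dest: str) -> dict[str, str]:
    """Restore the full backup, then apply each incremental in order (later copies win).
    Returns {archive member name: restored path}. Member paths are confined to dest so a
    crafted or corrupted archive cannot write outside the restore directory."""
    root = os.path.realpath(dest)
    restored: dict[str, str] = {}
    for archive in [full, *incrementals]:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = os.path.realpath(os.path.join(root, member.name))
                if os.path.commonpath([root, target]) != root:
                    raise ValueError(f"unsafe path in backup archive: {member.name}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
                restored[member.name] = target
    return restored


def verify_restore(full: bytes, incrementals: list[bytes], manifest: dict[str, str]) -> dict:
    """Restore into a scratch directory and compare every file's SHA-256 with the manifest
    recorded from the source at backup time. Files missing or altered are 'mismatched';
    restored files absent from the manifest are 'extra' (e.g. deleted on the source since)."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = restore_chain(full, incrementals, scratch)
        mismatched = []
        for name, expected in manifest.items():
            path = restored.get(name)
            if path is None:
                mismatched.append(name)
                continue
            with open(path, "rb") as fh:
                if sha256_bytes(fh.read()) != expected:
                    mismatched.append(name)
        extra = sorted(set(restored) - set(manifest))
    return {"ok": not mismatched and not extra, "mismatched": mismatched, "extra": extra}


def rpo_met(last_consistent_copy: str, now: str, rpo_minutes: int) -> bool:
    """True when the newest consistent copy at the DR site (ISO 8601 timestamp) is no
    older than the agreed RPO; a False result means replication lag has breached it."""
    last = datetime.fromisoformat(last_consistent_copy)
    current = datetime.fromisoformat(now)
    return current - last <= timedelta(minutes=rpo_minutes)


# Constructed sample backup set: a full backup, one incremental that changes the DB dump
# and adds a file, and the manifest of what the source looked like after the incremental.
FULL = make_tar({"etc/app.conf": b"port=8443\n", "db/dump.sql": b"-- full dump v1\n"})
INCR = make_tar({"db/dump.sql": b"-- full dump v2\n", "etc/extra.conf": b"x=1\n"})
MANIFEST = {
    "etc/app.conf": sha256_bytes(b"port=8443\n"),
    "db/dump.sql": sha256_bytes(b"-- full dump v2\n"),
    "etc/extra.conf": sha256_bytes(b"x=1\n"),
}

if __name__ == "__main__":
    print("full + incremental:", verify_restore(FULL, [INCR], MANIFEST))
    print("full only:         ", verify_restore(FULL, [], MANIFEST))
    print("RPO 15 min met:    ", rpo_met("2021-11-04T11:40:00+00:00", "2021-11-04T12:00:00+00:00", 15))
```

Restoring the full backup without its incremental reports both the stale database dump and the missing file, which is the kind of evidence a periodic recovery test should produce rather than a bare pass/fail. In a real exercise the manifest must be computed on the source system when the backup is taken, the restore should land on an isolated host, and the path-confinement check matters because backup media that has left the site is no longer trusted input.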