This procedure outlines the frequency and type of data backups. It also addresses the length of time that backups must be retained.
The procedure applies to all devices that hold or accumulate data in the support of College operations, to include telecommunications, network applications, desktop units, notebooks, and other digital media.
The Systems and Network Administrator or designee is responsible for making and retaining an adequate number of data backups to serve as “safety” copies.
Data backups will be made of all devices that contain or collect data, to include at a minimum:
- Servers and internal disks
- Storage Area Networks
- Telecommunications switches (PBX)
- Networking equipment that stores a configuration
Types of Data
- Personal data are not to be stored on College equipment. Critical data for College operations must be stored on network drive (server) so that it is included in scheduled backups.
- Tape number labeling is required which included business critical, legal and similar data types. Care must be taken to ensure the data is securely stored.
- Non-critical data must be identified. Non-critical data is not required to be retained for a period of time. Typically, this data is deleted after 13 months. Tape number labeling is required.
Data Backup Frequency
- Daily back-ups are retained for one week.
- Weekly back-ups (Full) are retained for 30 days.
- Monthly back-ups (Full) are retained for 1 year.
- One-year back-ups (Full) are retained for 7 years.
- All back-ups are rolled up from previous operations
Retention periods are in accordance with the General Retention Schedules for Community Colleges provided by the Arizona State Library: Archives and Public Records division, or as may otherwise be required by law, state or federal regulation.
Data backups will be transported off site weekly after the backups are created.
Once every calendar quarter, the Systems and Network Administrator, or designee will audit the off-site storage process to ensure that:
- Media is kept in a climate-controlled environment during transit.
- The storage facility is secure.
- The storage facility is climate controlled.
- The data center security is appropriate for media going out and for media coming in.
- There is a documented chain of custody for backup media from the point it leaves the data center until it is returned.
Data that has outlived its usefulness to the College, and whose age exceeds the legal limits for retention, must be properly destroyed. The following conditions apply:
- The media must be rendered permanently unreadable. This will be primarily accomplished through physical destruction.
- When data is destroyed, it must be documented as by who, by what means, when, and what the data consisted of.