State Government Enterprise IT Standards
Purpose: To prevent the loss of all operational and historic electronic data in the custody of the State by ensuring timely backup and data restoration capability in case of disaster.
The State of Iowa is dependent on electronic data to conduct internal and external government business. The nature of State business conducted through electronic means varies from routine, non-critical information to critical information used in emergency disaster efforts. Iowa’s citizens hold State government to the highest standard for data availability, retention and restoration of backup data to operational status in the shortest time possible.
As stewards of citizen information, State government is accountable for exercising effective data backup best practices. State of Iowa agencies are responsible for the following: determining the criticality of data through risk management methods, data backup schedules, data backup capability, security of data backup media, data storage requirements, offsite storage requirements, and data restoration schedules based on agency disaster and contingency plans.
Each agency is encouraged to incorporate data backup and data restoration into business plans and development plans. For the purposes of knowledge transfer, a data backup system example that is currently in use is provided for adaptation to agency needs (see illustration).
Submit proposed changes to this standard to the TGB Standards Advisory Group at any time for consideration.
For the purpose of this standard, all State of Iowa agencies, boards or commissions operating electronic information systems containing State electronic data will establish and follow written electronic data backup procedures compliant with the practices established within this standard.
Data backup procedures serve the following functions: identify risks to essential State business data, establish the conduct of timely essential electronic data backup based on acceptable cost-benefit analysis, identify security measures for data backup based on cost-benefit analysis, establish approved State offsite storage facilities based on cost-benefit analysis, and establish a standard data backup routine for technicians to follow.
Agencies will be required to come into compliance within 180 days of March 1, 2009. The Technology Governance Board (TGB) has authority to determine entity compliance or non-compliance with this standard. Failure to comply with this standard will result in a review by the TGB.
This document will be reviewed at least every two years and updated as needed.
Selected terms used in the Data Backup Standard are defined below:
- Acceptable Risk – is derived from the organization management’s legal and regulatory compliance responsibilities, threat profile, business drivers and impacts.
- Cost-Benefit Analysis – is the process that allows IT managers to balance the operational and economic costs of protective measures.
- Contingency Plan – is a plan devised for a specific situation when things could go wrong. Contingency plans are often devised by governments or businesses that want to be prepared for anything that could happen.
- Data Backup – refers to making copies of data that may be used to restore the original data after a data loss event.
- Essential Data – data essential to running State operations.
- Risk Management – is a structured approach to managing uncertainty related to a threat: a sequence of human activities including risk assessment, development of strategies to manage it, and mitigation of risk using managerial resources.
- Agency – means any agency as listed in Iowa Code Chapter 8A Section 201 paragraph 4.
Data Backup Standard:
It is the Data Backup Standard of Iowa that:
- Each agency will write a local policy using risk management methodology and cost-benefit analysis to identify State electronic data for backup.
- Data backup shall be used for the purpose of disaster recovery only. This standard does not satisfy the requirements set forth by the records management or records retention laws or policies.
- Each agency will ensure data backup costs are kept to a minimum by conducting procurement of data backup hardware and software in accordance with current procurement standards IAC 11-105.10 (8A). Collaboration between agencies is strongly encouraged to minimize the number of unique systems and implementations to reduce costs for taxpayers.
- Each agency will establish and follow a written procedure for the conduct of data backup addressing the following areas:
  - data backup hardware
  - software configuration
  - technician training
  - technician data backup procedures
  - data identified for backup
  - data backup schedules
  - vendor support
  - security measures
  - data backup media requirements
  - approved off-site storage facilities
  - restoration plans
  - restoration schedules
  - technician restoration procedures
  - emergency procurement plans.
- Each agency will establish metrics for minimum acceptable condition (coercivity, retentivity, rewrites, and optical longevity) of storage media before committing backup data to storage.
- Each agency will test data backup and restoration procedures, hardware and software applications to ensure compliance with current State of Iowa IT Security Standards.
- Each agency will ensure data backup recovery plans are exercised once a year to ensure technicians are proficient with data backup and restoration of failed systems. The restoration exercise must consider risk and not interfere with current operations.
- To prevent a possible data breach, each agency will ensure backup data is sufficiently encrypted before leaving the physical security controls of the agency.
- Each agency conducting data backup for other agencies will establish agreements with each other in accordance with current State of Iowa IT standards and TGB guidelines to detail:
  - lines of communication
  - security reviews
  - audit log analysis
  - security incident reporting/response
  - contingency plans
  - change management
  - security plan maintenance
  - planned disconnection
  - emergency disconnection
  - restoration of interconnection
  - data restoration
  - data backup systems policy
  - data integrity
  - expected behavior of the data backup service(s).
- Each agency will write a local policy requiring that a detailed data backup systems topology and architecture be created and regularly updated for contingency planning and disaster recovery purposes.
- To comply with Iowa data breach notification laws, agencies will ensure procedures are in place to enforce data backup policies.
- Each agency will ensure data backup systems remain compatible with existing technology per the guidance of the TGB.
- Waivers to this operational standard may be granted in accordance with Iowa Administrative Code Chapter 25, Section 11-25.6(8A).
Approval by the Technology Governance Board:
This standard was approved by the board at the February 12, 2009 TGB meeting. The standard was released for a public comment period of ten working days. No comments from the public were received during this period.
Approval by the Department of Administrative Services Director:
This standard was approved by Ray Walton, DAS Director on March 19, 2009.
This standard is in effect until revised or rescinded.