+OPS-06 Data Backup and Recovery - Policies and Procedures
---+OPS-06.01B
---+OPS-06.01AS
---+OPS-06 Supplementary Information - Complementary Customer Criteria
|
1. Übersicht
OPS-06 Data Backup and Recovery - Policies and Procedures
-
| Bezeichnung |
Standard |
|
OPS-06.01B
|
Policies and procedures for regular backup or replication and regular restore of cloud service customer data, cloud service derived data and cloud service provider data according to the sensitivity of the data are documented, communicated and provided in accordance with SP-01 regarding the following aspects:
1. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud service customers and the cloud service provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO);
2. Data is backed up in encrypted, state of the art form;
3. Secure storage, transfer, management and disposal of backup data;
4. Access to the backed-up data and the execution of restores is performed only by authorised persons;
5. Tests of data restore procedures by the cloud service provider (cf. OPS-08); and
6. If part of the contractual agreement: Execution of actual data restore requests or restore tests initiated by the cloud service customer.
The policies and procedures include conditions for those parts of cloud service provider data that do not require a backup. For those parts of cloud service provider data, this subcriterion is not applicable.
Particularly within IaaS and PaaS service models, responsibility for backup and recovery of cloud service customer data often remains with the customer and is therefore not part of the contractual agreements between cloud service provider and cloud service customer.
If the data backup of cloud service customer data is not part of the contract, this criterion is not applicable for cloud service customer data, but it is still applicable for cloud service derived data and cloud service provider data. The extent to which the criterion is applicable to the cloud service is presented in the system description.
The data backup policies and procedures specifiy which type of data backup is to be carried out (e.g. scope, frequency and duration) and specify which data shall also be backed up in special cases (e.g. pure use of compute nodes without data storage). When backing up data, one has to distinct between *backups* and *snapshots* of virtual machines. Snapshots do not replace backups but can be part of the backup strategy to achieve Recovery Point Objectives (RPO) if they are additionally stored outside the original data location. The business requirements of the cloud service provider for the scope, frequency and duration of the data backup result from the business impact analysis (cf. BCM-02) for development and operational processes of the cloud service. If different data backup and recovery procedures exist for cloud service customer data and cloud service provider data, both variants are in scope for tests of controls according to this criteria catalogue.
Existing contractual agreements prior to a C5 attestation do not need to be updated to incorporate the requirements specified in this criterion. Instead, new contractual agreements should be designed to ensure that specified requirements are clearly defined and agreed upon with cloud service customers.
Parts of cloud service provider data that do not require a backup include, but are not limited to, parts of cloud service provider data than can be built from scratch without a backup.
|
|
OPS-06.01AS
|
Policies and procedures for at least daily backup or replication and at least daily restore of cloud service customer data, cloud service derived data and cloud service provider data according to the sensitivity of the data are documented, communicated and provided in accordance with SP-01 regarding the following aspects:
1. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud service customers and the cloud service provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO);
2. Data is backed up in encrypted, state of the art form;
3. Secure storage, transfer, management and disposal of backup data;
4. Access to the backed-up data and the execution of restores is performed only by authorised persons;
5. Tests of data restore procedures by the cloud service provider (cf. OPS-08); and
6. If part of the contractual agreement: Execution of actual data restore requests or restore tests initiated by the cloud service customer.
The policies and procedures include conditions for those parts of cloud service provider data that do not require a backup. For those parts of cloud service provider data, this subcriterion is not applicable.
Particularly within IaaS and PaaS service models, responsibility for backup and recovery of cloud service customer data often remains with the customer and is therefore not part of the contractual agreements between cloud service provider and cloud service customer.
If the data backup of cloud service customer data is not part of the contract, this criterion is not applicable for cloud service customer data, but it is still applicable for cloud service derived data and cloud service provider data. The extent to which the criterion is applicable to the cloud service is presented in the system description.
The data backup policies and procedures specifiy which type of data backup is to be carried out (e.g. scope, frequency and duration) and specify which data shall also be backed up in special cases (e.g. pure use of compute nodes without data storage). When backing up data, one has to distinct between *backups* and *snapshots* of virtual machines. Snapshots do not replace backups but can be part of the backup strategy to achieve Recovery Point Objectives (RPO) if they are additionally stored outside the original data location. The business requirements of the cloud service provider for the scope, frequency and duration of the data backup result from the business impact analysis (cf. BCM-02) for development and operational processes of the cloud service. If different data backup and recovery procedures exist for cloud service customer data and cloud service provider data, both variants are in scope for tests of controls according to this criteria catalogue.
Existing contractual agreements prior to a C5 attestation do not need to be updated to incorporate the requirements specified in this criterion. Instead, new contractual agreements should be designed to ensure that specified requirements are clearly defined and agreed upon with cloud service customers.
|
|
OPS-06 Supplementary Information - Complementary Customer Criteria
|
Cloud service customers ensure with suitable controls that the contractual agreements made with the cloud service provider regarding the scope, frequency and duration of data retention meet business requirements. The business requirements are assessed as part of the business impact analysis (cf. BCM-02).
|
1.1 Referenzen
1.2 Identifizierte Anforderungen
1.2 Related Regulation
2. Identifizierte Anforderungen
Anforderungen
| Source |
Anforderung |
3. Related Regulations
Regulations
| Source |
Regulierung |
|