---+ OPS-08 Data Backup and Recovery - Regular Testing

---++ 1. Overview

Each criterion below is listed by its designation (e.g. OPS-08.01B) followed by the standard text.

---+++ OPS-08.01B

Restore procedures are tested regularly, at least annually. The tests include cloud service provider data and, if contractually agreed upon, cloud service customer data and cloud service derived data.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.
The use of cloud service customer data in backup and restore procedures as described in the basic criterion is a carefully considered exception. This exception does not extend to general software development or other testing environments and the use of cloud service customer data for testing is restricted specifically to backup and restore procedures.

---+++ OPS-08.02B

The tests allow an assessment as to whether the contractual agreements as well as the specifications for the maximum tolerable downtime (Recovery Time Objective, RTO) and the maximum permissible data loss (Recovery Point Objective, RPO) are adhered to (cf. BCM-02).
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.

---+++ OPS-08.03B

Cloud service customer data is only restored in environments that are subject to the same access restrictions as the production environment.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.
If cloud service customer data is restored in an environment with differing access restrictions, the confidentiality of the data may be affected.

---+++ OPS-08.04B

The restore tests performed are thoroughly documented. This also includes the documentation of the safe disposal of the restored data.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.

---+++ OPS-08.05B

Deviations from the specifications are reported to the responsible personnel or system components so that these can assess the deviations in a timely manner and initiate the necessary actions.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.

---+++ OPS-08.01AC

At the customer's request, the cloud service provider informs the cloud service customer of the results of the restore tests.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.

---+++ OPS-08.02AC

Restore tests are included in the cloud service provider's business continuity management.
If the data backup has not been contractually agreed between the cloud service provider and the cloud service customer, this criterion is not applicable. The cloud service provider transparently presents this situation in the system description.

---+++ OPS-08 Supplementary Information - Complementary Customer Criteria

Cloud service customers ensure with suitable controls that they actively request information on the results of restore tests from the cloud service provider. Customers assess the effectiveness of applied data recovery strategies and integrate insights into their own emergency plans in alignment with their business needs and security standards.

---++ 2. Identified Requirements

| *Source* | *Requirement* |

---++ 3. Related Regulations

| *Source* | *Regulation* |