Regular Backups
This page provides a template and guidance to assist organisations in documenting their approach to regular backups, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.
Estimated reading time: 4 minutes
Instruction
The Essential Eight sections of a System Security Plan (SSP) should document the Essential Eight Maturity levels associated with implementation of a system. As with other sections of the SSP, information in this section should be documented according to the relevant controls outlined in ASD’s ISM and the SSP Annex.
All template text refers to a typical implementation of a system built using the Blueprint, and includes reference to organisational policies, processes and technical configurations to be implemented in addition to the technical controls that may be configured using guidance from the Blueprint. Any implementation implied by the below text should not be considered as prescriptive of how the organisation must scope, build, document, or assess its system.
When completing the below template, organisations should insert and update information where relevant to ensure it accurately represents the Essential Eight Maturity levels associated with implementation of their system. When complete, remove any instructional boxes throughout.
Blueprint guidance
For applicable government organisations to meet the minimum requirements established under the Protective Security Policy Framework (PSPF) maturity model, these organisations must implement Maturity Level Two for each of the below components of ASD’s Essential Eight Maturity Model.
As with implementation of ISM controls, the Blueprint does not itself achieve any particular Essential Eight Maturity levels, but rather assists organisations in designing and building systems to achieve their desired maturity level based on their own operating context.
Applicability
The Regular Backups mitigation strategy mitigates the risk of losing system availability or important <SYSTEM-NAME> data in a ransomware attack or other destructive attack, and ensures that in the event of such an attack <SYSTEM-NAME> services and data can be quickly restored.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Maturity Level
Targeted: | <TARGET-LEVEL> |
Currently Assessed: | <ASSESSED-LEVEL> |
Implementation
Performing backups
Essential Eight guidance
All maturity levels require that backups of data, applications and settings are:
- performed and retained in accordance with business criticality and business continuity requirements
- synchronised to enable restoration to a common point in time
- retained in a secure and resilient manner.
Blueprint guidance
While the Blueprint does not provide specific guidance on performing data backups, the section below is provided for organisations to describe their specific implementation, including whether backups fall within the authorisation boundary of system(s) built using the Blueprint.
<DESCRIBE APPROACH TO PERFORMING BACKUPS AS APPROPRIATE>
Restoring from backups
Essential Eight guidance
All maturity levels require that the organisation performs disaster recovery exercises that include testing the restoration of data, applications and settings from backups to a common point in time.
Blueprint guidance
While the Blueprint does not provide specific guidance on performing disaster recovery exercises or on restoring from backups, the section below is provided for organisations to describe their approach to implementing and testing restoration procedures.
<DESCRIBE APPROACH TO RESTORING FROM BACKUPS AS APPROPRIATE>
Hardening backups
Essential Eight guidance
Required hardening for backups is determined by the following table:
Account Type | Restriction Applied | ML1 | ML2 | ML3
---|---|---|---|---
Unprivileged accounts | Cannot access backups belonging to other accounts | Yes | Yes | Yes
Unprivileged accounts | Prevented from modifying and deleting backups | Yes | Yes | Yes
Unprivileged accounts | Cannot access their own backups | - | - | Yes
Privileged accounts (excluding backup administrator accounts) | Cannot access backups belonging to other accounts | - | Yes | Yes
Privileged accounts (excluding backup administrator accounts) | Prevented from modifying and deleting backups | - | Yes | Yes
Privileged accounts (excluding backup administrator accounts) | Cannot access their own backups | - | - | Yes
Backup administrator accounts | Prevented from modifying and deleting backups during their retention period | - | - | Yes
Blueprint guidance
While the Blueprint does not provide specific guidance on hardening data backups, the section below is provided for organisations to describe their specific implementation, including whether backup hardening falls within the authorisation boundary of system(s) built using the Blueprint.
<DESCRIBE APPROACH TO HARDENING BACKUPS AS APPROPRIATE>
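The hardening table above is a set of access-control rules, and the most useful thing an organisation can do with it is test its own backup platform's permission model against it. The following is an added example, not part of the Blueprint or of ASD's guidance: it encodes the table as a policy function (`is_permitted`) and an `audit` routine that enumerates every account class, ownership, action and retention state and reports where a platform's own permission check is more permissive than the maturity level requires. The three account classes, the `Account` and `Backup` record shapes, the action names and the `platform_check` signature are assumptions made for illustration; map them onto your platform's RBAC roles and immutability or retention-lock features.

```python
"""Reference check for the Essential Eight backup-hardening table (added example).

Not Blueprint or ASD code. Account classes, record shapes and the
platform_check signature are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UNPRIVILEGED = "unprivileged"
PRIVILEGED = "privileged"              # privileged, but not a backup administrator
BACKUP_ADMIN = "backup_administrator"

READ, MODIFY, DELETE = "read", "modify", "delete"

# Fixed reference time so the example is deterministic (assumed value).
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    name: str
    kind: str  # one of UNPRIVILEGED, PRIVILEGED, BACKUP_ADMIN


@dataclass(frozen=True)
class Backup:
    owner: str                 # account the backup belongs to
    retention_until: datetime  # end of the retention period


def probe_backup(owner: str, in_retention: bool, now: datetime) -> Backup:
    """Build a constructed backup record either inside or past its retention period."""
    delta = timedelta(days=30) if in_retention else -timedelta(days=1)
    return Backup(owner, now + delta)


def is_permitted(level: int, account: Account, backup: Backup, action: str,
                 now: datetime) -> bool:
    """True if `action` by `account` on `backup` is allowed at maturity `level`.

    Only the restrictions in the table are enforced; anything the table does not
    restrict is allowed, so the function mirrors the table without adding rules.
    """
    if level not in (1, 2, 3):
        raise ValueError("maturity level must be 1, 2 or 3")
    own = backup.owner == account.name

    if account.kind == UNPRIVILEGED:
        # ML1+: no access to other accounts' backups and never modify/delete.
        if not own or action in (MODIFY, DELETE):
            return False
        # ML3: cannot access their own backups either.
        return level < 3

    if account.kind == PRIVILEGED:
        if level == 1:
            return True  # table lists no ML1 restriction for this class
        if not own or action in (MODIFY, DELETE):
            return False
        return level < 3  # ML3 adds "cannot access their own backups"

    if account.kind == BACKUP_ADMIN:
        # ML3: backups are immutable during retention; reads and expired backups are fine.
        if level == 3 and action in (MODIFY, DELETE) and now < backup.retention_until:
            return False
        return True

    raise ValueError(f"unknown account kind: {account.kind}")


def audit(level: int, platform_check, now: datetime) -> list:
    """Compare a platform's permission check against the table at `level`.

    platform_check(account, backup, action, now) -> bool is the organisation's own
    implementation (assumed signature). Returns (kind, owns_backup, action,
    in_retention) tuples where the platform allows something the table forbids.
    """
    findings = []
    for kind in (UNPRIVILEGED, PRIVILEGED, BACKUP_ADMIN):
        acct = Account("probe", kind)
        for owner in ("probe", "someone-else"):
            for in_retention in (True, False):
                backup = probe_backup(owner, in_retention, now)
                for action in (READ, MODIFY, DELETE):
                    required = is_permitted(level, acct, backup, action, now)
                    if platform_check(acct, backup, action, now) and not required:
                        findings.append((kind, owner == "probe", action, in_retention))
    return findings


if __name__ == "__main__":
    # A platform that allows everything: every row of the table becomes a finding.
    for finding in audit(3, lambda a, b, act, n: True, EXAMPLE_NOW):
        print("over-permissive:", finding)
```

Replace the `lambda` in `audit` with a wrapper around your platform's real authorisation check (for example, a function that attempts the operation with a test identity against a disposable backup) to turn this into a repeatable control test for the SSP.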
Related information
Security & Governance
- System Management
- Essential Eight: Patch Applications
- Essential Eight: Patch Operating Systems
- Essential Eight: Regular Backups
- System Administration Process
Design
Configuration
External links
- ASD’s Essential Eight
- Microsoft’s Service Trust Portal
- Microsoft’s Guidance for meeting ASD’s Essential Eight - Regular Backups