Backing Up Your Files and Data

University business must not be exposed to undue and unnecessary risk as a result of inadequate backup arrangements.

University information security policy makes various statements about backups including this strategic summary:

University business must not be exposed to undue and unnecessary risk as a result of inadequate backup arrangements.

Information, whether stored on paper, or electronically on computer equipment, is exposed to various risks. For example, information may be stolen, destroyed or irreparably corrupted. Computer hard drives are very reliable; however, they do fail eventually. Floods, fires and thefts at the University are rare; however, they can and do happen occasionally. People sometimes erase, overwrite and discard information by mistake.

Consequently it is essential that backups are available to help reduce the impact that an information loss would have on any University teaching, research or administration activities.

How well backups mitigate risk in practice will depend on how they are implemented. In addition it is important that information owners understand what to expect from the backup arrangements implemented by those who manage their information.

Contents

Important things to consider

  • Who will be responsible for ensuring backups are run to plan
  • What to back up
  • The backup regime to use. This will include frequency of backups and whether to use only full backups or combine full backups with differential or incremental backups. The cost and effort involved in frequent backups is to be weighed up against the data changes made since last backup that might be lost should a recovery from backup be necessary.
  • Whether to keep full backups in addition to the latest full backup.
  • Where to store backups. It is desirable for backups to be held securely and for them to be somewhere unlikely to be affected by an incident affecting the live data.
  • Recovery from backups should be tested periodically (taking care to ensure that the recovery procedure does not accidentally destroy more recent files). The intention is to help discover any problems with the restore procedure before it needs to be used for real.
  • Backup media must be securely disposed of, when no longer required, in a way that ensures that information will not be disclosed to unauthorised persons.
  • It should be noted that use of mirrored disks (and other disk arrays that offer resilience against a drive failure) does not avoid the need for making backups. For example if data is accidentally corrupted or deleted on a mirrored drive, having two identical copies of the drive is little compensation.
  • Information that is help on central servers managed by IT Services are regularly backed up. This includes all files and emails held within your CFS account (on Z: and X: drives but not your local PC drive).

Information Managers

Those responsible for managing information, especially computer system managers, are required to be proactive in working with information owners to ensure that backup security requirements, expectations and limitations are clearly understood.

Computer system managers should ensure that backup arrangements are:

  • published, agreed with users of the system where appropriate
  • reliably implemented and that users are informed promptly should there be any problems with, or changes to, the backup arrangements

Planning and implementing backups can be complicated, IT Services staff with experience of operating backup systems may be able to review plans and offer advice.

Information Owners or Custodians

The information owner or custodian is responsible for checking, or seeking assurance, that the backup arrangements for the computer facility or service being used are suitable. Staff identifying potentially inadequate backup arrangements, for information which the University has responsibility, must inform their line manager.

Mobile Devices (Laptops, Smartphones, USB drives)

Mobile devices can fail, be lost or stolen. Users of mobile devices should ensure that any information of importance for University business, whether or not it is encrypted, is also backed up regularly. Mobile devices usually support a method for backup or synchronisation with a PC.

Staff working from Home

Staff must ensure that adequate backup procedures are implemented for any University information held offsite. (It would normally, however, be preferable to remotely access data that is held onsite and already subject to routine backup).

University Policy

This communication is based on the Information Security Policy documents:
Information Handling Policy (ISP-S7)
Mobile Computing Policy (ISP-S14)
System Management Policy (ISP-S11) 
Teleworking Policy (ISP-S15)
Use of Computers Policy (ISP-S9)

Share this page:

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.