Maintain backups necessary to restoring material operations. The backups shall be adequately protected from unauthorized alterations or destruction.
Procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the covered entity and storing of the information offsite.
Include procedures for the maintenance of back-up facilities, systems and infrastructure as well as alternative staffing and other resources to enable the timely recovery of critical data and information systems and to resume operations as soon as reasonably possible following a cybersecurity-related disruption to normal business activities.
Routinely test ability to restore its critical data and information systems from backups.
Highlight the importance of establishing Recovery Time Objectives and Recovery Point Objectives for each data source to minimize downtime, cost, and loss of data.
The corresponding NIST CSF 2.0 subcategory is PR.DS-11: Backups of data are conducted, protected, maintained, and tested (formerly PR.IP-4).
Corresponding requirements in Revised Proposed 2nd Amendment to Regulation 23 NYCRR 500: