Subcontrol 10.4

[adammontville]

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network [traffic]. This includes remote backups and cloud services.

Measures

How important encryption, E = [0, 1]
M1 = (SUM i to N (baked i / capacity i)) / N
M2 = (SUM i to N ((baked i / capacity i) * E i)) / N

Metrics/KEI

Importance of back up =  M2/ M1

We can't do anything about the physical security, but again:

1. Backup software is installed
2. Backup software is appropriately configured

I don't think we want to test whether it's actually encrypted, though. And, the bit about "over the network" should ensure that HTTPS (or other similar protocol) is being used.

[wmunyan]

Ask IT if theres a setting in our backup software to encrypt the backups automatically? How do we protect our backups in transit?

[wmunyan]

Inputs:

• The list of endpoints configured for periodic backup
• The organization's backup configuration policy

Assumptions:

• Backup software (either OS or 3d party) is installed and appropriately configured on endpoints identified in Input 1

Operations:

• Interrogate the organization's backup configuration policy to determine if backups are configured to be encrypted
• Compare each endpoint's backup configuration with available configuration policy.

Measures:

• M1 = 1 if an endpoint's backup configuration policy ensures the backup is encrypted
• M2 = The total number of endpoints configured for periodic backup

Metrics:

• Coverage Ratio: (SUM of M1 from 1..M2) / M2