Virtual Server: ITS Customer Backup Policy (non-ITS Backup Solution)

Summary

This is a summary of the ITS Customer Backup Policy if customers choose NOT to have their servers backed up by ITS and have their own backup solution.

Body

This is a summary of the ITS Customer Backup Policy if customers choose NOT to have their servers backed up by ITS and have their own backup solution. ITS now requires backups for all Virtual Servers. For customers seeking a backup solution outside of ITS, these are the required guidelines.

What are the guidelines for customers who do not want to use enterprise backup (ie. backup to an external drive connected to a user’s desktop)?

The customer should first determine what kind of Institutional Data will be backed up.
- If data is Public or Restricted, then the following are RECOMMENDED.
- If data is Sensitive or Regulated, then the following are REQUIRED.

Ensure Regular Automated Backups:
Ensure that all system data is automatically backed up on a regular basis. (CIS Control 10.1)

Example: Daily incremental backups with one full backup, and 30 day retention, depending on your data retention storage policy.

Perform Complete System Backups:
Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. (CIS Control 10.2)

Example: Backup all data as well as application configuration files to ensure a quicker recovery.

Protect Backups:
Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. (CIS Control 10.4)

Backups should be BOTH physically secured and encrypted.

Ensure Backups Have At least One Non-Continuously Addressable Destination:
Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. (CIS Control 10.5)

The backup destination should not be a device on an open network, and it should be properly secured via permissions and access controls.
Example backup scenario if NOT choosing backups from ITS
- Purchase an additional virtual server and set it up as a storage repository for backups.
- The backup solution should have a means of encrypting data in transit and in storage for sensitive or regulated data.
  - An SSL certificate may need to be obtained, depending on how the backup solution works.
- Local backups
  - Complete the backups locally on your own workstation or external hard drive. Note that ITS may only provide best-effort support with setting up physical devices.
  - Customer will need to ensure the device can be secured and protected physically and over the network (i.e., access control rules).
  - Minimum security standards still apply.

What if a customer decides to backup to the cloud (Google, AWS, etc.)?

The customer will be responsible for vetting third-party risk and constructing backup services that meet the minimum security standards and backup requirements, as applicable.
Consult with Data Governance (https://datagov.intranet.hawaii.edu/) before using a third-party cloud backup service.
- The additional Data Governance requirements for third-party IT services will also be required for the customer to complete.

Additional References for Further Reading

ITS Minimum Security Standards - https://www.hawaii.edu/infosec/minimum-standards/
CIS Controls - https://www.cisecurity.org/controls/cis-controls-implementation-groups/
NIST 800-171 - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

Details

Article ID: 20253

Created

Wed 3/4/26 1:10 PM

Modified

Fri 3/6/26 9:45 PM