
ISMS - 008 Backup Policy

Uploaded by

Mohammad Zabadi

Backup Policy

Doc Ref: AIB-IS-POL-08

Version: 1.0

Disclaimer: No part of this document may be reproduced or transmitted in any form or by any means,
electronic, manual, photocopying, recording or by any information storage and retrieval system, without
prior written permission of AXIS INSURANCE BROKERS.

Restricted
AIB-IS-POL-08 Backup Policy

Document Control

Document Information

Document Title Backup Policy

Classification Restricted

Document Review and Version Control

Version Revision Section


Date Author Reviewer
No. Description Updated

First Adam
V 1.0 14/09/2023 Draft Sufyan Areed
Release Ahmed

First Adam
V 1.0 02/10/2023 Approved Sufyan Areed
Release Ahmed

Draft Verification

Name           Designation   Signature      Date of Verification
Sufyan Areed   CTO           Sufyan Areed   02/10/2023

Approvals

Name           Designation   Signature      Date of Approval
Sufyan Areed   CTO           Sufyan Areed   02/10/2023

Version 1.0 Restricted Page



Abbreviations

Term Description

ADHICS Abu Dhabi Health Information and Cyber Security Standard

AIB Axis Insurance Brokers

CEO Chief Executive Officer

CISO Chief Information Security Officer

CIA Confidentiality, Integrity, Availability

ISMS Information Security Management System

HIIP Healthcare Information Infrastructure Protection Workgroup

HIE Health Information Exchange

AAA Authenticity, Accountability and Auditability

IPR Intellectual Property Rights

IT Information Technology

ISGC Information Security Governance Committee

PII Personally Identifiable Information

HR Human Resource

QA Quality Assurance

NDA Non-Disclosure Agreement


Table of Contents

1. Introduction
2. Scope
3. Purpose
4. Roles And Responsibilities
5. Backup Policy
5.1. Backup Requirement
5.2. Backup Schedule
5.3. Backup Media Handling and Storage
5.4. Backup Recovery and Testing
5.5. Backup Media Disposal
1. Appendix - Backup Schedule
6. Policy Compliance, Enforcement, And Violations
7. Reference


1. Introduction
The unprecedented growth and dependency on digital information have necessitated an efficient approach
to data backup and recovery. Practicing regular backup of digital communication, data, and other electronic
files is an essential IT practice to ensure against the loss of valuable information.

2. Scope
This policy is applicable to all users of Axis Insurance Brokers’ information, Information Technology (IT)
equipment, systems, assets, resources and information processing facilities.

3. Purpose
The purpose of this policy is to ensure that backups are performed properly and that a system can be
restored to its current state (as of the date of the most recent backup) in case of system failure, or that
individual files inadvertently deleted or lost can be restored. It is essential that certain standard practices
be followed to ensure that the information is backed up on a regular basis.

4. Roles and Responsibilities


Role: Business / User Owner
Responsibilities:
• Responsible for defining the criticality of the information, defining the Recovery Point Objective,
  Recovery Time Objective and periodicity and extent of the backup.
• Approve the backup procedure related to the systems/data in their business line and coordinate with
  the IT Department to back up the data as per the defined procedures.
• Users are responsible for backing up the critical data located on their computers to a central server
  where the data is backed up regularly.
• Approve the data restore requests. Any data restore request related to department data must be
  approved by the department manager.

Role: IT Operations / IT Custodian
Responsibilities:
• Performing the backup periodically as defined by the business owners.
• Testing the backup periodically and reporting any issues related to the restoration process.
• Maintaining the logs of the backup and restore activities.
• Ensure the retention of the backup as per the business, legal and regulatory requirements.

Role: IT Manager
Responsibilities:
• Assist the business owners in defining the recovery point objective and recovery time objectives of
  the systems and data.
• Assist the business owners in defining the frequency of the backup, frequency of restoration tests and
  retention period.

5. Backup Policy
Definitions
Archive: The saving of old or unused files onto magnetic tape or other offline mass storage media for
the purpose of releasing on-line storage room.

Backup: The saving of files onto magnetic tape or other offline mass storage media for the purpose of
preventing loss of data in the event of equipment failure or destruction.

Disaster: An occurrence resulting in hardware or system failures or a natural or man-made catastrophe.

Restore: The process of bringing data back from offline storage media and putting it on an
online storage system such as a file server.

Recovery Point Objective (RPO): Describes the acceptable amount of data loss, measured in time; it
quantifies the permissible amount of data loss in case of disruption.

Recovery Time Objective (RTO): Describes the maximum time acceptable to the business to be without
the system/function/data, or the earliest point in time within which the critical business operations must
resume after a disaster.

5.1. Backup Requirement


1. The availability of the information shall be ensured as per the business requirements.
2. To ensure the availability, backups of the data shall be performed as per agreed frequency and stored
securely.
3. The extent and frequency of backups shall reflect the business requirements of the Axis Insurance
Brokers.
4. The business owner shall define the frequency and extent of the backups; based on the importance of
the data and the acceptable risk (recovery point objectives and recovery time objectives)
5. Appropriate backup procedures must be in place to ensure that all critical information is backed up
periodically. The backup and restore procedures for each system shall be documented separately or
per group of systems and reviewed periodically.
6. Access to the backed-up data shall be restricted to the authorized users only.
7. The latest versions of the software, application software, and application configuration shall be backed
up initially after the implementation and immediately after any changes.


8. Backups of the operating system software shall be performed according to the agreed frequency
and/or events. The type of mode of the backup (Operating System Media, System State backup, system
image backup) shall be documented in the corresponding backup procedure.
9. It is the responsibility of the user to back up important business data stored on the personal computer.
10. The information in the backup media must be examined regularly for recoverability to ensure that the
media can be relied upon during emergencies. To verify the accessibility of backup media, mock
restoration tests shall be carried out. The periodicity of the restoration tests shall be included in the
associated backup procedure.
11. The backup shall be stored in a remote location, significantly away from the primary data centre and
business location. The backup location should have the same level of physical security and
environmental controls as the main site. The offsite location of the backed-up data shall be
documented in the associated procedure.
12. The format in which the data is stored must be carefully considered, especially where proprietary
formats are involved. The storage media used must be appropriate to its expected longevity to meet
the business, legal and regulatory requirements.
13. Appropriate restore procedures must be in place and the restore procedures for each critical system
shall be documented and tested according to the defined periodicity.
14. The data shall be archived when not in use and to meet legal and regulatory requirements.
15. Wherever required to meet the business, legal and/or regulatory requirements, the backups shall be
protected by use of cryptography such as encryption. Such requirements shall be documented in the
associated backup procedures.
16. At least two generations of backup tapes must be stored off-site, in a physically secure and fireproof
environment. Records of backup logs must be stored in a similar fashion to the backup tapes.
17. Obsolete backups/archives shall be disposed of securely.
18. Information / data Backup requirements of all information systems within Axis Insurance Brokers shall
be identified and documented.
19. The IT department shall record and maintain the backup requirements for all information systems. The
details shall include information/data to be backed up, backup frequency, storage media, retention and
disposal.


5.2. Backup Schedule


1. The backup Administrator shall regularly perform the backup for each service/ information system
based on the requirement provided by the business process owner or ensure that information/data is
available in the event of failure of information processing systems.
2. The backup Administrator shall ensure that any newly commissioned server into production is included
for the minimum level of data backup or any changes to backup information/data is included in the
backup schedule.
3. In the event of scheduled backup failure, the Backup Administrator shall ensure rescheduling of backup
and shall keep the respective business process owner informed.
4. Backup of systems, applications, devices, etc. shall be taken before and after applying any changes,
such as upgrades, patching, etc.
5. Backup administrator shall identify the root cause for the failure of backup and the same shall be
documented.

5.3. Backup Media Handling and Storage


1. All backup media shall be clearly and uniquely identified in a consistent manner.
2. Backup tapes shall be stored and maintained at an identified offsite location.
3. The offsite location for storage of backup tapes shall be in a separate geographic region with a
significant distance from the onsite location.
4. Offsite backup shall be maintained in a fire-resistant enclosure and shall be covered with appropriate
physical security.
5. Access to backup media while onsite, in transit, or offsite shall be restricted.
6. All backup tapes shall be regularly transported to the offsite storage location.
7. If backup tapes are discovered to be damaged or corrupted, then these tapes must be destroyed.
8. A detailed schedule for the movement of backup tapes to the offsite location shall be documented and a
record of the movement of tapes to and from the offsite location shall be maintained.
9. The movement of backup media to and from offsite locations shall be carried out in a sealed, and
tamper-proof turtle case.
10. The backup media shall be retained for the period in line with data retention requirements.
11. Backup Administrator shall ensure the physical expiry date of backup media is more than the retention
period defined by business process owner.
12. The information/ data shall be backed up and stored in encrypted form in the backup media.
13. Handling of backup media shall be done according to the manufacturer’s recommendations and
guidelines to prevent damage.


14. The IT department shall ensure that separate backup tapes are used for daily, weekly, monthly & yearly
backups.
15. Backup copies of critical data must be maintained at an identified offsite location.
16. All backup media shall be disposed of in a secure manner at the end of their life, according to their
retention period, or if found to be corrupted or damaged, and the disposal procedure must ensure the
following:

• The media is properly degaussed.
• Labels/tags containing reference to Axis Insurance Brokers' internal information are removed.
• Tapes and other non-reusable data storage media are physically destroyed.

5.4. Backup Recovery and Testing


1. The backup Administrator shall define and develop a backup restoration test plan.
2. Backup tapes shall be randomly tested for data recovery by the Backup Administrator as per the
backup restoration test plan.
3. Recovery testing shall be done at least once in a year.
4. The backup Administrator shall regularly perform the backup for each service/ information system
based on the requirement provided by the business process owner or ensure that information/data is
available in the event of failure of information processing.

5.5. Backup Media Disposal


1. Backup media shall be disposed of after the approval of the business/asset owner, Information Security
(IS) Officer and the IT Manager.
2. IT Manager shall ensure that the data on the media is not accessible by any means after the disposal.
3. All backup media shall be disposed of in a secure manner at the end of their life, or if found to be
corrupted or damaged, and the disposal process shall ensure the following:
• The media is properly degaussed;
• Labels/tags containing reference to Axis Insurance Brokers' internal information are
removed; and
• Tapes and other non-reusable data storage media are physically destroyed.


1. Appendix - Backup Schedule

Information
Backup Backup Encryption
S.N Item RTO RPO Owner
Periodicity Location Required?
/Custodian

1 Proctora 1 day Daily Full Operating system


4 Hours CTO Yes

6. Policy Compliance, Enforcement, and Violations


Violations of this policy and supporting policies shall result in the initiation of a disciplinary process and may
result in a warning letter / memo, further training (if required), termination of contract or agreement, or
legal actions.

7. Reference

Sr No.   ADHICS Standard   Control Name
1        AM 4.3            Media Handling
2        PE 1              Protecting Against External and Environmental Threats
3        OM 5              Information Backup
