01 Mar 2019
Are Your Backups Compliant
- Posted by Concept Wordpress Admin
- In Backup & DR
How does the ACSC white paper relate to you?
The ACSC (Australian Cyber Security Centre) recently published the Essential Eight Maturity Model, which grades how completely an organisation has implemented each of the eight mitigation strategies the ACSC recommends.
We are particularly concerned with the part of that maturity model that covers daily backups. Our focus is on backups first because they are your last line of defence against any cyber security event: once every other control has failed and production data has been encrypted, corrupted or deleted, the backup is the only thing left to recover from.
For the full brief on this paper, please refer to this website.
https://acsc.gov.au/publications/protect/essential-eight-maturity-model.htm
For your convenience, we have extracted the information relevant to this discussion. This paper released by the Australian Cyber Security Centre has significant implications for all future management of on-site backup and recovery.
If your backups are written to a NAS or USB drive that stays connected and writable from the production network, the same attacker or malware that compromises your servers can encrypt, delete or overwrite the backups as well. A backup store that can be re-written in that way is not "offline, or online but in a non-rewritable and non-erasable manner", so it can no longer meet Maturity Level Two or Level Three. Legacy backup systems built up over many years served their purpose, but today's rapidly changing cyber security landscape means we need to constantly reassess them.
ACSC has defined three maturity levels
To assist organisations in determining the maturity of their implementation of the Essential Eight, three maturity levels have been defined for each mitigation strategy. The maturity levels are defined as:
- Maturity Level One: Partly aligned with intent of mitigation strategy
- Maturity Level Two: Mostly aligned with intent of mitigation strategy
- Maturity Level Three: Fully aligned with intent of mitigation strategy.
Maturity Level One is described as:
- Backups of important information, software and configuration settings are performed monthly.
- Backups are stored for between one to three months.
- Full backup and restoration processes are tested at least once.
Maturity Level Two is described as:
- Backups of important information, software and configuration settings are performed weekly.
- Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
- Backups are stored for between one to three months.
- Full backup and restoration processes are tested at least once.
- Partial backup and restoration processes are tested on an annual or more frequent basis.
Maturity Level Three is described as:
- Backups of important information, software and configuration settings are performed at least daily.
- Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
- Backups are stored for three months or greater.
- Full backup and restoration processes are tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
- Partial backup and restoration processes are tested on an annual or more frequent basis.
To grade your maturity level, reassess how your daily backups are taken, where they are stored and how long they are kept, and bring your business in line with Maturity Level Three.
If you are running a backup & DR system that does not meet the Maturity Level Three grade, that system needs to be retired and replaced with a compliant one. It is up to you, the client, as the person responsible for your data, to assess this or to instruct us to assess it for you.
Concept Technology Centre no longer supports, monitors or performs data recovery on non-compliant systems. Any current maintenance regime will require a compliant system for us to work with something as important as data backups & DR.
For Maturity Level Three you will also need to accompany your backup system with a business continuity plan (BCP), including change control, so that the following criteria are met and can be evidenced:
- Full backup and restoration processes are tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
- Partial backup and restoration processes are tested on an annual or more frequent basis.
