Information Backup Policy (A.12.3.1)
Objectives
Business information and services are a vital part of any organization and should be protected. Simply saving information is not enough; performing backups of all application-critical information within Breezy will help prevent business downtime and/or loss of data and services. Without adequate backups, failure due to computer malfunction, human error, or natural disaster could cause unrecoverable interruptions.
- The objective of this policy is to safeguard the Breezy information assets, prevent loss of data due to accidental deletion or corruption, and facilitate the timely restoration of information and business process(es) should a system failure occur.
- By protecting Breezy information assets and information systems, this Information Backup Policy protects both the company and individual users.
- Backup of Breezy’s data files, and the ability to recover such data, is a top priority. Management is responsible for ensuring backup operation frequency and recovery procedure(s) align with the professional standards and product goals of Breezy HR and the Applicant Tracking System.
Scope
The Breezy HR Information Backup Policy shall apply to all information assets, information systems and other resources provided by Breezy for the purpose of supporting the Applicant Tracking System from Breezy HR.
Policy
General Requirements
Backups of Breezy servers and data must be retained to the degree that server operating systems and applications are fully recoverable with limited data or service level agreement loss. This may be achieved using a combination of snapshots, copies, incremental backups, differential backups, transaction logs, replication, or other techniques.
Breezy employs two types of storage, object and block, for all storage needs. In general, object storage shall be fulfilled by Amazon S3 object storage service and block storage fulfilled by Amazon Elastic Block Store volumes, employing appropriate scalability, data availability, security, encryption, lifecycle, and performance property values to meet or exceed Breezy contractual obligation service levels. Exceptions to this policy must be approved by the Technology Director via submission of a completed Threat and Risk Management Form following proper change management.
Information system owners must ensure adequate backup, system recovery, and testing procedures are in place to ensure recovery from loss of service level in a safe and expeditious manner. Application-critical object storage buckets, noted via cross-region replication name/tag, shall employ cross-region replication to ensure rapid recovery from a loss of service in their normal S3 operations region. Application-critical object storage buckets shall also apply a daily inventory configuration to ensure a physical inventory report is available in the Breezy inventory and analytics storage. Application-critical object storage shall receive quarterly audits, via random statistical sampling, of existing inventory against the replication destination. Application-critical block storage volumes shall be backed up on a nightly schedule. Application-critical block storage recovery and testing shall occur daily, migrating the previous night's production backup into the development environment, to prove and audit safe and expeditious recovery every day.
Management must ensure safeguards are in place to protect the integrity of data during the recovery and restoration of data, especially where such data may replace more recent data. Application-critical object storage shall employ versioning and replication as safeguards to the integrity of object storage, while block storage shall employ encrypted backups and snapshots to ensure data integrity.
Storage media/services used for the archiving of information must be appropriate to expected longevity. The format in which data is stored must be carefully considered, especially where proprietary formats are involved. Amazon S3 object storage and Elastic Block Store services shall be employed to meet or exceed data durability and availability service levels in support of Breezy service level contractual obligations. Object storage is currently retained indefinitely due to the relatively low cost of storage. Block storage retention is 30 days, to align with Breezy contractual obligations per ISMS Clause 4.
Business information should not be stored on laptops or portable computers. As a remote workforce, all business information should be stored in the cloud (either in a company cloud drive or a company-owned personal cloud drive).
Definitions
Backup - The procedure for making extra copies of information stored on disparate servers and computers in case the original is lost or damaged.
Restore - The process of returning to a former condition using a backup.
Cross Region Replication - Process by which an object created or updated in, for example, us-east-1 is immediately replicated to another region for backup.
Responsibilities
- The Technology Director is responsible for ensuring this Information Backup Policy remains current and is aligned with Breezy business activities and security objectives.
- All Breezy employees, contractors, and third-party vendors are responsible for the compliance of all information backups detailed within the scope of this policy.