All U-M institutional data must be backed up. All U-M units and research programs at UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine are required to develop and document backup plans as part of their Disaster Recovery Management planning and their compliance with Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12). This will also help to minimize data loss after an IT incident (for example, Ransomware Mitigation).
Required Backups
Backups are required for:
- All systems deemed mission-critical.
- All data that originates from within U-M that cannot otherwise be easily reconstructed within the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) specified below.
- All systems and workstations handling university data classified as Restricted, High, or Moderate.
  - For data classified as Restricted or High:
    - RPO: 0–24 hours
    - RTO: 24–48 hours
    - Backup encryption: Required at rest and in transit
  - For data classified as Moderate:
    - RPO: 0–24 hours
    - RTO: 7–30 days
    - Backup encryption: Recommended
- All applications that have been heavily modified or customized for use by U-M.
- Third-party provider services or systems that process, store, or maintain sensitive university data or that manage a mission-critical system.
Recommended Backups
Backups are highly recommended for individual faculty and staff workstations, particularly if those workstations contain data that has value as intellectual property and cannot otherwise be recreated in a timeframe satisfactory to the owner. Backups are recommended for systems and workstations handling university data classified as Low:
- RPO: 0–24 hours
- RTO: 1 month or non-recoverable
- Backup encryption: Optional
Document Your Backup Procedures
Units must document their procedures for systems requiring backups, which should be reviewed and updated regularly. Documentation should include:
- RTOs and RPOs
- Backup location
- Type of storage/media used for backups
- Frequency of backups
- Backup retention protocol
- Backup testing (verification)
- Media replacement or changes to type of backup
- Roles and responsibilities
Unit Responsibilities
U-M units and research programs are required to:
- Identify primary responsibility within the unit or research program for data backup to ensure timeliness and accountability.
- Classify institutional data based on U-M data classifications and determine the backup method that will allow them to meet the guidelines for that system and/or data.
- Encrypt backups containing data classified as Restricted or High, both in transit and in storage. For backups containing data classified as Moderate, encryption is recommended.
- Validate backups and make sure they are able to meet the desired RTOs and RPOs.
- Ensure contracts with U-M vendors comply with backup and disaster recovery guidance to protect access to U-M mission-critical data or systems. This includes providing U-M access to review documented disaster recovery plans and test results.
ITS Backup Services Available
Backup of U-M data must be to a U-M device, server, or UM-contracted-for cloud service, not a personally owned device. Information and Technology Services (ITS) offers Backup and Storage services that units can use to meet their backup requirements. Two services are specifically designed to meet your backup needs:
- MiBackup provides automatic, scheduled, remote data backup for files located on servers that are managed by units, faculty, staff, and students.
- Desktop Backup can be used to automatically back up critical data stored on individual workstations that is not stored elsewhere. Remember to select an appropriate backup option when ordering an ITS service, such as MiServer.
You are responsible for knowing the backup policies and procedures of cloud services you use to store U-M data. If you are using a UM-contracted-for service, check the Sensitive Data Guide to make sure it complies with U-M and legal requirements for your data type.
Backup Best Practices
Information Assurance recommends the following best practices for your backup procedures:
- Store the most recent full backup of the system off-site in case of disaster.
- Run one full backup of your systems or data at least once a week.
- Run differential or incremental backups daily—if feasible—on highly dynamic systems.
- Run backups before or after critical milestones to allow recovery to critical points in time, i.e., end-of-month processing, year-end processing, or before a major system upgrade.
- Schedule backups for times when the system is not in use, if possible, to ensure that all files are captured and performance issues are avoided.
- Test system restoration using the backups on a regular basis.
- Securely erase or destroy no-longer-needed data backups by following the guidance at Erasing UM-Owned Devices.
Applicable University Policies
You are responsible for complying with the policies and standards below. The requirements on this page help you meet that responsibility.