MedStack Technology Compliance Policies

Backup

Create and maintain integrous backups

• Why
  • Protect data against accidental or malicious deletion and media and access failure.
  • Provide a basis for restoration in case of system failure.
• Make complete, exact copies
  • Dump entire database servers using official tools.
  • Encrypt and sign backup archives.
  • Restrict the ability to modify backup files (for example, use write-only access for servers creating backups).
• Maintain confidentiality in backups
  • Restrict access to backup files to superadmins and customer administrators.
  • Ensure that temporary files are on encrypted drives.
• Maximize availability, durability and retrievabilty
  • Protect backups against media failure, power spikes or outages, fire, flood, or other natural disaster, viruses, hackers, and improper acts by employees and others.
  • Store backups in a separate physical environment to mitigate loss of an environment.
  • Make redundant copies of backups to mitigate the loss of physical media.

Automatically create point-in-time backups

• For virtual machines
  • hourly (expires after one day)
  • daily (expires after one week)
  • weekly (expires after 4 weeks)
  • monthly (never expires)
  • After a backup expires, permanently delete it.
• For managed databases
  • based on the schedule and retention time provided by the cloud service provider

Automatically validate backup management

• Monitor the backup lifecycle automatically.
• Test backup restoration.
• Log all backup activity.

Restrict access to backups

• Our employees
  • superadmins
• Customers
  • The customer is responsible for restricting the access of their personnel and systems to the backups and keys.

Enforcement

• Responsible party: All information technology managers and supervisors
• sanctions: standard

References