Backup & Recovery Policy

Purpose

This policy explains how system backups and recovery procedures are managed within the SOC environment. The goal is to ensure data can be restored after failure, incident, or cyberattack, and that critical systems can return to normal operations quickly and securely.

Scope

Applies to:

• SOC Analysts
• System Administrators
• Personnel involved in backup or recovery tasks

Covers all backup and recovery processes for:

• Servers
• Databases
• Virtual machines
• Configuration files
• Security logs (including Wazuh)
• System images
• Any critical SOC infrastructure

Policy Rules

1. Backup Requirements

• Daily backups: Logs, configuration files, operational data
• Weekly backups: Full system images and server snapshots
• Monthly backups: Offsite or cold-storage full backups

3-2-1 Rule must be followed:

• 3 copies of all critical data
• Stored on 2 different media types
• With 1 copy stored offsite or offline

Backup Security Requirements:

• Backups must be encrypted at rest and in transit.

2. Backup Access and Permissions

Access is restricted to:

• System Administrators
• SOC Leads
• Backup/Recovery Personnel

Backup account requirements:

• Must use MFA
• Must use strong, unique passwords
• No shared credentials
• All access must be monitored and logged

3. Backup Storage Requirements

Backups may be stored on:

• SAN/NAS
• Approved cloud backup systems
• Offline or cold-storage media

Backup storage must be:

• Encrypted
• Firewalled
• Version-controlled
• Monitored for integrity

Backups must be protected from deletion or corruption using retention or write-once controls.

4. Recovery Procedures

Recovery must follow documented and tested processes, including:

1. Identify incident or system failure
2. Validate backup integrity
3. Select correct restore point
4. Restore data or system images
5. Verify successful recovery
6. Document actions in SOC logs and incident records

Only authorized administrators may perform recovery actions.

5. Testing Backups & Restores

• Restore testing must occur every 3 months
• Full disaster recovery tests for critical systems occur annually
• Failed tests must be documented and corrected immediately
• All test logs must be archived for auditing

6. Logging and Monitoring

The SOC must log:

• Backup creation events
• Backup failures
• Access to backup storage
• Restore operations
• Changes to backup schedules
• Backup deletion or overwrite attempts

Suspicious backup-related activity must generate alerts.

7. Reviewing Backup Configurations

Backup and recovery configurations must be reviewed:

• Every 6 months
• When system roles or requirements change
• Immediately after major incidents
• When new servers or critical systems are added

8. Handling Backup or Recovery Failures

If a backup fails or a recovery is not possible:

• Notify SOC Leads
• Attempt restoration from an alternate restore point
• Document the issue thoroughly
• Investigate the cause
• Update backup plan to prevent recurrence
• Inform management of critical failures

9. Consequences for Violations

Possible consequences include:

• Loss of system privileges
• Removal from SOC duties
• Academic consequences per course policy

Negligence that endangers SOC data or system availability is treated seriously.

10. Exceptions

Exceptions must:

• Be formally documented
• Include a valid reason
• Be approved by SOC management/instructor
• Include compensating controls

11. Policy Updates

This policy is reviewed at least annually or when:

• Backup technologies change
• New systems are introduced
• Major incidents expose weaknesses