Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Why Is This Control Critical?
In the cybersecurity triad of Confidentiality, Integrity, and Availability (CIA), the availability of data is, in some cases, more critical than its confidentiality. Enterprises need many types of data to make business decisions, and when that data is unavailable or untrusted, the enterprise can be affected. An easy example is weather information for a transportation enterprise. When attackers compromise enterprise assets, they make changes to configurations, add accounts, and often add software or scripts. These changes are not always easy to identify, as attackers might corrupt or wipe backup data and logs. This can make restoring to a known, trusted state difficult.
Safeguards (5)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 11.1 | Establish and Maintain a Data Recovery Process | Recover | IG1, IG2, IG3 | 8 | 5 |
| 11.2 | Perform Automated Backups | Recover | IG1, IG2, IG3 | 8 | 5 |
| 11.3 | Protect Recovery Data | Protect | IG1, IG2, IG3 | 10 | 7 |
| 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Recover | IG1, IG2, IG3 | 8 | 5 |
| 11.5 | Test Data Recovery | Recover | IG2, IG3 | 8 | 5 |
Audit Verification Details
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Encryption is applied to all in-scope data at rest and in transit using approved algorithms. | Encryption status reports, TLS scan results, disk encryption audit |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Encryption keys are managed per the key management procedure (rotation, storage, access). | Key rotation logs, key management system audit |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly |
| Document | Key management procedures and key rotation records | Reviewed annually |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |