IG1 IG2 IG3

Protect Recovery Data

Control Group: 11. Data Recovery

Asset Type: Data

Security Function: Protect

Description

Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

Implementation Checklist

1

Assess current protection controls in place

2

Configure and deploy required security controls

3

Test control effectiveness in non-production environment

4

Deploy to production and verify functionality

5

Document configuration and operational procedures

6

Identify all data requiring encryption

7

Select approved encryption algorithms and key lengths (AES-256)

8

Deploy encryption solution and verify data protection

9

Establish key management procedures

10

Identify critical data and systems requiring backup

11

Configure automated backup schedules

12

Verify backup integrity and test restoration

13

Store backups securely with offsite/air-gapped copies

Tool Recommendations

Veeam Data Platform Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise backup, recovery, and data security platform for virtual, physical, cloud, and SaaS workloads

Veeam · Per-workload subscription

Commvault Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise data protection platform with backup, recovery, ransomware detection, and cyber deception

Commvault · Per-workload subscription

Rubrik Security Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Zero Trust data security platform with immutable backups, ransomware monitoring, and automated recovery

Rubrik · Per-workload subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Ransomware Encrypting Unprotected Backup Repositories

Availability

Ransomware operators specifically target backup systems and encrypt or delete backup data that is stored without adequate protection, eliminating the organization's ability to recover without paying the ransom.

Backup Data Breach Exposing Sensitive Information

Confidentiality

Unencrypted backup media or repositories are accessed by unauthorized parties, exposing sensitive data including PII, financial records, and intellectual property that exists in an easily restorable format within the backup archives.

Insider Theft of Unprotected Backup Media

Confidentiality

Employees or contractors with physical access steal unencrypted backup tapes or portable backup drives, obtaining a complete copy of enterprise data without triggering any access controls that protect the production systems.

Vulnerabilities (When Safeguard Absent)

Backup Data Stored Without Encryption

Backup repositories and media are not encrypted, meaning anyone with access to the storage location can read all backed-up data, including sensitive information that is encrypted or access-controlled in production environments.

Backup Access Controls Weaker Than Production Data

Recovery data is stored with access controls that are less restrictive than those protecting the original data, allowing individuals who cannot access production data to freely access the same data through backup systems.

Evidence Requirements

Type	Evidence Item	Collection Frequency
Technical	Configuration screenshots or exports showing protection controls enabled	Captured quarterly
Document	Procedure documentation for protection measures	Reviewed annually
Technical	Encryption configuration evidence (disk encryption status, TLS settings)	Scanned monthly
Document	Key management procedures and key rotation records	Reviewed annually
Technical	Backup job status reports and success rates	Reviewed weekly
Record	Backup restoration test results	Tested quarterly
Document	Governing policy document (current, approved, communicated)	Reviewed annually

Related Policy Templates

Backup and Recovery Policy

Control 11

Related Safeguards in Control 11

11.1 Establish and Maintain a Data Recovery Process

11.2 Perform Automated Backups

11.4 Establish and Maintain an Isolated Instance of Recovery Data

11.5 Test Data Recovery