last sync: 2024-Sep-18 17:50:24 UTC

Microsoft Managed Control 1287 - Information System Backup | Regulatory Compliance - Contingency Planning

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1287 - Information System Backup
Id 819dc6da-289d-476e-8500-7e341ef8677d
Version 1.0.0
Versioning Built-in Versioning [Preview]; versions supported for versioning: 0
Category Regulatory Compliance
Description Microsoft implements this Contingency Planning control
Additional metadata Name/Id: ACF1287 / Microsoft Managed Control 1287
Category: Contingency Planning
Title: Information System Backup - User-level Information
Ownership: Customer, Microsoft
Description: The organization conducts backups of user-level information contained in the information system (daily incremental and weekly full). Azure Infrastructure provides a backup service that consists of daily incremental and weekly full backups. Critical information and services are deployed in redundant datacenters in an active-active configuration.
Requirements: For user-level information stored in Azure Storage, data is synchronously replicated locally using Locally Redundant Storage (LRS), which provides redundancy equivalent to three copies. In addition, data is asynchronously replicated to a separate datacenter in the zone or to a remote region for accounts which have configured Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), or Read-Access Geo-Redundant Storage (RA-GRS). The backups sent to Azure Storage are encrypted using FIPS 140-2 compliant AES 256-bit encryption. There are three types of backups: Customer Machine, Disk Pod, and Tape. For Customer Machine and Disk Pod backups, the data is tied together in a location and retained for seven (7) days. Disk Pods back up to Blob storage, in which there are two accounts, ensuring that data is backed up into two accounts in different regions. For tape backup, the Data Protection Services (DPS) policies and procedures describe the roles, responsibilities, and services for the backup standards, retention policies, monitoring, and reports available to customers. All information backed up and stored uses the Data Type Classification according to CELA Data Classification. Service teams are required to identify the Data Type Classification, which in turn drives the appropriate retention and storage policy assigned. The default settings include a full backup once a week and a nightly differential backup. If the backup schedule needs changing based on customer requirements, a workflow ticket is opened requesting the change. The ticket is reviewed and approved by DPS prior to instituting the change. Backup tapes are moved to an off-site facility for long-term storage. The scalar tape backup library, encryption device, and servers are in each applicable datacenter. The secure off-site backup process consists of the following:
* Off-site containers are stored within the datacenter.
* The containers are loaded within the datacenter by authorized personnel.
* All tapes are placed inside the containers for transport.
* Containers are locked by authorized personnel.
* CommVault Simpana Software is used to track the tape numbers through a vault report. Along with the CommVault Simpana vault report, a workflow ticket is created to track the tapes, their transport, and the personnel involved. The tracking is to ensure the location of the tapes is known in the event a recovery is requested.
* The off-site vendor retrieves the containers according to a schedule specified by DPS.
* The locked containers are stored within the datacenter until an off-site vendor representative can retrieve the tape containers.
* When the off-site vendor picks up the tape containers, they are not allowed to enter any datacenter, as mandated by security. The tape containers are brought to the lobby for the exchange.
* Authorized personnel who handle the tapes are required to have an authorization account with the off-site vendor. This account includes a unique account number that is tracked by the off-site vendor when tapes are exchanged.
* If tapes need to be retrieved for recovery purposes, authorized personnel can request the tape from off-site storage. All recovery requests are initiated by the customer by opening a workflow ticket. This ticket allows tracking of the entire recovery process. Expired tapes are tracked by vaulting and the off-site vendor. Tapes are returned to the datacenter on the day of expiration.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed (audit)
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 5 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1287 - Information System Backup' (819dc6da-289d-476e-8500-7e341ef8677d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.cont.1 Impact analysis op.cont.1 Impact analysis 404 not found n/a n/a 68
op.cont.2 Continuity plan op.cont.2 Continuity plan 404 not found n/a n/a 68
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
Initiatives usage
Initiative DisplayName: Spain ENS
Initiative Id: 175daf90-21e1-4fec-b745-7b4c909aa94c
Initiative Category: Regulatory Compliance
State: GA
Type: BuiltIn
History none
JSON
api-version=2021-06-01