Determine Backup Requirements
Plain English Translation
Organizations must evaluate their individual systems and data to decide what needs to be backed up and how often. Instead of a one-size-fits-all approach, a backup strategy should be tailored to how critical each system is and how much data loss the business can tolerate, ensuring effective recovery during an incident.
Technical Implementation
Required Actions (startup)
- Identify essential systems that require backups based on critical business functions.
- Set a basic backup schedule for critical files and servers.
- Ensure cloud providers like Microsoft 365 or Google Workspace are included in the backup strategy.
Required Actions (scaleup)
- Define explicit RPO and RTO metrics for different data classifications.
- Implement automated backup systems tailored to the frequency requirements of each application.
- Document backup requirements within a formal business continuity and disaster recovery plan.
Required Actions (enterprise)
- Integrate backup frequency determination into the formal change management and asset deployment processes.
- Use advanced tiering for backups, separating databases, endpoints, and file shares with distinct, automated schedules.
- Regularly audit the backup schedule against the 3-2-1 backup rule to ensure ransomware resilience.
Evidence Required
Backup frequency is determined by analyzing how often data changes and how much data the organization can afford to lose. Highly dynamic systems like transactional databases require frequent backups, whereas static file shares may only need daily or weekly backups. For auditability, tools like WatchDog Security's Compliance Center can help link backup frequency decisions to the control requirement and store supporting rationale as evidence.
Organizations must include any system hosting essential business information, such as financial records, intellectual property, and critical operational software. This includes on-premise servers, cloud environments, and specific endpoints if they hold unique critical data. Tools like WatchDog Security's Asset Inventory can help maintain an accurate, current list of systems and owners so backup scope decisions stay aligned as environments change.
A Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. By defining an RPO, you automatically determine your minimum backup frequency to ensure you never lose more data than the set threshold.
A Recovery Time Objective (RTO) is the maximum acceptable amount of time it takes to restore a system after a disruption. A short RTO requires backup solutions that allow for rapid restoration, influencing the types of backup technologies and strategies selected.
Data classification helps prioritize backup efforts by separating essential, sensitive data from public or redundant information. Critical systems holding high-value data therefore require more rigorous, frequent, and secure backup strategies than lower classifications.
CyberSecure Canada Section 5.6.2.2 requires organizations to evaluate on a case-by-case basis what systems need to be backed up and how frequently. It explicitly recognizes that not all systems have the same backup and recovery requirements.
Databases processing continuous transactions typically require high-frequency backups, such as hourly snapshots or continuous data protection. In contrast, standard file shares or employee endpoints might only require daily or weekly backup schedules.
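The relationship described above, where the RPO fixes the minimum backup frequency and the classification and change rate of a system select its tier, can be made concrete. The following Python is an added example, not code from CyberSecure Canada or from any WatchDog Security product; the tier table, the "critical data at least daily" cap, the change-rate threshold and the inventory are all assumed values chosen for illustration.

```python
"""Derive the minimum backup frequency of a system from its RPO and data
classification. Added illustration; the tier table, the classification
cap, the change-rate cap and the inventory below are assumptions."""
from dataclasses import dataclass
from datetime import timedelta

# Assumed tier table: the longest gap between backups each tier permits.
TIERS = {
    "continuous": timedelta(minutes=5),   # continuous data protection
    "hourly": timedelta(hours=1),
    "daily": timedelta(days=1),
    "weekly": timedelta(weeks=1),
}
COARSEST_FIRST = ("weekly", "daily", "hourly", "continuous")


@dataclass(frozen=True)
class SystemRecord:
    name: str
    classification: str            # assumed labels: critical/sensitive/internal/public
    rpo: timedelta                 # maximum tolerable data loss, measured in time
    changes_per_day: int           # how dynamic the data is
    scheduled_interval: timedelta  # what the existing backup job actually does


def required_interval(system: SystemRecord) -> timedelta:
    """Upper bound on the gap between two backups.

    The bound starts at the RPO: if the newest backup is older than the RPO
    when an incident hits, more data is lost than the business accepted.
    Two assumed policy caps then tighten it.
    """
    bound = system.rpo
    if system.classification == "critical":
        bound = min(bound, TIERS["daily"])      # critical data: at least daily
    if system.changes_per_day >= 1000:
        bound = min(bound, TIERS["hourly"])     # highly dynamic: at least hourly
    return bound


def select_tier(system: SystemRecord) -> str:
    """Coarsest (cheapest) tier whose interval still fits inside the bound."""
    bound = required_interval(system)
    for tier in COARSEST_FIRST:
        if TIERS[tier] <= bound:
            return tier
    return "continuous"   # RPO tighter than even the CDP tier; flag for review


def schedule_findings(system: SystemRecord) -> list[str]:
    """Compare the job that actually runs against what the RPO demands."""
    bound = required_interval(system)
    findings = []
    if system.scheduled_interval > bound:
        findings.append(
            f"{system.name}: scheduled every {system.scheduled_interval}, "
            f"but the RPO-derived bound is {bound}"
        )
    return findings


# Constructed inventory for illustration.
INVENTORY = [
    SystemRecord("erp-db", "critical", timedelta(minutes=15), 50000, timedelta(minutes=5)),
    SystemRecord("hr-share", "sensitive", timedelta(days=7), 20, timedelta(days=1)),
    SystemRecord("finance-share", "critical", timedelta(days=7), 30, timedelta(weeks=1)),
    SystemRecord("intranet-wiki", "internal", timedelta(days=3), 5, timedelta(days=1)),
]


def plan(inventory=INVENTORY) -> dict[str, str]:
    """Map each system to the tier its requirements dictate."""
    return {s.name: select_tier(s) for s in inventory}


def schedule_audit(inventory=INVENTORY) -> list[str]:
    """All schedule findings across the inventory."""
    return [f for s in inventory for f in schedule_findings(s)]


if __name__ == "__main__":
    for name, tier in plan().items():
        print(f"{name:15s} -> {tier}")
    for finding in schedule_audit():
        print("FINDING:", finding)
```

Note how the classification cap changes the answer for the two file shares: both state a seven-day RPO, but the critical one is pushed to a daily tier, and its existing weekly job is reported as a finding because a weekly gap can lose up to a week of data.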
To protect against ransomware, organizations should employ immutable backups that cannot be altered, maintain air-gapped or offline backups separated from the primary network, and follow the 3-2-1 backup rule.
Organizations should document backup requirements for compliance within a formal backup policy or disaster recovery plan. This documentation should map out each critical system, its designated RPO and RTO, the specific backup schedule, and management approval. Tools like WatchDog Security's Policy Management can help manage policy versions and capture approvals, while WatchDog Security's Compliance Center can map the documentation to CSC-05-017 and centralize audit evidence.
Organizations must conduct regular test restores using a sampling of backup data to verify integrity and measure the actual time it takes to recover. This validation ensures the implemented backup frequency and strategy successfully meet the documented recovery needs. Tools like WatchDog Security's Compliance Center can help track restore test records as evidence and tie results back to the stated recovery requirements.
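The ransomware safeguards and the test-restore validation described above can be expressed as an audit over the records a backup policy already requires: the copies kept for each system and the results of recent restore tests. The following Python is an added example, not code from CyberSecure Canada or from any WatchDog Security product; the record layouts, the per-system RTO/RPO table and the sample copies and test results are constructed for illustration.

```python
"""Audit backup copies against the 3-2-1 rule plus a ransomware check, and
restore-test records against the documented RTO and RPO. Added illustration;
the record layouts and all sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    system: str
    media: str        # e.g. "disk", "object-storage", "tape"
    offsite: bool     # stored away from the primary site
    immutable: bool   # write-once / object lock: cannot be altered after write
    offline: bool     # air-gapped or detached from the production network


@dataclass(frozen=True)
class RestoreTest:
    system: str
    started: datetime
    finished: datetime
    integrity_ok: bool      # restored sample matched the source checksums
    backup_age: timedelta   # age of the backup used, at the moment the test began


def copy_findings(system: str, copies: list[BackupCopy]) -> list[str]:
    """3-2-1: three copies in total (the live data counts as one), on two
    different media types, at least one of them off-site. Ransomware adds a
    fourth requirement: at least one copy that an attacker holding production
    credentials cannot alter or delete, i.e. immutable or offline."""
    mine = [c for c in copies if c.system == system]
    findings = []
    if len(mine) < 3:
        findings.append(f"{system}: only {len(mine)} copies, 3-2-1 needs three")
    if len({c.media for c in mine}) < 2:
        findings.append(f"{system}: all copies on one media type")
    if not any(c.offsite for c in mine):
        findings.append(f"{system}: no off-site copy")
    if not any(c.immutable or c.offline for c in mine):
        findings.append(f"{system}: no immutable or offline copy; ransomware could reach every copy")
    return findings


def restore_findings(system: str, rto: timedelta, rpo: timedelta,
                     tests: list[RestoreTest]) -> list[str]:
    """Does the most recent test restore prove the documented RTO and RPO?"""
    mine = [t for t in tests if t.system == system]
    if not mine:
        return [f"{system}: no test restore on record"]
    latest = max(mine, key=lambda t: t.finished)
    findings = []
    measured = latest.finished - latest.started
    if measured > rto:
        findings.append(f"{system}: restore took {measured}, RTO is {rto}")
    if not latest.integrity_ok:
        findings.append(f"{system}: restored data failed integrity check")
    if latest.backup_age > rpo:
        findings.append(f"{system}: newest usable backup was {latest.backup_age} old, RPO is {rpo}")
    return findings


# Constructed sample data.
COPIES = [
    BackupCopy("erp-db", "disk", False, False, False),            # live data
    BackupCopy("erp-db", "object-storage", True, True, False),    # object lock
    BackupCopy("erp-db", "tape", True, False, True),              # vaulted tape
    BackupCopy("hr-share", "disk", False, False, False),          # live data
    BackupCopy("hr-share", "disk", False, False, False),          # same array
]
TESTS = [
    RestoreTest("erp-db", datetime(2026, 2, 10, 9, 0), datetime(2026, 2, 10, 9, 40),
                True, timedelta(minutes=10)),
]
REQUIREMENTS = {  # system -> (RTO, RPO) as documented in the DR plan
    "erp-db": (timedelta(hours=1), timedelta(minutes=15)),
    "hr-share": (timedelta(hours=8), timedelta(days=7)),
}


def resilience_audit(requirements=REQUIREMENTS, copies=COPIES,
                     tests=TESTS) -> dict[str, list[str]]:
    """Per-system list of findings; an empty list means the system passes."""
    return {
        name: copy_findings(name, copies) + restore_findings(name, rto, rpo, tests)
        for name, (rto, rpo) in requirements.items()
    }


if __name__ == "__main__":
    for name, findings in resilience_audit().items():
        print(name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

The immutable-or-offline check is deliberately separate from the 3-2-1 count: a system can satisfy three copies, two media and one off-site location while every copy remains reachable and deletable from the production network, which is exactly the situation a ransomware operator looks for. The restore check likewise uses the measured duration and the age of the backup actually restored, so the audit reports what the recovery capability is rather than what the schedule promises.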
Backup requirements often drift as new apps, cloud services, and data stores are introduced. Tools like WatchDog Security's Asset Inventory can help maintain an up-to-date system list with ownership and criticality context, while WatchDog Security's Compliance Center can track rationale and evidence that each system’s backup scope and frequency were reviewed.
Auditors typically look for documented RPO/RTO decisions, defined backup scope and frequency per system, and management approval with review cadence. Tools like WatchDog Security's Policy Management can help control versions and capture approvals, and WatchDog Security's Compliance Center can map those records to CSC-05-017 and package them as audit-ready evidence.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |