INF-04: Backup & Recovery
Objective
Ensure business continuity through reliable backup and recovery capabilities.
Description
Critical systems and data are backed up regularly. Backups are encrypted and tested. Disaster recovery procedures are documented and tested annually.
Implementation Details
Database Backups: RDS automated backups daily with 30-day retention. Manual snapshots before major changes.
Infrastructure Backups: Terraform state backed up. AMI snapshots of critical EC2 instances. S3 versioning enabled for application data.
Backup Testing: Quarterly restore test from backup to verify recovery. Document restore time and success.
DR Plan: Written disaster recovery plan tested annually. Defines RTO (4 hours) and RPO (1 hour) targets.
Examples
- RDS production database has automated daily backups retained 30 days
- Q4 2024 backup restore test successfully restored production database in 45 minutes
- S3 versioning enabled on all production buckets with MFA delete protection
- Annual DR tabletop exercise completed with documented findings
Audit Evidence
- Backup configuration showing schedule and retention
- Quarterly backup restore test results
- Disaster recovery plan document
- Annual DR exercise documentation
Framework Mapping
SOC 2
- A1.2 ^[Regular backups and disaster recovery procedures ensure availability commitments are met]
- CC9.1 ^[Business continuity planning includes backup and recovery capabilities for critical systems]
GDPR
- Article 32 ^[Backup and recovery capabilities ensure resilience and ability to restore availability and access to data after incident]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Processes:
- Backup and Recovery Process ^[7-step backup process: scope definition, automated configuration, monitoring, security (encryption/access control), quarterly recovery testing, annual DR drill, documentation]