Roman Milert - Fotolia

Which backup standards guide a data protection strategy?

A strong data protection strategy must follow applicable standards and regulations to protect data and comply with privacy laws. What are some key standards to look out for?

Data is one of an organization's most valuable assets. Keeping these assets safe and protected from malware, cyber threats and even human error is a mission-critical IT activity.

Domestic and international backup standards and regulations underscore the importance of protecting systems and data but typically do not specify the step-by-step process for performing these activities.

Key standards that reinforce the value of backup and recovery include standards from the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST). Regulations, such as HIPAA, offer guidance for data protection and privacy law compliance that can steer backup and recovery strategy. Below are a handful of standards and regulations specific to data protection efforts.

3 key backup standards

Numerous standards apply to data backup. Organizations such as ISO and NIST publish backup standards that address storage security management, risk mitigation and data protection.

Backup standards for IT teams include the following:

ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security. This standard provides detailed technical guidance on how to effectively manage all aspects of data storage security, from planning and design to implementation and documentation. The standard provides guidance on mitigating risks of data breaches and corruption.

ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements. This standard is part of the ISO 27000 suite of standards that governs issues associated with information security. ISO/IEC 27001:2013 covers ways to improve an organization's data security and tailor a strategy of risk assessment and mitigation for that organization.

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This standard considers the critical role of backup and recovery in data protection, particularly Controlled Unclassified Information (CUI). CUI data is not covered under federal protection laws and isn't owned or created by the federal government. NIST SP 800-171 -- as well as its supplement, SP 800-172, which was last updated in February 2021 -- can provide guidance to data protection teams that ensures CUI data is secure.

Regulations to watch out for

Compliance with local and global privacy regulations is an increasingly important part of data protection strategy. Two regulations, General Data Protection Regulation (GDPR) in the EU and California Consumer Privacy Act (CCPA) in the U.S., affect how organizations back up and store personal information. Violations of data regulations can result in penalty fees.

Domestic and global regulations that address backup and recovery include the following:

GDPR. The primary global data protection regulation, developed by the EU but with global effects, addresses the need for data protection activities, such as backup and recovery. GDPR expands privacy rights of data subjects and covers data produced by EU citizens, as well as all people whose data is stored in EU-member countries. It does not matter if the data belongs to EU citizens or if the organization collecting the data is in the EU.

CCPA. This regulation supports individuals' right to control their own personally identifiable information (PII). It gives California residents a way to control their PII through certain rights, including the right to know what personal information is being collected and the right to refuse sale of PII. Many IT organizations have rolled out CCPA compliance for all users, rather than create specific sites for California residents.

HIPAA. The Health Insurance Portability and Accountability Act Security Rule regulates information backup as well, in 45 CFR Part 160 and Subparts A and C of Part 164. Part 164 of the HIPAA Security Rule, in particular, includes requirements for protecting the security and integrity of electronic personal health information and includes backup and recovery in its requirements. This regulation serves as an audit and assessment standard for healthcare and nonhealthcare institutions.

Standards and regulations do not specify how to perform backup and recovery -- only that they are crucial activities. When an organization has formal backup and recovery processes, it can demonstrate conformity with these backup standards and regulations.

Next Steps

Adopt data storage security standards to ensure compliance

Dig Deeper on Archiving and tape backup