10.4: Protect Backups

Sub-control 10.4 states that you must ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Data | Protect | 1, 2, 3 |

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory
  • Sub-control 1.5: Maintain Asset Inventory Information
  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Endpoint inventory: The list of endpoints configured for periodic backup, derived from the endpoint inventory (sub-control 1.4).

  2. Backup configuration policy: The organization’s backup configuration policy.

Assumptions

  • Backup software (either OS or third-party) is installed and appropriately configured on endpoints identified in I1.

Operations

  1. Interrogate the organization’s backup configuration policy to determine if backups are configured to be encrypted.

  2. For each endpoint, examine its backup configuration policy to ensure that encrypted backups are configured. Note which endpoints are configured appropriately and inappropriately.

Measures

| Measure | Definition |
|---|---|
| M1 = List of endpoints | A list of endpoints. |
| M2 = Count of items in M1 | A count of the total number of items in M1. |
| M3 = List of appropriately configured endpoints | A list of endpoints that are configured correctly. |
| M4 = Count of items in M3 | A count of the total number of items in M3. |
| M5 = List of inappropriately configured endpoints | A list of endpoints that are configured incorrectly. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |

Metrics

Coverage

| Metric | Calculation |
|---|---|
| The percentage of backups that are protected via physical security/encryption. | M6 / M2 |
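
An added example (not part of the specification itself) that runs the Operations and Measures above over a constructed inventory. The field names `encrypt_at_rest`, `physically_secured` and `encrypt_in_transit` are hypothetical, network transfers are assumed to require encryption, and an endpoint with no collected configuration is assumed to count as inappropriately configured. It returns the M6 / M2 calculation given in the table and, as an addition, M4 / M2, the share of appropriately configured endpoints.

```python
# Added example: field names and sample records are constructed for
# illustration and do not come from any particular backup product.

# Input 1: endpoints configured for periodic backup (constructed sample).
INVENTORY = ["fs01", "db01", "ws17", "ws22"]

# Per-endpoint backup settings as an assessor might collect them (constructed).
# ws22 is in the inventory but no configuration was collected for it.
CONFIGS = {
    "fs01": {"encrypt_at_rest": True, "physically_secured": False,
             "encrypt_in_transit": True},
    "db01": {"encrypt_at_rest": False, "physically_secured": True,
             "encrypt_in_transit": True},
    "ws17": {"encrypt_at_rest": True, "physically_secured": False,
             "encrypt_in_transit": False},
}


def is_protected(cfg):
    """Stored copies need encryption or physical security; copies moved
    across the network need encryption (assumption of this example)."""
    if cfg is None:
        return False  # no evidence collected: treat as inappropriately configured
    at_rest = cfg.get("encrypt_at_rest", False) or cfg.get("physically_secured", False)
    return bool(at_rest and cfg.get("encrypt_in_transit", False))


def measure(inventory, configs):
    """Compute M1..M6 and the coverage ratios for the given inventory."""
    m1 = sorted(set(inventory))                            # M1: endpoints
    m3 = [e for e in m1 if is_protected(configs.get(e))]   # M3: appropriate
    m5 = [e for e in m1 if e not in m3]                    # M5: inappropriate
    m2, m4, m6 = len(m1), len(m3), len(m5)
    return {
        "M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5, "M6": m6,
        # Calculation as given in the Metrics table: M6 / M2.
        "M6/M2": m6 / m2 if m2 else None,
        # Added here, not from the page: share of appropriately configured endpoints.
        "M4/M2": m4 / m2 if m2 else None,
    }


if __name__ == "__main__":
    for name, value in measure(INVENTORY, CONFIGS).items():
        print(f"{name}: {value}")
```
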