10.5: Ensure All Backups Have at Least One Offline Backup Destination
Sub-control 10.5 states that you must ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Data | Protect | 1, 2, 3 |
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 1.5: Maintain Asset Inventory Information
-
Sub-control 5.1: Establish Secure Configurations
Inputs
-
Endpoint Inventory: A list of endpoints.
-
Backup configuration policy: The backup configuration policy, assuming the inclusion of “offline” backup destinations.
Operations
-
Collect a list of endpoints that do/do not matchthe policy specified in I2.
Measures
| Measure | Definition |
|---|---|
| M1 = List of endpoints |
A list of endpoints. |
|
M2 = Count of items in M1 |
A count of the total number of items in M1. |
| M3 = List of endpoints matching policy | A list of endpoints that match the policy. |
| M4 = Count of items in M3 | A count of the total number of items in M3. |
| M5 = List of endpoints not matching policy | A list of endpoints that do not match the policy. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
Coverage
| Metric | Calculation |
|---|---|
| The ratio of endpoints matching the backup configuration policy compared to the total number of endpoints. | M4 / M2 |
Lack of Coverage
| Metric | Calculation |
|---|---|
| The ratio of endpoints not matching the backup configuration policy compared to the total number of endpoints. | M5 / M2 |