10.5: Ensure All Backups Have at Least One Offline Backup Destination

Sub-control 10.5 states that you must ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Asset Type Security Function Implementation Groups
Data Protect 1, 2, 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory
  • Sub-control 1.5: Maintain Asset Inventory Information
  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Endpoint Inventory: A list of endpoints.

  2. Backup configuration policy: The backup configuration policy, assuming the inclusion of “offline” backup destinations.

Operations

  1. Collect a list of endpoints that do/do not matchthe policy specified in I2.

Measures

Measure Definition
M1 = List of endpoints

A list of endpoints.

M2 = Count of items in M1

A count of the total number of items in M1.

M3 = List of endpoints matching policy A list of endpoints that match the policy.
M4 = Count of items in M3 A count of the total number of items in M3.
M5 = List of endpoints not matching policy A list of endpoints that do not match the policy.
M6 = Count of items in M5 A count of the total number of items in M5.

Metrics

Coverage

Metric Calculation
The ratio of endpoints matching the backup configuration policy compared to the total number of endpoints. M4 / M2

Lack of Coverage

Metric Calculation
The ratio of endpoints not matching the backup configuration policy compared to the total number of endpoints. M5 / M2