ICT Infrastructure Backup and Recovery – Schools

Policy

The purpose of this policy is to specify the minimum operational backup requirements for information and communications technology infrastructure in schools. Data archiving and records management are not within the scope of this policy.

Summary

• To minimise IT security and business continuity risks associated with data loss, there is a requirement to implement operational backup and recovery procedures for information and communications technology infrastructure in schools.
• This policy excludes:
  • data archiving and records management
  • backup and recovery of data residing on school systems hosted by external service providers
  • backup and recovery of data residing on school systems hosted centrally by the Department.

Details

For the purposes of backup and recovery, each item of information and communications (ICT) infrastructure located in schools will fall under one of the following categories:

• Department-supplied ICT infrastructure where the Department is responsible for backup and recovery
• Department-supplied ICT infrastructure where the individual school is responsible for backup and recovery
• ICT infrastructure supplied and supported by an external service provider who is responsible for backup and recovery
• school-supplied ICT infrastructure where the individual school is responsible for backup and recovery
• staff and student devices, where the individual school is responsible for backup and recovery

The ICT Infrastructure Classification document in the Resources tab sets out the different types of ICT infrastructure in schools and list who is responsible for backup and recovery. Where a particular type of ICT infrastructure in a school does not appear in this document, schools are responsible for backup and recovery procedures.

Where the Department is responsible for backup and recovery procedures, the standard operational backup frequency will be daily, with backups to be retained for a period of 31 days. Recovery of data on such infrastructure outside of a declared disaster is to be requested by a school through logging a service request via the Services Portal (staff login required).

Schools, supported by Technical Support to Schools (TSSP) personnel, are responsible for defining, implementing and supporting backup and recovery procedures for school ICT infrastructure. These procedures are to be used for the purpose of operational data recovery to minimise IT security and business continuity risks associated with data loss.

Schools are required to classify each item of school ICT infrastructure as falling into one of the 2 following categories:

• where no backup procedures are required, as recovery in the event of data loss can be accomplished by re-initiating or rebuilding the item without loss of data
• where backup procedures are required, due to the business need to recover data in the event of data loss through whatever cause

Where backup procedures are required for an item of school ICT infrastructure, schools are responsible for:

• determining the method used for backup
• determining the backup frequency and retention period for each type to meet operational needs for business continuity, both with respect to recovery from declared disasters and recovery from data loss through other causes
• successfully testing recovery of data from each different type of backup at a minimum of once per year
• implementing automated processes to execute backups according to a schedule that meets the required backup frequency requirement
• putting in place procedures to monitor and report on the success or failure of backups
• ensuring that data recovery of school ICT infrastructure from backup can be achieved in the event of a declared disaster, up to and including total loss of a school site, for example, through fire

Where backups of school ICT infrastructure are transmitted or stored offsite, they are to be encrypted. Schools are to implement suitable processes to manage certificates used for encrypting backups, and that certificates are available for recovery purposes in the event of declared disasters, including total loss of a school site.

Schools are advised that where technically possible, backup processes should be configured to minimise their use of computing and network resources during normal school hours.

It is recommended to backup data stored on staff and student devices by configuring cloud-based data storage services on these devices. The Department-approved cloud-based data storage services for use by schools are:

• Google Drive
• Microsoft OneDrive

Each school should select one of the above cloud-based data storage services for use by staff and students.

The Department, via the assigned school technicians, schools which infrastructure items located at school sites are covered by Department backup and recovery procedures along with assisting the school to put in place backup capability for the school ICT infrastructure.

Further information about school administration server backup of data in the (D:\Users on the fileserver) folder can be found in the Guidance tab.

Definitions

Archive
Storing older information that is not needed for everyday operations (that is, moving these older files to a separate, long-term storage device). The technical requirements and user expectations of data archive are different to data backup.

Backup
Copy data to another medium so that in the event the active data is lost, it can be recovered in a recent, if not completely current, version. Backup is primarily intended for disaster recovery. Backup is not intended for archiving data for future reference or maintaining a versioned history of data. Data backups are not intended to serve as archival copies of data or to meet the departmental records keeping or retention requirements.

Restore
The process of bringing data stored offline back onto a storage system, such as the school administration server.

Retention
The length of time a backup is kept. The backup is deleted at the end of the retention period. Note, retention periods for disaster recovery are different to this policy retention period. The retention period of data backups used for disaster recovery provide for recoverability and a point-in-time snapshot of data as it existed at the time of backup.

School ICT infrastructure
ICT infrastructure that is provided and supported by an individual school, plus that Department-supplied ICT infrastructure where the school has responsibility for backup and recovery.

Related policies

• Acceptable Use Policy for ICT Resources
• Information Security — InfoSafe
• Records Management
• ICT Support for Schools

School administration server backup – users folder

It is important that there is a sound backup regime for user data contained within the school administration server to minimise IT security and business continuity risks associated with data loss.

The department’s school administration server backup service takes a copy of the data within the users folder. The users folder is located on the D: Drive of the administration server. A school user can see this folder on their workstations as the U:\Users Folder. The school administration server backup process stores a copy of the data elsewhere so that it can be restored to the school administration server after a data loss event, such as a disaster (such as theft, fire or flood), damage or corruption or accidental deletion. The service ensures that:

• data is backed up daily and retained for 31 days
• backup data will be encrypted in transit
• data is backed up to the department’s central data centre locations
• user data files and folders can be restored upon request within the backup retention period.

Please be aware the P: Drive directory within the CASES21 environment is not part of the School Administration Server backup process. P: Drive is a temporary holding folder in the CASES21 environment. P: Drive data must be copied from P: Drive to the U: Drive to ensure the data is backed up.

The department is responsible for the backup and restore of user data in the D:\Users folder (U:\Users Folder at school level) of the school administration server and will restore user data to the point of the last successful data backup.

If there is data loss on the school administration server (that is not a disaster event), schools must log a request via the Services Portal to restore data.

In the event of a disaster at a school site, the department will work with school management to recover the school administration server and restore the school administration user data.

It is a school’s responsibility to archive critical data that is no longer in use that may need to be accessed for future reference. For more information on archiving school information – refer to Records Management.

When storing files on the school administration server, schools must store files in accordance with the Acceptable Use Policy for ICT Resources.

Authorised department staff supporting and managing the School Administration Backup service (or those acting in those roles) are required to comply with this guidance to ensure data has been backed up and can be restored.

Resources

ICT Infrastructure Classification Guide

The ICT Infrastructure Classification Guide (DOCX) (staff log-in required) outlines the backup and recovery classifications for the base types of ICT infrastructure in schools in order to define responsibility for backup and recovery. It also contains a diagram showing an example of a school ICT network.