Policy
The purpose of this policy is to specify the minimum operational backup requirements for information and communications technology infrastructure in schools. Data archiving and records management are not within the scope of this policy.
Summary
- To minimise IT security and business continuity risks associated with data loss, there is a requirement to implement operational backup and recovery procedures for information and communications technology infrastructure in schools.
- This policy excludes:
- data archiving and records management
- backup and recovery of data residing on school systems hosted by external service providers
- backup and recovery of data residing on school systems hosted centrally by the Department.
Details
For the purposes of backup and recovery, each item of information and communications (ICT) infrastructure located in schools will fall under one of the following categories:
- Department-supplied ICT infrastructure where the Department is responsible for backup and recovery
- Department-supplied ICT infrastructure where the individual school is responsible for backup and recovery
- ICT infrastructure supplied and supported by an external service provider who is responsible for backup and recovery
- school-supplied ICT infrastructure where the individual school is responsible for backup and recovery
- staff and student devices, where the individual school is responsible for backup and recovery
The ICT Infrastructure Classification document in the Resources tab sets out the different types of ICT infrastructure in schools and list who is responsible for backup and recovery. Where a particular type of ICT infrastructure in a school does not appear in this document, schools are responsible for backup and recovery procedures.
Where the Department is responsible for backup and recovery procedures, the standard operational backup frequency will be daily, with backups to be retained for a period of 31 days. Recovery of data on such infrastructure outside of a declared disaster is to be requested by a school through logging a service request via the Services (staff login required).
Schools, supported by Technical Support to Schools (TSSP) personnel, are responsible for defining, implementing and supporting backup and recovery procedures for school ICT infrastructure. These procedures are to be used for the purpose of operational data recovery to minimise IT security and business continuity risks associated with data loss.
Schools are required to classify each item of school ICT infrastructure as falling into one of the 2 following categories:
- where no backup procedures are required, as recovery in the event of data loss can be accomplished by re-initiating or rebuilding the item without loss of data
- where backup procedures are required, due to the business need to recover data in the event of data loss through whatever cause
Where backup procedures are required for an item of school ICT infrastructure, schools are responsible for:
- determining the method used for backup
- determining the backup frequency and retention period for each type to meet operational needs for business continuity, both with respect to recovery from declared disasters and recovery from data loss through other causes
- successfully testing recovery of data from each different type of backup at a minimum of once per year
- implementing automated processes to execute backups according to a schedule that meets the required backup frequency requirement
- putting in place procedures to monitor and report on the success or failure of backups
- ensuring that data recovery of school ICT infrastructure from backup can be achieved in the event of a declared disaster, up to and including total loss of a school site, for example, through fire
Where backups of school ICT infrastructure are transmitted or stored offsite, they are to be encrypted. Schools are to implement suitable processes to manage certificates used for encrypting backups, and that certificates are available for recovery purposes in the event of declared disasters, including total loss of a school site.
Schools are advised that where technically possible, backup processes should be configured to minimise their use of computing and network resources during normal school hours.
It is recommended to backup data stored on staff and student devices by configuring cloud-based data storage services on these devices. The Department-approved cloud-based data storage services for use by schools are:
- Google Drive
- Microsoft OneDrive
Each school should select one of the above cloud-based data storage services for use by staff and students.
The Department, via the assigned school technicians, schools which infrastructure items located at school sites are covered by Department backup and recovery procedures along with assisting the school to put in place backup capability for the school ICT infrastructure.
Further information about school administration server backup of data in the (D:\Users on the fileserver) folder can be found in the Guidance tab.
Definitions
Archive
Storing older information that is not needed for everyday operations (that is, moving these older files to a separate, long-term storage device). The technical requirements and user expectations of data archive are different to data backup.
Backup
Copy data to another medium so that in the event the active data is lost, it can be recovered in a recent, if not completely current, version. Backup is primarily intended for disaster recovery. Backup is not intended for archiving data for future reference or maintaining a versioned history of data. Data backups are not intended to serve as archival copies of data or to meet the departmental records keeping or retention requirements.
Restore
The process of bringing data stored offline back onto a storage system, such as the school administration server.
Retention
The length of time a backup is kept. The backup is deleted at the end of the retention period. Note, retention periods for disaster recovery are different to this policy retention period. The retention period of data backups used for disaster recovery provide for recoverability and a point-in-time snapshot of data as it existed at the time of backup.
School ICT infrastructure
ICT infrastructure that is provided and supported by an individual school, plus that Department-supplied ICT infrastructure where the school has responsibility for backup and recovery.
Related policies
Reviewed 27 October 2021