Information Systems Security Controls Guidance: Backups

Backups – Section 11(c)(9)(v)

Section 11(c)(9)(v) of the select agent regulations require the entity to “establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of section 17 of this part are rendered inoperable.

Events such as security breaches, natural disasters, or equipment failure can sometimes result in systems or machines becoming inoperable. The entity is still responsible for any information that may get lost, so a backup system must be in place for the purposes of disaster recovery. There are many backup systems that will restore data after a data loss event. The IT department may set up an imaging system, an incremental style repository, a differential backup, a continuous data protection, among other solutions. The best solution depends on the size and nature of the entity and the IT department that manages the backup system.