ROWAN UNIVERSITY POLICY
Title: Data Backup Policy
Subject: Information Security
Policy No: ISO:2016:04
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 04/01/2016
Last Revision: 03/27/2025
Last Review: 03/27/2025
I. PURPOSE
The purpose of this policy is to outline the requirements for performing periodic backups of University systems, applications, and data to ensure they are adequately preserved and protected in the event of accidental deletion, data corruption, system failure, or disaster.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer and the Information Security shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy.
III. APPLICABILITY
This policy applies to any Rowan University faculty member, staff member, student, temporary employee, contractor, outside vendor, or visitor to campus ("User") who process and/or store University data.
IV. DEFINITIONS
Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
The University requires that all University data is backed up according to the following best practices:
All University systems, applications and data must be backed up on a technically practicable schedule suitable to the criticality, integrity, and availability requirements, as defined by the data owner.
Retention period of backups should be proportionate to the criticality, integrity, and availability needs of the data. At a minimum, backup copies must be retained for 30 days, when appropriate.
Records must be kept detailing the backup environment (what data is backed up and where it is backed up).
Backup schedules must be maintained and periodically reviewed.
Backups of confidential or sensitive information will be encrypted to the standards set forth in the university Encryption Policy.
All University data should have at least one fully recoverable backup version stored in a secure, geographically diverse location from the primary location of the data.
Recovery procedures for the restoration of data must be kept up to date.
Backup and recovery documentation must be maintained and periodically reviewed and updated to account for new technology, business changes, and migration of applications to alternative platforms.
Backup media must be clearly labeled.
Federal and state regulations pertaining to the long-term retention of information (e.g., financial records) will be met using separate archive policy and procedures, as determined by the Business Owner of the information. Long-term archive requirements are beyond the scope of this policy.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. Any exceptions to this policy must be approved by the Information Security Office.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer