BACKGROUND AND KEY RISKS: Backup and recovery controls are key to an organization’s ability to continue operations in the event of a disruption and recover from a more catastrophic event. With the ransomware threat always looming in the background, it is critical for backup and recovery processes and controls to be effective.

Risks in this area include not performing sufficient restoration tests to ensure that critical data, applications, and software can be recovered to a newly built server and within a timeframe that aligns with business expectations; periodically restoring a file or folder for an end user is not enough to prove that restoration from backup is effective.

Other notable risks relate to administrative access to the backup system and environment, functions that backup administrators can perform, and the overall backup strategy implemented.


An organization with effective backup and recovery controls should be:

  • Performing regular (at least daily) backups of their data
  • Limiting administrative access to the backup system and environment to only those individuals who require it to perform their job duties
  • Ensuring that accounts with access to the backup system and environment are protected by multi-factor authentication
  • Enabling immutable backups. Immutable means the data cannot be changed: an immutable backup is fixed and unchangeable, and can never be deleted, encrypted, or modified. Many backup solutions have features that should be enabled to ensure that both backup data and protection policies are not tampered with by known or unknown threats, such as ransomware.
  • Selecting an overall backup strategy that provides redundancy and significant protection from a ransomware event. For example, the best practice of the “3-2-3 rule” would have 3 copies of data (one production and two backup copies), 2 different backup media types, and 3 geographically separate off-site locations.