Risk R-012 - Loss of Infrastructure Backups
| Field | Value |
|---|---|
| Risk ID | R-012 |
| Asset | Backup Storage (Infrastructure – Owner: Ops) |
| Scenario | S-011 - Loss of backups |
| Likelihood | 🟨 Medium - silent job failures, misconfigured retention, accidental deletion, and deliberate deletion by an attacker who has reached the backup system are all plausible without the controls below |
| Impact | 🟥 High - inability to restore systems within the required recovery time, extended outage, and potential permanent loss of data |
| Risk Level | 🟥 High |
| Owner | Ops |
| Last Review | 2026-03-08 |
| Next Review | 2026-09-08 |
Associated Controls:
- Regular, automated backup schedules with at least one onsite and one offsite/cloud copy, each under its own retention policy, so that a single fault or a single deletion cannot remove every copy.
- Immutable or write-once (object-lock/WORM) storage for critical backups, so that neither a compromised production account nor a compromised backup administrator can delete or overwrite them before retention expires.
- Periodic restore tests (an actual restore onto isolated infrastructure, not only a checksum check) to verify backup integrity and recoverability within the required recovery time.
- Access controls and MFA on backup management systems, with backup credentials kept separate from production directory and administrator accounts.
- Monitoring and alerting on failed or skipped backup jobs, on backups older than the recovery point objective, and on retention changes or mass deletions.
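The freshness, integrity and redundancy checks behind the last three controls can be automated. The script below is an added example, not part of this risk register or of any backup product: it assumes a hypothetical manifest format in which the backup scheduler records each job's last run (artifact name, completion time, status, SHA-256 digest, and which copies exist), and it uses constructed in-memory byte strings in place of the backup files. It flags failed jobs, copies older than the job's recovery point objective, digests that no longer match the stored artifact, and jobs with no offsite or no immutable copy.

```python
"""Backup health check: failed jobs, freshness, checksum integrity, and
offsite/immutable redundancy.

Added example (not the risk register's or any vendor's code). The manifest
format is hypothetical; artifacts are constructed in-memory stand-ins.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup artifacts (in-memory stand-ins for files on backup storage).
SAMPLE_BLOBS = {
    "db-2026-03-07.tar.zst": b"constructed database dump contents",
    "vm-2026-03-05.qcow2": b"constructed vm image contents",
}

# Constructed manifest in a hypothetical format: one record per job's last run.
MANIFEST = [
    {   # healthy: fresh, digest matches, onsite plus immutable offsite copy
        "job": "db-nightly",
        "artifact": "db-2026-03-07.tar.zst",
        "completed": "2026-03-07T23:10:00Z",
        "status": "success",
        "sha256": sha256_hex(SAMPLE_BLOBS["db-2026-03-07.tar.zst"]),
        "copies": ["onsite", "offsite-immutable"],
    },
    {   # recorded digest does not match the artifact; only an onsite copy
        "job": "vm-weekly",
        "artifact": "vm-2026-03-05.qcow2",
        "completed": "2026-03-05T02:00:00Z",
        "status": "success",
        "sha256": "0" * 64,
        "copies": ["onsite"],
    },
    {   # the last run failed, so there is nothing to verify
        "job": "config-daily",
        "artifact": None,
        "completed": "2026-03-08T01:00:00Z",
        "status": "failed",
        "sha256": None,
        "copies": [],
    },
]

# Maximum acceptable age of the newest successful copy per job (the RPO).
MAX_AGE = {
    "db-nightly": timedelta(hours=26),
    "vm-weekly": timedelta(days=8),
    "config-daily": timedelta(hours=26),
}

# Fixed "now" values so the example is reproducible offline.
NOW = datetime(2026, 3, 8, 6, 0, tzinfo=timezone.utc)
TWO_DAYS_LATER = NOW + timedelta(days=2)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_backups(manifest, blobs, now, max_age):
    """Return a list of (job, code, detail) findings; an empty list means healthy."""
    findings = []
    for entry in manifest:
        job = entry["job"]
        if entry["status"] != "success":
            findings.append((job, "FAILED_JOB", f"last status={entry['status']}"))
            continue
        age = now - parse_ts(entry["completed"])
        if age > max_age.get(job, timedelta(days=1)):
            findings.append((job, "STALE", f"age={age}"))
        data = blobs.get(entry["artifact"])
        if data is None:
            findings.append((job, "MISSING_ARTIFACT", str(entry["artifact"])))
        elif sha256_hex(data) != entry["sha256"]:
            findings.append((job, "CHECKSUM_MISMATCH", entry["artifact"]))
        copies = entry["copies"]
        if not any(c.startswith("offsite") for c in copies):
            findings.append((job, "NO_OFFSITE_COPY", ",".join(copies) or "none"))
        if not any("immutable" in c for c in copies):
            findings.append((job, "NO_IMMUTABLE_COPY", ",".join(copies) or "none"))
    return findings


if __name__ == "__main__":
    for label, when in (("now", NOW), ("two days later", TWO_DAYS_LATER)):
        print(f"--- run at {label} ---")
        for job, code, detail in check_backups(MANIFEST, SAMPLE_BLOBS, when, MAX_AGE):
            print(f"ALERT {job}: {code} ({detail})")
```

In a real deployment the manifest would come from the backup tool's job log or API and the blobs from the backup target; the point of the check is that it runs from a host that is not the backup server, so a failure or deletion on the backup side still produces an alert. The digest comparison only proves the stored bytes are unchanged; it does not replace the restore test in the control above.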
References:
- ISO 27001 - Control 8.3 Information access restriction.
- ISO 27001 - Control 8.13 Information backup.
- NIST CSF - PR.IP Information Protection Processes and Procedures.
- NIST CSF - PR.DS Data Security.
- EBIOS RM - Analysis of risks related to backup loss or unavailability of critical infrastructure data.
Response Actions:
- Containment - Pause backup jobs and retention or pruning tasks that could overwrite or expire the remaining valid copies; if deletion may have been malicious, revoke or rotate backup-system credentials and preserve the backup system's logs.
- Investigation - Determine which jobs failed or which copies were deleted, when, and by which account or process, and whether the cause was a fault, a misconfiguration, or an attacker.
- Recovery - Restore systems from the latest backups that pass integrity verification, onto isolated infrastructure; confirm the restored systems are intact and clean before reconnecting them to production.
- Post-incident - Review backup policies and schedules, add the redundancy or immutability that would have prevented the loss, update documentation, and re-run restore tests against the corrected configuration.