intelliHR's Backup Policy explains how intelliHR ensures the confidentiality, integrity, and availability of data, both for intelliHR and for intelliHR’s customers. Complete backups are performed daily to assure that data remains available when it is needed and in the case of a disaster. This policy covers backups as they relate to the intelliHR application running in production on the Amazon Web Services (AWS) platform.
Policy
intelliHR policy requires that:
- Data should be classified at the time of creation or acquisition according to the Data Classification Policy.
- An up-to-date inventory and data flow map of all critical data is maintained.
- All business data should be stored or replicated into a company-controlled repository, including data on end-user computing systems.
- Data must be backed up according to its level as defined in the Data Classification Policy.
- Data retention periods must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically:
  - Data and records belonging to intelliHR customers must be retained per intelliHR product terms and conditions and/or specific contractual agreements.
  - By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified by intelliHR’s Data Classification Policy, specific regulations, or contractual agreement.
Backup and Recovery
Customer Data
intelliHR stores customer data in a secure production account on AWS, using PostgreSQL RDS and AWS DynamoDB databases. By default, AWS S3 provides durable infrastructure to store important documents and is designed for 99.999999999% durability and 99.99% availability of objects over a given year. intelliHR performs automatic backups of all customer and system data to protect against catastrophic loss due to unforeseen events that impact the entire system. An automated process backs up all data to a separate region in the same country (e.g. US East to US West). By default, data is backed up daily. The backups are encrypted in the same way as live production data. Backups are monitored, and alerts raised, by AWS CloudWatch. A backup failure triggers an incident by alerting the Security Officer.
Database Backups
RDS Databases
Relational Database Service (RDS) databases should, at a minimum, be backed up with the built-in AWS snapshot functionality. For databases containing customer application data, where the database cannot be rebuilt without a backup, a raw database dump should be taken in addition to RDS snapshots, with a tool such as pg_dump.
DynamoDB Databases
DynamoDB backups should be set up and taken with one or more of the following solutions:
- AWS Backup
- A script executed on a schedule via Jenkins
All other database types
It is out of scope for this document to cover every database type; however, ALL production databases containing customer or system data must have some form of backup.
Server Backups
Where a server holds customer data or critical system data that would be required, in the event of a failure, to bring the server back to a functioning standard, backups of that server must be taken, as either entire server snapshots or application data backups (such as the Jenkins working directory).
S3 Backups and Versioning
S3 versioning should be enabled on all backups containing either customer data or critical system data. Where versioning has not been enabled, some form of replication must be set up on the bucket where existing and new items are replicated to another account for safe storage.
Off-site Backups
Where possible, all backups must be copied to a separate highly secure AWS account. This AWS account must have bucket policies that require Multi-Factor Authentication (MFA) to delete any objects. Deletes must not be possible in this account by any other AWS account.
Backup Encryption
All backups must be encrypted using a minimum cipher of AES-256.
Backup Key Management
Where a backup is encrypted, the key or key pair used to encrypt the data must only be accessible by the operations team or senior management.
Backup Retention
Where possible, backup retention must be as follows unless business policy dictates otherwise:
- Daily backups kept for 7 days
- Weekly backups kept for 4 weeks
- Monthly backups kept for 12 months
- Yearly backups kept for 3 years
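As an added illustration, not part of the intelliHR policy or its tooling, the following Python function applies the tiered schedule above to a list of backup dates and returns the dates to retain. It assumes that a period's weekly, monthly or yearly backup is the newest backup taken in that period, and that "kept for N periods" means the current period plus the N-1 preceding ones.

```python
from datetime import date, timedelta

# Retention tiers from the policy: each tier keeps the newest backup of
# each period, for the stated number of most recent periods.
DAILY_DAYS = 7        # daily backups kept for 7 days
WEEKLY_WEEKS = 4      # weekly backups kept for 4 weeks
MONTHLY_MONTHS = 12   # monthly backups kept for 12 months
YEARLY_YEARS = 3      # yearly backups kept for 3 years


def _week_start(d):
    return d - timedelta(days=d.weekday())  # Monday of d's ISO week


def _month_index(d):
    return d.year * 12 + d.month - 1


def select_backups_to_keep(backup_dates, today):
    """Return the set of backup dates to retain; anything else may be pruned.

    Assumption: a period's weekly/monthly/yearly backup is the newest backup
    taken in that period, and 'kept for N periods' means the current period
    plus the N-1 preceding ones.
    """
    dates = sorted({d for d in backup_dates if d <= today}, reverse=True)
    keep = {d for d in dates if (today - d).days < DAILY_DAYS}
    # (period key, number of periods between d's period and today's, periods kept)
    tiers = [
        (_week_start, lambda d: (_week_start(today) - _week_start(d)).days // 7, WEEKLY_WEEKS),
        (lambda d: (d.year, d.month), lambda d: _month_index(today) - _month_index(d), MONTHLY_MONTHS),
        (lambda d: d.year, lambda d: today.year - d.year, YEARLY_YEARS),
    ]
    for period_key, distance, limit in tiers:
        seen = set()
        for d in dates:  # newest first, so the first hit in a period is its newest backup
            key = period_key(d)
            if key in seen or distance(d) >= limit:
                continue
            seen.add(key)
            keep.add(d)
    return keep


# Constructed sample: one backup per day for the 400 days ending 2024-03-15.
TODAY = date(2024, 3, 15)
SAMPLE_DATES = [TODAY - timedelta(days=i) for i in range(400)]


def kept_sample():
    """Retained dates for the sample, oldest first: 20 of the 400 survive."""
    return sorted(select_backups_to_keep(SAMPLE_DATES, TODAY))
```

Running a pruning job with this selection on a schedule, and alerting when the retained set ever shrinks below the expected tier counts, gives a simple check that the retention policy is actually being honoured.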
Backup Verification
Backups must be verified at least once a month. The verification process must include the following items:
- Copying an encrypted backup from off-site storage (where applicable)
- Decrypting said backup
- Extracting said backup
- Restoring said backup
- Verifying data is not corrupt