07) Does your organisation encrypt the backups to prevent unauthorised access to the backup data?
IT Operations Backup Encryption
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.

Backups are copies of your production data, which means that they need to be suitably protected. Backups should be encrypted to prevent unauthorised access and to protect their confidentiality. If a malicious actor can get hold of your backups, that is as good as breaking into your systems.

Many tools used to take backups of systems include a feature that encrypts the backups for you. If your IT team take backups manually, they can also implement encryption tools to protect them.

Encryption algorithms vary in strength, and many older algorithms that were once considered secure have since been broken. It is important to use a strong encryption algorithm such as AES (Advanced Encryption Standard) with a suitably long encryption key. Risk Ledger recommends using an encryption algorithm that is equal to or stronger than AES with a 256-bit key (AES-256).

How to implement the control:
You must tell your IT team to ensure that backups are encrypted to protect them from unauthorised access. The encryption algorithm used should be a recognised standard of equal strength to, or stronger than, AES-256.
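The following script is an added worked example of this control and is not Risk Ledger's own tooling. It uses the standard `openssl` and `tar` command-line tools (assumed to be installed) to archive a constructed sample data directory, encrypt it with AES-256 using a key derived from a passphrase file, and then prove two things an auditor would want evidence of: the ciphertext does not expose the plaintext, and the backup can actually be restored with the correct key but not with a wrong one. All file paths and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Risk Ledger's code): AES-256 backup encryption with openssl,
# plus a restore check. Assumes openssl >= 1.1.1 and tar are on PATH.

# Build a constructed sample "production data" directory and a passphrase file.
# The passphrase file should live somewhere other than the backup store.
make_sample_data() {
  dir="$1"
  mkdir -p "$dir/data" || return 1
  printf 'customer,balance\nalice,100\nbob,250\n' > "$dir/data/accounts.csv" || return 1
  openssl rand -base64 32 > "$dir/backup.key" || return 1   # 256 bits of randomness
  chmod 600 "$dir/backup.key" || return 1
}

# Archive a directory and encrypt the archive with AES-256-CBC.
# -pbkdf2/-iter derive the key from the passphrase with PBKDF2; -salt makes
# each run produce different ciphertext for the same data.
encrypt_backup() {
  src="$1"; keyfile="$2"; out="$3"
  tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
    | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$keyfile" -out "$out" || return 1
}

# Decrypt to a temporary file first so a bad key is detected by openssl's exit
# status, then extract the archive into the destination directory.
decrypt_backup() {
  enc="$1"; keyfile="$2"; dest="$3"
  mkdir -p "$dest" || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
      -pass "file:$keyfile" -in "$enc" -out "$dest/restore.tar" || return 1
  tar -C "$dest" -xf "$dest/restore.tar" || return 1
  rm -f "$dest/restore.tar"
}

# End-to-end check. Returns 0 only if: the ciphertext does not contain the
# plaintext, a restore with the right key matches the original, and a restore
# with a wrong key fails.
verify_backup() {
  work="$(mktemp -d)" || return 1
  make_sample_data "$work" || return 1
  encrypt_backup "$work/data" "$work/backup.key" "$work/data.tar.enc" || return 1

  # The unencrypted tar would contain "alice" verbatim; the ciphertext must not.
  if grep -q 'alice' "$work/data.tar.enc"; then
    echo "plaintext visible in encrypted backup"; return 1
  fi

  # Restore with the correct key and compare byte-for-byte with the original.
  decrypt_backup "$work/data.tar.enc" "$work/backup.key" "$work/restore" || return 1
  cmp "$work/data/accounts.csv" "$work/restore/data/accounts.csv" || return 1

  # A wrong passphrase must be rejected rather than yield a silent bad restore.
  echo "not-the-real-passphrase" > "$work/bad.key"
  if decrypt_backup "$work/data.tar.enc" "$work/bad.key" "$work/restore_bad" 2>/dev/null; then
    echo "wrong key was accepted"; return 1
  fi

  rm -rf "$work"
  return 0
}
```

Two caveats worth recording alongside the answer to this question: `openssl enc` provides confidentiality only, so a tampered backup is not detected unless you also sign it or store a checksum separately, and the encryption of the backup is only as strong as the protection of the passphrase file, which should never sit in the same location as the encrypted backups.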

