{"id":70074,"date":"2026-03-11T14:05:18","date_gmt":"2026-03-11T21:05:18","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=70074"},"modified":"2026-03-11T14:05:18","modified_gmt":"2026-03-11T21:05:18","slug":"bppm-87-75","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-75\/","title":{"rendered":"87.75 Data Retention Backup and Archive"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Data Retention Backup and Archive<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.75<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br>&nbsp; &nbsp;<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 &nbsp;&nbsp; Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 &nbsp;&nbsp; Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 &nbsp;&nbsp; Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 &nbsp;&nbsp; Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 &nbsp;&nbsp; Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 &nbsp;&nbsp; Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 &nbsp;&nbsp; Information System Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 &nbsp;&nbsp; Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 &nbsp;&nbsp; Requirements<\/a>\n<ul>\n<li><a href=\"#Four_1\">4.1 &nbsp;&nbsp; General<\/a><\/li>\n<li><a href=\"#Four_2\">4.2 &nbsp;&nbsp; Moderate- and High-Impact Systems<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 &nbsp;&nbsp; High-Impact Systems<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 &nbsp;&nbsp; Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0&nbsp; &nbsp; Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1&nbsp; &nbsp; Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.<\/p>\n<p>To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2&nbsp; &nbsp; Specific Policy Overview and Purpose<\/h4>\n<p>Protecting the confidentiality, integrity, and availability of WSU data and information requires robust data management and backup in accordance with all applicable laws, policies, and standards. This policy sets forth the roles, responsibilities, and requirements for creating and maintaining backup and archived system data.<\/p>\n<h3 id=\"Two_0\">2.0&nbsp; &nbsp; Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0&nbsp; &nbsp; Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1&nbsp; &nbsp; Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2&nbsp; &nbsp; Information System Owners<\/h4>\n<p>Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.&nbsp;<\/p>\n<h4 id=\"Three_3\">3.3&nbsp; &nbsp; Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/data-retention-backup-and-archive-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/02\/data-retention-backup-and-archive-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0&nbsp; &nbsp; Requirements<\/h3>\n<h4 id=\"Four_1\">4.1&nbsp; &nbsp; General<\/h4>\n<p>WSU will create standards for data retention that reflect legal and regulatory requirements applicable to WSU that include periodic reviews of retained data, in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-01\/\">90.01<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-70\/\">87.70<\/a>.<\/p>\n<p>WSU Information System Owners, or their delegates, must ensure that system data, including system documentation, is backed up on a regular basis consistent with recovery time and recovery point objectives, in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-70\/\">87.70<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">87.53<\/a>.<\/p>\n<p>Information System Owners, or their delegates, must protect the confidentiality, integrity, and availability of backup system data.&nbsp; Physical copies of backups are to be protected in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">UPPM 87.53<\/a>.<\/p>\n<p>Information System Owners are to ensure access to data backups is provided based on job responsibilities in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">87.05<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">87.50<\/a>.<\/p>\n<p>Information System Owners, or their delegates, must manage and retain system information in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, contractual obligations, and operational requirements.<\/p>\n<p>A current copy of institutional data must be preserved to ensure the restorability of data lost to disaster or destruction. Procedures to recover lost data must be in place. See also UPPM<a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-50-38\/\"> 50.38<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-50-39\/\">50.39<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-15\/\">90.15<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-01\/\">90.01<\/a>.<\/p>\n<p>WSU\u2019s OISA must create a process regarding legal matters such as litigation holds in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">UPPM 87.53<\/a>.&nbsp;<\/p>\n<p>Information systems that only store archived data sets that are not regularly accessed are to be removed from WSU&#8217;s networks or placed on isolated\/restricted network segments or air-gapped storage.<\/p>\n<p>Archiving and destroying backups of decommissioned systems is to be performed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<h4 id=\"Four_2\">4.2&nbsp; &nbsp; Moderate- and High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to all moderate- and high-impact systems.<\/p>\n<p>WSU Information System Owners are to ensure that backups of moderate- and high-impact systems are:<\/p>\n<ul>\n<li>Encrypted in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a>; and<\/li>\n<li>Regularly tested to verify media reliability and information integrity.<\/li>\n<\/ul>\n<h4 id=\"Four_3\">4.3&nbsp; &nbsp; High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to all high-impact systems.<\/p>\n<p>Information System Owners are to ensure that backup copies of critical system software of high-impact systems are transferred and stored in a separate geographical location that is not collocated with the operational system.<\/p>\n<p>Information System Owners are to ensure that a sample of backup information is used when testing the restoration of high-impact systems.<\/p>\n<h3 id=\"Five_0\">5.0&nbsp; &nbsp; &nbsp;Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br><strong>Revisions:<\/strong>&nbsp; March 2026 (NEW &#8211; Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-654\/\">654<\/a>).<\/p>\n\n<\/div>\r\n\n<\/div>\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Data Retention Backup and Archive<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70074"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=70074"}],"version-history":[{"count":3,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70074\/revisions"}],"predecessor-version":[{"id":70142,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70074\/revisions\/70142"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=70074"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=70074"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=70074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}