Dakota State University students walking around campus

Rise with us

DSU is a place where innovation meets opportunity. We are a nationally recognized leader in technology-driven education, constantly pushing the boundaries of what’s possible. With hands-on learning experiences, expert faculty, and cutting-edge facilities, we prepare you for modern careers. Choose from a wide range of affordable, forward-thinking programs that allow you to shape your own path. Your future begins today.

Majors & Degrees

Search

Popular searches

smiling woman

Rise with us

DSU is a place where innovation meets opportunity. We are a nationally recognized leader in technology-driven education, constantly pushing the boundaries of what’s possible. With hands-on learning experiences, expert faculty, and cutting-edge facilities, we prepare you for modern careers. Choose from a wide range of affordable, forward-thinking programs that allow you to shape your own path. Your future begins today.

Visit DSU

Home Data Backup

Data Backup

Policy 14.13

Approved by: President
Responsible Officer: Chief Information Officer
Responsible Office: Information Technology Services
Originally Issued: 02/09/2026
Last Revision: New
Category: Technology

Related Policies

SD BOR Security of Information Technology Systems Policy 7.4

I. Reason for Policy

The purpose of this policy is to establish clear guidelines and procedures for the systematic and secure backup of critical data assets owned or managed by Dakota State University (DSU). A comprehensive backup process reduces the risk of data loss due to system failures, disasters, or human error and ensures the timely restoration of critical information needed for continued operations.

This policy also supports compliance with applicable data security regulations and fosters a culture of proactive data protection and security awareness across the University community.

This policy applies to all University-owned or managed data assets, including academic, research, administrative, financial, and operational records, and all DSU departments, units, and personnel responsible for managing or safeguarding data.

II. Definitions

  1. Backup. The process of copying data to secondary storage media (e.g., tape, disk, or cloud) to prevent data loss due to system failures or disasters.
  2. CIO (Chief Information Officer). Campus Chief Information Officer/Vice President of Technology is the department head for the DSU (Dakota State University) technology department.
  3. Data Recovery. The process of retrieving data from a backup to restore it to a desired point in time.
  4. Data Trustee: Data Trustees are the university officials with authority over institutional data or the university’s use thereof. Data Trustees are accountable for protecting, managing, and ensuring the integrity of institutional data in accordance with policies, state law, and federal law.
  5. Institutional Data. Data for which institutional resources or institutionally owned, leased, licensed, or provided technology systems are used to create, manage, transmit, process, or store it, including administrative, instructional, operational, and research data. When institutional systems, devices, funding, or networks are used to create or process research data, the resulting data is considered institutional data regardless of where the researcher is physically located or which device is used at the moment of creation.
  6. ITS. Information Technology Services. The official technology department for Dakota State University and subsumed departments. 
  7. RPO (Recovery Point Objective). It is the maximum tolerable amount of data loss measured in time. It represents the point in time to which data must be recovered after a disruption, indicating the acceptable data loss window for an organization's backup and recovery processes.
  8. RTO (Recovery Time Objective). Defines the maximum acceptable downtime for a system after a disruption. It's essential to measure how long a system can tolerate being offline before operations are significantly impacted.

III. Statement of Policy

  1. Responsibilities
    1. Data Trustees
      1. Determine backup requirements, schedules, RPO, and RTO for their data and systems.
      2. Coordinate with ITS to document and review RPO/RTO values annually.
      3. Ensure backup retention aligns with operational and compliance requirements.
    2. Information Technology Services (ITS)
      1. Implement and manage centralized backup infrastructure.
      2. Perform regular backups and verify completion.
      3. Test and validate backups regularly to ensure recoverability.
      4. Securely store off-site backups following encryption and data classification requirements.
      5. Maintain documentation of backup records and ensure compliance with DSU and BOR standards.
    3. Users
      1. Ensure institutional data is stored only on ITS approved storage systems (on-premises or approved cloud environments).
  2. Backup Strategy
    1. Full backups: Performed at regular intervals (e.g., weekly) to capture all data.
    2. Incremental backups: Performed more frequently (e.g., daily) to capture changes since the last full backup.
    3. Differential backups: Capture changes since the last full or differential backup.
  3. Backup Storage and Encryption. All backup data must be encrypted in accordance with FIPS 140-2 standards and stored within managed, access-controlled environments. Exfiltration via unencrypted removable drives or non-DSU third-party systems is prohibited.
  4. Backup Testing. ITS must conduct quarterly restore tests for critical systems and annual tests for all other systems. Test results must be documented and retained for audit.
  5. 3-2-1 Rule. ITS shall implement the NIST-recommended 3-2-1 backup model:
    1. Three copies of data (one primary and two backups).
    2. Two different media types.
    3. Two different media types.
  6. Retention and Off-Site Storage. At least one backup per cycle shall be stored off-site in a secure, environmentally controlled location consistent with data classification and retention requirements.

Exclusions

Exfiltration of institutional data outside of the approved OneDrive default backup folders and backup process or designated SharePoint sites is prohibited. Data saved to local user devices or to non-standard OneDrive locations is not included in automated backups and will not be protected. Users are responsible for ensuring that institutional data is stored only within ITS-approved, managed storage locations to ensure it is backed up in accordance with this policy.
Public archive data is excluded from routine backup and recovery services. This includes data intended for long-term retention or historical reference that is publicly accessible, static or infrequently changed, and not required for day-to-day institutional operations.

Exceptions

Any exceptions to this policy shall only be approved with the consent of the CIO.

IV. Procedures (Major)

  1. ITS Procedures
    1. Backup Configuration:
      1. Define backup schedules and job configurations in accordance with Data Trustee requirements.
      2. Classify data by sensitivity to determine storage and encryption requirements.
    2. Backup Storage and Encryption:
      1. Encrypt all backup data in transit and at rest.
      2. Store encrypted copies off-site in a secure, controlled facility.
    3. Backup Audit and Logging:
      1. Review automated backup job logs weekly for errors or anomalies.
      2. Document completion status, timestamps, and data volumes.
    4. Backup Validation and Testing:
      1. Conduct regular restore testing (quarterly for critical systems; annual for others).
      2. Document test results and report anomalies or failures to the CIO.
    5. Offsite and 3-2-1 Compliance:
      1. Maintain compliance with the 3-2-1 rule.
      2. Ensure at least one copy of backups is securely maintained off-site.
    6. Retention and Recordkeeping:
      1. Maintain detailed backup records (media identifiers, contents, storage location, encryption status).
      2. Retain records per applicable retention schedules and BOR policy 7:4.
  2. Data Trustee Procedures
    1. Coordinate with ITS to define RPO and RTO requirements annually.
    2. Review backup reports and validation results to ensure data protection meets operational and compliance needs.
    3. Submit special backup or data restore requests to ITS using the approved Backup Restoration Form/Ticket.

V. Related Documents, Forms, and Tools

Backup Restoration Request (complete a Support ticket)

NIST Special Pub 800-53 Rev. 5 (Security and Privacy Controls)

VI. Policy History

Adopted: 02/09/2026

Policies

Policy Request Form