Customer Data Backup Policy

Summary

This Customer Data Backup Policy addresses the following risks to Customer Data:

  • A disaster occurring at the primary site
  • Hardware failure
  • Cybercrime (deletion or modification of data)
  • Accidental deletion or modification of data

The table below identifies the main risks of data loss and the policy adopted for managing each risk. The last two risks (cybercrime and accidental deletion or modification) share one set of controls.

Data loss risk and policy

A disaster occurring at the primary site (fire, flood, explosion, network, etc.)
  • All live data is continuously replicated to the Disaster Recovery Site (DRS)
  • Redundant hardware available at the DRS

Hardware failure (database)
  • Identical hardware on standby at the DRS can be deployed to the primary site
  • Server uses redundant power supplies and RAID

Hardware failure (server)
  • Websites are load balanced across two separate physical servers

Hardware failure (network file system)
  • Microsoft Distributed File System enables files to be accessible across two different sites

Cybercrime (deletion or modification of data); Accidental deletion or modification of data
  • Hourly snapshots enabled on network file system servers for rapid recoverability
  • Replicated data is backed up at the DRS to a dedicated backup server for robust recoverability
  • Database backed up every 15 minutes

Physical Locations of Data Storage

Customer Data is stored at two locations in the UK. Both premises deploy 24/7/365 manned security with CCTV surveillance.

  • Primary Site – Data is stored on our own equipment, co-located in a private locked cabinet at a TelecityGroup-owned “Tier 2” data centre in Manchester.
  • Disaster Recovery Site (DRS) – Data is stored on our own equipment, housed in a locked cabinet within a dedicated, locked environment at One Central Park, Manchester.


Customer Data Backup

Customer Data is stored as either live “database data” in the application database on the database server or as “file data” on the network file system.

The network file system comprises two physical servers (one at the primary site and one at the DRS) made available as a high-availability failover cluster using Microsoft Distributed File System.

All servers use RAID technology to distribute Customer Data across an array of hard drives, limiting the impact of a single drive failure. Each server also has at least one ‘Hot Spare’ drive, so that in the event of a single drive failure the hot spare is brought into the array automatically at the earliest opportunity.

Database Data

Database data comprises:

  • the list of Authorised Users, their personal data and their configuration settings
  • an activity log of key events as undertaken by the Authorised Users
  • organisational parameters and configuration settings
  • security settings and access permissions granted to Authorised Users
  • details of assessments, reviews, plans, progress and signatures recorded by Authorised Users

The following rules are applied when backing up database data:

  • Database data is backed up in full at 3AM daily and incrementally every 15 minutes, 7 days a week, 365 days a year.
  • The backup files are transferred to the network file system and replicated to the DRS continuously. Personnel manually verify that replication has succeeded twice a day.
  • Database backup files are retained for 90 days.
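As an added worked example (not the provider's own tooling), the script below implements the two operational rules above in Python: it compares a primary-site listing of database backup files against the DRS listing to confirm replication succeeded, and it selects the files that may be pruned under the 90-day retention period while keeping any full backup that a still-retained incremental depends on. The file naming convention, the listing format and the sample entries are all constructed for this example.

```python
# Added example: replication and retention check for database backup files.
# Not the provider's own tooling. The naming convention below is assumed:
#   DB_FULL_YYYYMMDD_HHMM.bak  daily full backup (taken at 3AM)
#   DB_INC_YYYYMMDD_HHMM.bak   15-minute incremental backup
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # retention period stated in the policy

NAME_RE = re.compile(r"^DB_(FULL|INC)_(\d{8}_\d{4})\.bak$")


@dataclass(frozen=True)
class BackupFile:
    name: str
    size: int     # bytes
    sha256: str   # hex digest of the file content


def backup_kind_and_time(name):
    """Return ('FULL' | 'INC', timestamp) parsed from the assumed file name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected backup file name: {name}")
    return m.group(1), datetime.strptime(m.group(2), "%Y%m%d_%H%M")


def verify_replication(primary, drs):
    """Compare the primary listing with the DRS listing.

    Returns (missing, mismatched): names absent at the DRS, and names present
    at both sites whose size or hash differ. Both lists must be empty for the
    twice-daily replication check to pass.
    """
    at_drs = {f.name: f for f in drs}
    missing, mismatched = [], []
    for f in primary:
        d = at_drs.get(f.name)
        if d is None:
            missing.append(f.name)
        elif (d.size, d.sha256) != (f.size, f.sha256):
            mismatched.append(f.name)
    return missing, mismatched


def expired_files(files, now, retention_days=RETENTION_DAYS):
    """Return names that may be deleted under the retention window.

    A full backup plus the incrementals taken after it form one restore
    chain. Chains expire as a unit: a full older than the cutoff is kept
    while any incremental that depends on it is still inside the window,
    otherwise that incremental could no longer be restored.
    """
    cutoff = now - timedelta(days=retention_days)
    expired = []

    def close_chain(chain):
        if chain and all(backup_kind_and_time(f.name)[1] < cutoff for f in chain):
            expired.extend(f.name for f in chain)

    chain = []
    for f in sorted(files, key=lambda f: backup_kind_and_time(f.name)[1]):
        if backup_kind_and_time(f.name)[0] == "FULL":
            close_chain(chain)
            chain = [f]
        else:
            chain.append(f)
    close_chain(chain)
    return expired


# Constructed sample listings (not real data). The DRS copy is missing one
# incremental and holds a truncated copy of the newest full backup.
PRIMARY = [
    BackupFile("DB_FULL_20240301_0300.bak", 5_000_000, "aa" * 32),
    BackupFile("DB_INC_20240301_0315.bak", 20_000, "ab" * 32),
    BackupFile("DB_FULL_20240303_0300.bak", 5_100_000, "ac" * 32),
    BackupFile("DB_INC_20240303_1145.bak", 21_000, "ad" * 32),
    BackupFile("DB_INC_20240303_1215.bak", 22_000, "ae" * 32),
    BackupFile("DB_FULL_20240531_0300.bak", 6_000_000, "af" * 32),
]
DRS = [
    BackupFile("DB_FULL_20240301_0300.bak", 5_000_000, "aa" * 32),
    BackupFile("DB_INC_20240301_0315.bak", 20_000, "ab" * 32),
    BackupFile("DB_FULL_20240303_0300.bak", 5_100_000, "ac" * 32),
    BackupFile("DB_INC_20240303_1145.bak", 21_000, "ad" * 32),
    BackupFile("DB_FULL_20240531_0300.bak", 5_999_000, "af" * 32),
]
CHECK_TIME = datetime(2024, 6, 1, 12, 0)  # constructed time of the check


def run_check(primary=PRIMARY, drs=DRS, now=CHECK_TIME):
    """Summarise replication state and retention prune candidates."""
    missing, mismatched = verify_replication(primary, drs)
    return {
        "replication_ok": not missing and not mismatched,
        "missing_at_drs": missing,
        "mismatched": mismatched,
        "prune_candidates": expired_files(primary, now),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

With the constructed listings the check fails: one incremental has not reached the DRS and the newest full backup differs in size. The 3 March full backup is older than the 90-day cutoff but is kept, because the 12:15 incremental that depends on it is still within the window; only the 1 March chain is reported as a prune candidate.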


File Data

File data (documents, movies, audio, photographs, etc.) comprises:

  • the files that the Customer has provided for its Authorised Users
  • the files that the Authorised Users have provided as assessment evidence
  • other files that Authorised Users have uploaded for private or public online access
  • the backup files containing the database data

The following rules are applied when backing up file data:

  • File data is stored on the network file system, which comprises two physical servers (one at the primary site and one at the DRS) made available as a high-availability failover cluster using Microsoft Distributed File System. Files at the DRS are backed up to disk every 15 minutes using a dedicated backup server.


Data Security

  • All servers hosting Customer Data are encrypted with AES-256 using Microsoft BitLocker, with hardware Trusted Platform Modules (TPMs) protecting both system drives and data drives. This encryption is designed to protect the disks should they be stolen: they cannot be read in another system without the recovery key.
  • User passwords in the database are stored in irreversibly encrypted (one-way) form so that neither personnel nor end-users can read them.
  • Customer Data moving between our servers and user browsers is encrypted in transit using a 2048-bit certificate.
  • Customer Data moving between the data centre and our offices is encrypted using an IPsec VPN (virtual private network).


Data Retention

  • File data (eportfolio data) is retained for the period stipulated by the awarding body (usually 5 years) or the funding body (usually 6 years), whichever is the greater. Customers may request the deletion of eportfolios before the end of this period by giving written instruction.
  • Copies of database backup files are kept for 90 days before being deleted.


Restore & Recoverability

Database Server

  • Identical database server hardware is located at the DRS. It can be relocated to the primary site, fully restored with the most current data and made operational within an hour.
  • Alternatively, the same hardware can be made operational in place at the DRS within 15 minutes.

Disaster Recovery Site (DRS)

  • Senior management will make the decision to elevate the DRS after gathering intelligence and reviewing all available options.
  • We aim to have a fully functioning operational service within 30 minutes of the decision to elevate the DRS.
  • External routing to the DRS is activated by updating our Domain Name System (DNS) records.