Purpose and scope
This policy outlines the requirements and responsibilities for the backup, storage, retention and control of data, to ensure availability, integrity, and compliance with regulatory requirements. It applies to all systems and personnel at ASK Research Partners involved in managing or processing data backups.
Backup Procedures
- Backups of critical systems and data, including DfE data, are performed automatically on a scheduled basis.
- All backups are stored in Microsoft Azure UK-based data centres.
- Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
Access and Recovery
- Access to backups is restricted to authorised IT personnel via Role-Based Access Control (RBAC).
- Recovery tests are conducted quarterly to verify the integrity and effectiveness of backup systems.
Access Control
- All users must be uniquely identified and authenticated via Azure Active Directory.
- Multi-Factor Authentication (MFA) is required for all system access.
- Access is granted based on the principle of least privilege and reviewed quarterly.
Role-Based Access Control (RBAC)
- Access to systems and data is defined according to user roles and responsibilities.
- Access rights are reviewed and updated upon role change or termination.
Physical and Logical Access Controls
- Endpoint devices are encrypted and protected with secure login credentials.
- Remote access is restricted to managed devices and protected by conditional access policies.
Monitoring and Enforcement
- All access events are logged and monitored using Microsoft Purview and Endpoint Manager.
- Unauthorised access attempts are flagged and investigated immediately.
Compliance
Access control measures are aligned with ISO/IEC 27001, UK GDPR, and the Department for Education’s data handling standards.
Last reviewed: 01/05/2025