Rule: Backup Recovery Points Should Not Expire Before Retention Period

This rule ensures that backup recovery points do not expire before the specified retention period to maintain data integrity.

Rule: Backup recovery points should not expire before retention period
Framework: GxP EU Annex 11
Severity: Low

Rule Details

Description

The rule checks that backup recovery points for GxP EU Annex 11 compliant systems do not expire before the specified retention period. This ensures that all necessary backups are retained for the required duration in order to comply with regulatory requirements.

Implementation

To implement this rule, it is necessary to configure the backup system and retention settings accordingly. The backup system should be able to manage and retain recovery points for the defined retention period, and prevent them from expiring prematurely.

Troubleshooting Steps

If backups are expiring before the defined retention period, the following troubleshooting steps can be followed:

  1. Verify the backup system configuration: Check the backup system's settings and ensure that the retention period is correctly defined and aligned with the regulatory requirements of GxP EU Annex 11.
  2. Check backup job schedules: Ensure that backup jobs are running at the specified frequencies and timings to create recovery points for the system. If backups are not being taken as scheduled, investigate and resolve any issues related to backup job scheduling.
  3. Examine error logs: Review the logs of the backup system for any errors or warnings related to backup expiration or retention periods. Troubleshoot and address any identified issues accordingly.
  4. Validate backup and restore processes: Perform a test restore of a backup recovery point to confirm that the backup system is working properly and backup retention is correctly configured.

Code Examples

The specific code examples for this rule will depend on the backup system in use. The following example sets up backup retention with the AWS Command Line Interface (CLI), using an AWS Backup plan:

aws backup create-backup-plan --backup-plan '{"BackupPlanName":"GxP_EU_Annex11_Lifecycle","Rules":[{"RuleName":"RetentionRule","TargetBackupVaultName":"<backup-vault-name>","ScheduleExpression":"cron(0 0 * * ? *)","Lifecycle":{"DeleteAfterDays":365}}]}'

This command creates a backup plan named "GxP_EU_Annex11_Lifecycle" whose rule "RetentionRule" runs daily and stores its recovery points in the vault given as <backup-vault-name>, a placeholder to replace with the name of an existing vault. Resources tagged as "GxP_EU_Annex11" are assigned to the plan with a separate backup selection (aws backup create-backup-selection). The DeleteAfterDays parameter specifies the number of days after creation at which the recovery points expire and are deleted, so it must not be lower than the required retention period.
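The check this rule describes can also be run against existing recovery points. The following is an added example, not code from the rule's vendor: it assumes each recovery point is a dict with the fields AWS Backup returns when listing a vault's recovery points (RecoveryPointArn, CreationDate, Lifecycle, CalculatedLifecycle), and the ARNs and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_DAYS = 365  # assumption: same value as DeleteAfterDays on this page


def retention_gap(point, required_days=REQUIRED_DAYS):
    """Return a reason string if the point expires too early, else None."""
    lifecycle = point.get("Lifecycle") or {}
    calculated = point.get("CalculatedLifecycle") or {}
    delete_after = lifecycle.get("DeleteAfterDays")
    delete_at = calculated.get("DeleteAt")
    if delete_after is None and delete_at is None:
        return None  # no expiry set: the point is kept until deleted by hand
    if delete_after is not None and delete_after < required_days:
        return f"DeleteAfterDays={delete_after} is below {required_days}"
    keep_until = point["CreationDate"] + timedelta(days=required_days)
    if delete_at is not None and delete_at < keep_until:
        return f"DeleteAt {delete_at:%Y-%m-%d} is before {keep_until:%Y-%m-%d}"
    return None


def find_violations(points, required_days=REQUIRED_DAYS):
    """Map RecoveryPointArn -> reason for every point that expires early."""
    found = {}
    for point in points:
        reason = retention_gap(point, required_days)
        if reason:
            found[point["RecoveryPointArn"]] = reason
    return found


# Constructed sample data (not real ARNs), shaped like a "RecoveryPoints" list.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ARN = "arn:aws:backup:eu-west-1:111122223333:recovery-point:EXAMPLE-"
SAMPLE_POINTS = [
    {"RecoveryPointArn": ARN + "ok", "CreationDate": T0,
     "Lifecycle": {"DeleteAfterDays": 365},
     "CalculatedLifecycle": {"DeleteAt": T0 + timedelta(days=365)}},
    {"RecoveryPointArn": ARN + "short", "CreationDate": T0,
     "Lifecycle": {"DeleteAfterDays": 30},
     "CalculatedLifecycle": {"DeleteAt": T0 + timedelta(days=30)}},
    {"RecoveryPointArn": ARN + "no-expiry", "CreationDate": T0},
    {"RecoveryPointArn": ARN + "calc-only", "CreationDate": T0,
     "CalculatedLifecycle": {"DeleteAt": T0 + timedelta(days=90)}},
]

if __name__ == "__main__":
    for arn, reason in find_violations(SAMPLE_POINTS).items():
        print(arn, "->", reason)
```

Checking the calculated deletion date as well as DeleteAfterDays catches points whose expiry is only visible as a computed timestamp.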

Remediation Steps

Follow these steps to remediate any issues related to backup recovery point expiration:

  1. Identify the regulatory requirements: Understand the specific retention period mandated by GxP EU Annex 11 for backup recovery points.
  2. Review the backup system configuration: Verify the retention settings within the backup system and ensure that the defined retention period aligns with the regulatory requirements.
  3. Adjust retention policy: If the retention period is shorter than required, modify the backup system's retention policy and set it to the appropriate duration.
  4. Test backup and restore: Perform a backup and restore test to validate that the retention policy update is working as expected. Ensure that recovery points are not expiring prematurely after the remediation.

By following these steps, the backup recovery points will be retained for the required duration as per GxP EU Annex 11, ensuring compliance with applicable regulations.
