Circular reference broken between AFDA and ISM

Eagle eyed readers and records management wonks will have noticed a circular reference between the National Archives of Australia’s Administrative Functions Disposal Authority and the Australian Cyber Security Centre’s Information Security Manual, regarding system backups.

The ISM, until the most recent update, stated:

Retention periods for backups
To prevent backups from being retained for an insufficient amount of time to allow for the recovery of information, organisations are strongly encouraged to store backups for three months or greater. In addition, when determining backup retention times, organisations are encouraged to consult with relevant retention requirements as documented in the National Archives of Australia’s Administrative Functions Disposal Authority publication.
Security Control: 1514; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must Backups are stored for three months or greater.

So we needed to look to Archives for the retention period. AFDA Express had 7 years (assuming it fell under Routine Class 20344), and the original AFDA had either ‘destroy when reference ceases’ (Class 2100), or 7 years (Class 2099) if they show a history of access changes.

This circular reference was identified when AFDA was reviewed, but was with the ACSC to address. It has now been removed in the March 2021 ISM update.

So what should do with your backups? NAA still points you to the ISM:

Destroy in accordance with the requirements of the Australian Signals Directorate’s Australian Government Information Security Manual

The thinking is that agencies should apply “a minimum 3 month retention period for back-up tapes, with agencies to identify risks and develop their own retention period as required, dependent upon the operational requirements and ICT operations of their agency.”

The justification for using the ISM as the authority is that:

“A national standard retention period is not possible as the breadth of information in question varies from high volume low level records to low volume high value.”

So there you have it – keep your backups at least three months, but make your own evaluation as to whether you need to retain them longer.