CP-9 / CP-9(8) / CP-4 NIST SP 800-53 Rev 5 NIST CSF

Are backups isolated, immutable, and tested?

Description

What this control does

This control ensures that backup data is protected from unauthorized modification or deletion through three mechanisms: isolation (network or air-gap separation from production systems), immutability (write-once-read-many or append-only storage that prevents tampering), and regular restoration testing. Immutable backups prevent ransomware and malicious insiders from encrypting or destroying recovery data. Testing validates that backups are functional and restoration procedures work under operational conditions, ensuring recovery time and recovery point objectives can be met during actual incidents.

Control objective

What auditing this proves

Demonstrate that backup infrastructure is architecturally separated from production systems, configured to prevent modification or deletion of backup data, and validated through documented restoration testing at defined intervals.

Associated risks

Risks this control addresses

  • Ransomware encrypts or deletes backups stored on network-accessible shares, rendering recovery impossible
  • Malicious insiders with administrative access delete backup repositories to cover tracks or cause operational harm
  • Compromised credentials allow attackers to traverse from production systems to backup infrastructure and destroy recovery data
  • Backup restoration fails during an actual incident due to corrupted, incomplete, or misconfigured backup sets that were never tested
  • Logical or administrative deletion of immutable backups occurs due to misconfigured retention locks or inadequate role-based access controls
  • Backup data is exfiltrated because it resides on production networks without encryption or access segmentation
  • Recovery time objectives are not met because restoration procedures were never validated under realistic conditions

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current backup architecture diagram showing network segmentation, storage topology, and access pathways between production and backup environments
  2. Interview backup administrators to understand isolation mechanisms (air-gap schedules, VLAN segmentation, separate authentication domains) and document the separation controls in place
  3. Examine backup storage configuration settings to verify immutability features are enabled (object lock, compliance mode, WORM storage, or snapshot locking with retention periods)
  4. Test immutability by attempting to delete or modify a sample backup file using administrative credentials to confirm that the storage system blocks the operation
  5. Review access control lists and role assignments for backup infrastructure to verify that production system administrators cannot modify or delete backup data
  6. Select a sample of backup restoration test records from the past twelve months and verify that tests include full system restores, not just file-level recoveries
  7. Witness or review evidence of a recent restoration test, including start time, completion time, data integrity validation steps, and documented success or failure outcomes
  8. Verify that backup monitoring alerts are configured to detect tampering attempts, failed backup jobs, or changes to immutability settings, and review recent alert logs

Evidence required

Collect backup architecture diagrams, network segmentation configurations, and firewall rules demonstrating isolation. Obtain storage configuration exports showing immutability settings such as object lock policies, retention periods, and WORM status. Gather restoration test reports, runbooks, and validation logs from the past year, including screenshots or change tickets documenting test execution and results.

Pass criteria

Backup storage is demonstrably isolated from production networks or credentials, immutability is technically enforced and verified through testing, and documented restoration tests have been successfully performed within the last 90 days covering critical systems.
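
An added example, not part of the original control text: a Python check an auditor could run over exported evidence for steps 3 and 6 and the 90-day pass criterion. The export shape (modeled on Amazon S3's object lock configuration), the repository and system names, and the 30-day minimum retention are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample evidence (not from a real environment). The lock export
# follows the shape of Amazon S3's GetObjectLockConfiguration response, which
# is an assumption: the page does not name a storage product.
LOCK_EXPORT = {
    "backup-prod-db": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}},
    "backup-file-srv": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 35}}},
    "backup-legacy": {},  # object lock never configured
}
RESTORE_TESTS = [  # (system, test date, scope, outcome)
    ("prod-db", date(2024, 5, 20), "full", "success"),
    ("file-srv", date(2024, 1, 10), "full", "success"),
    ("file-srv", date(2024, 5, 28), "file-level", "success"),
]

def lock_findings(export, min_days):
    """Return {repository: reason} for repositories whose lock is not enforced."""
    findings = {}
    for repo, cfg in export.items():
        retention = cfg.get("Rule", {}).get("DefaultRetention", {})
        days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        if cfg.get("ObjectLockEnabled") != "Enabled":
            findings[repo] = "object lock not enabled"
        elif retention.get("Mode") != "COMPLIANCE":
            # Governance-mode locks can be lifted by a sufficiently privileged user.
            findings[repo] = "retention mode is not COMPLIANCE"
        elif days < min_days:
            findings[repo] = f"retention {days}d is below {min_days}d"
    return findings

def stale_restore_tests(tests, critical_systems, as_of, max_age_days=90):
    """Return critical systems lacking a successful full restore in the window."""
    cutoff = as_of - timedelta(days=max_age_days)
    covered = {system for system, when, scope, outcome in tests
               if scope == "full" and outcome == "success" and cutoff <= when <= as_of}
    return sorted(set(critical_systems) - covered)

if __name__ == "__main__":
    # min_days=30 is an assumed policy minimum; the page does not state one.
    print(lock_findings(LOCK_EXPORT, min_days=30))
    print(stale_restore_tests(RESTORE_TESTS, ["prod-db", "file-srv"], date(2024, 6, 1)))
```

A configuration check like this supports, but does not replace, the live deletion attempt in step 4, since an export only shows the intended setting.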