System Backup Checklist

Backup Scope and Preparation

    Catalog the policy admin platform (Guidewire PolicyCenter, Duck Creek, or Insurity), the AMS (Applied Epic, AMS360, EZLynx), claims systems (ClaimCenter, Snapsheet), and document repositories (ImageRight). Anything holding NPI under GLBA or PHI under HIPAA is in scope. Printer spools, TPA portal exports, and email archives are easy to miss under NYDFS Part 500 §500.11.

    Health, dental, vision, and stop-loss carriers fall under the HIPAA Security Rule in addition to GLBA. P&C-only carriers usually do not, but check whether the carrier writes any group health products before answering No.

    Capture encryption-in-transit, encryption-at-rest, access logging, and the 6-year retention floor for PHI backups. The HIPAA Security Rule contingency-plan standard (§164.308(a)(7)) requires a documented data backup plan, disaster recovery plan, and emergency-mode operations procedure — all three, not just the backup plan.

    Most P&C policy and claim files require 5–7 years of retention; workers' compensation often runs 10+ years given lifetime medical exposure. Pull each state's records-retention rule and the carrier's WC manual before destroying anything — premature destruction creates discoverable spoliation risk.

    Apply current vendor patches to Veeam, Commvault, Rubrik, or whichever platform is in use, plus OS-level agents on backed-up hosts. NYDFS Part 500 §500.05 expects vulnerability management to cover backup infrastructure, not just production servers.

Backup Execution

    Confirm replication to the secondary region or offsite tape vault completed cleanly since the last cycle. A backup that exists only on the primary array is not a backup — and a single-region failure during a regional cloud outage will surface as a market-conduct finding.

    Schedule the full backup during a low-traffic window, typically Saturday night for the AMS and Sunday morning for policy admin, to avoid colliding with rating-engine batches and overnight commission runs.

    Incrementals capture diffs since the last full. Verify the incremental chain is intact end-to-end; a broken link in the middle means a restore will fail at exactly the wrong moment, typically discovered only during the next test cycle.

    NYDFS Part 500 §500.15 requires encryption of NPI in transit and at rest unless infeasible and approved by the CISO in writing. AES-256 is the standard floor; verify the encryption status on the actual backup media, not just the policy setting in the console.

    Attach the backup-software job report. Flag warnings — Veeam VSS errors, Commvault dedup misalignments, agent timeouts — for review even when the job reports overall success. Warnings ignored over multiple cycles are how silent corruption enters the chain.
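
    One way to check the incremental chain and surface warnings on jobs that reported success, as an added example that is not part of the original checklist or any vendor's tooling. The catalog layout, field names, job IDs, and warning text are constructed assumptions; map them to whatever the backup platform's job report actually exports.

```python
# Constructed sample catalog; field names are assumptions, not a vendor schema.
SAMPLE_CATALOG = [
    {"id": "F-0601", "type": "full", "parent": None, "status": "success", "warnings": []},
    {"id": "I-0602", "type": "incremental", "parent": "F-0601", "status": "success",
     "warnings": ["VSS writer timeout"]},
    {"id": "I-0603", "type": "incremental", "parent": "I-0602", "status": "failed", "warnings": []},
    {"id": "I-0604", "type": "incremental", "parent": "I-0603", "status": "success", "warnings": []},
    {"id": "I-0605", "type": "incremental", "parent": "I-0699", "status": "success", "warnings": []},
]


def check_chain(catalog, restore_point_id):
    """Walk from a restore point back to its full backup and report every break."""
    by_id = {job["id"]: job for job in catalog}
    path, broken, warnings = [], [], []
    current = restore_point_id
    while current is not None:
        job = by_id.get(current)
        if job is None:
            broken.append(f"{current}: not in catalog")  # link missing from the chain
            break
        if current in path:
            broken.append(f"{current}: parent loop")  # corrupt catalog metadata
            break
        path.append(current)
        if job["status"] != "success":
            broken.append(f"{current}: status {job['status']}")
        # Warnings do not break the chain but must reach the reviewer.
        warnings += [f"{current}: {w}" for w in job["warnings"]]
        if job["type"] == "full":
            break
        current = job["parent"]
    else:
        # Loop ran out of parents without ever reaching a full backup.
        broken.append("chain ends without a full backup")
    return {"restorable": not broken, "path": path, "broken": broken, "warnings": warnings}


if __name__ == "__main__":
    for point in ("I-0602", "I-0604", "I-0605"):
        print(point, check_chain(SAMPLE_CATALOG, point))
```

    A clean result here only shows the catalog metadata is consistent; it does not replace the restoration tests in the next section.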

Restoration Testing

    Pick a random policy bound this quarter and restore the dec page, application, and underwriting file. A restore that succeeds at the file-system level but produces a corrupted policy record fails the test — verify the record opens cleanly in PolicyCenter or the AMS.

    Restore a closed claim with adjuster notes, recorded statements, and photo attachments. Claims data with binary attachments is the most common restore-failure scenario — the metadata restores cleanly but the BLOB references break.

    Compare the actual restore window against the carrier's documented RTO. If the RTO is 4 hours and the test took 9, that's a finding regardless of whether the restore succeeded — the BCP is out of date.

    Restore success means the data is complete, accurate, and accessible — not that the job finished without errors. A 'completed' restore producing a corrupted policy file or unreadable PDF attachment is a No.

    Open a P1 with the backup vendor, notify the CISO in writing within 24 hours, and log the failure in the incident register. Recurring restore failures become a market-conduct exam finding under the carrier's information-security program review.

Documentation and Audit Sign-Off

    Reflect any change in scope, schedule, encryption configuration, or retention in the Written Information Security Program. Auditors compare the WISP to the actual workflow — a runbook that describes a tape rotation the team stopped using two years ago is a finding.

    Pull the most recent SOC 2 Type II report and confirm coverage of the Availability and Confidentiality trust criteria. Part 500 §500.11 vendor oversight requires evidence on file — a returned questionnaire alone does not satisfy the standard.

    Tie out completed jobs against the expected weekly schedule. Any gap — missed full, broken incremental chain, skipped offsite copy — becomes an input to the biennial risk assessment under Part 500 §500.09.

    The CISO or designate signs off on the week's backup cycle. Capture the overall result, any reviewer notes for follow-up next cycle, and the digital signature for the audit file.