
EI-ISAC Cybersecurity Spotlight – Backups

What it is

A backup is a copy of the system or network’s data for file restoration or archival purposes. Backups are an essential part of a continuity of operations plan as they allow for data protection and recovery.

To back up data successfully, administrators use one of three backup types (full, differential, or incremental) or a combination of them. A full backup copies the whole system or all of the network’s data every time a backup is completed. A differential backup copies anything that has changed since the previous full backup was completed. Lastly, an incremental backup copies any changes since the last backup, whether that happened to be a full or differential backup.

Full backups are the most complete, allowing for a faster restore process, but are also slower and more expensive to implement. Incremental backups are the fastest and most cost-effective to implement because they only include changed information, but restoring the system is slow because it requires reinstalling from many backups to ensure all information is retrieved. For this reason, many administrators perform a combination of backups, creating weekly full backups, supplemented by differential and incremental backups.
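The restore-time trade-off described above, worked through as an added example (not part of the original Spotlight): the function lists which backups a restore needs under a mixed schedule and under an incremental-only one. The Backup record, the function names and both sample weeks are constructed for illustration, and each incremental is assumed to hold the changes since whichever backup preceded it.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Backup:
    taken: datetime
    kind: str  # "full", "differential" or "incremental"

def restore_chain(history, target):
    """Return, oldest first, the backups needed to restore the state at `target`."""
    usable = sorted((b for b in history if b.taken <= target), key=lambda b: b.taken)
    fulls = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup at or before the restore point")
    chain = [usable[fulls[-1]]]
    later = usable[fulls[-1] + 1:]
    # A differential holds every change since the full backup, so only the
    # newest one is needed and it replaces all backups taken before it.
    diffs = [i for i, b in enumerate(later) if b.kind == "differential"]
    if diffs:
        chain.append(later[diffs[-1]])
        later = later[diffs[-1] + 1:]
    # Each incremental holds only the changes since the backup before it,
    # so every remaining one must be applied, in order.
    chain.extend(b for b in later if b.kind == "incremental")
    return chain

def night(day, kind):
    """Constructed sample data: one backup at 23:00 on a day of January 2024."""
    return Backup(datetime(2024, 1, day, 23, 0), kind)

MIXED_WEEK = [night(7, "full"), night(8, "incremental"), night(9, "incremental"),
              night(10, "differential"), night(11, "incremental"), night(12, "incremental")]
INCREMENTAL_WEEK = [night(7, "full")] + [night(d, "incremental") for d in range(8, 13)]

if __name__ == "__main__":
    friday = datetime(2024, 1, 12, 23, 30)
    for name, week in (("mixed", MIXED_WEEK), ("incremental-only", INCREMENTAL_WEEK)):
        chain = restore_chain(week, friday)
        print(name, len(chain), [f"{b.taken:%a} {b.kind}" for b in chain])
```

Every backup in the returned chain must be intact for the restore to succeed, so a longer chain is both slower to apply and more exposed to a single damaged copy.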

Why does it matter

Backups are necessary because data is under constant threat of modification or erasure from accidental deletions, malware and ransomware, natural disasters, or other events. CIS Control 10 advises the creation of processes and tools to properly back up critical information with a proven methodology for timely recovery of it. This is especially important for election offices, as backups preserve election data from destruction or alteration, provide an efficient mechanism to recover deleted or corrupted files, and help offices abide by data retention requirements.

Backups also play a crucial role in expediting the recovery from malicious cyber activity, allowing the restoration of a system to a reliable state that is free of malware infections and retains the original data. Rebuilding or reimaging an infected system from a known good backup or fresh operating system installation is a common best practice in incident response. For instance, if an elections network is compromised due to malware, restoring systems from a clean, uncompromised backup will allow the system to be quickly remediated and put back into production without the work of identifying and ensuring the removal of all possible malicious files.

What you can do

An effective backup strategy consists of six components: data classification, frequency, encrypted, offline, offsite, and tested. Election officials should work with their technical staff to ensure the six components of a backup are discussed and the best options are selected. In addition, best practices dictate that any time major system upgrades or changes occur, technical staff should re-evaluate and test the backups.

  1. Data Classification – Classifying data by its importance and sensitivity is part of the risk management process and will help you determine what, and how frequently, that data should be backed up. For instance, data vital to election operations, such as voter registration information, would be considered a high priority and the risk management process may justify the use of nightly full backups.
  2. Frequency – Utilize a risk management process to identify the frequency in which the data should be backed up, based on how much data loss would be acceptable in the event of a catastrophic failure. The amount of data that can be lost (e.g. 24 hours’ worth) should then be used to determine how often data should be backed up. When making this decision, look back to your data classification. Data that is classified as essential should be backed up more often than less important data. Additionally, examine whether you will back up everything every time or only the newer data that has been added to the system.
  3. Encrypted – To ensure data integrity, backups should be encrypted. Having the backup encrypted will safeguard it if someone unauthorized tries to access it.
  4. Offline – Storing backups offline is an industry best practice that reduces the risk of malware infecting the copies. Some malware, such as ransomware, will specifically look for backups that are available on the network to hinder the recovery process.
  5. Offsite – Decide where and how often the backups will be stored offsite. Industry best practice dictates that backups should be stored offsite to ensure recovery is possible in the event of disasters, such as fire or flooding. Offsite backups could be physical copies or cloud based. The backup location is vital to the recovery process and must be a place where the backups will be secure and quickly accessible. The backup’s accessibility is directly tied to your recovery objective (how fast you need the data restored), which should be taken into consideration.
  6. Tested – Testing the backup’s integrity and the ability to successfully restore a system from the backup is essential to a successful restoration. This ensures that, if needed, the backups will be able to restore what has been corrupted or destroyed.
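
One way to carry out the test in item 6, as an added example that is not part of the original Spotlight: record a SHA-256 manifest when the backup is made, then restore the archive into a scratch directory and compare every file against that manifest. The tar.gz format, the function names and the sample file are assumptions chosen for illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source, archive):
    """Write source to a tar.gz (archive must live outside source); return its manifest."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest(source)

def restore_test(archive, expected):
    """Restore into a scratch directory and list every difference from the manifest."""
    # The "data" extraction filter exists only on newer Python releases.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(scratch)
    problems = [f"missing: {n}" for n in expected.keys() - restored.keys()]
    problems += [f"changed: {n}" for n in expected.keys() & restored.keys()
                 if expected[n] != restored[n]]
    return sorted(problems)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        src.mkdir()
        (src / "voters.csv").write_text("id,name\n1,Constructed Sample\n")  # constructed data
        recorded = make_backup(src, Path(work, "full.tar.gz"))
        print(restore_test(Path(work, "full.tar.gz"), recorded) or "restore test passed")
```

Keep the manifest somewhere other than next to the backup it describes, so that damage to one does not also hide damage to the other.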

For more information and recommendations on backups, please view potential backup options, CIS Control 10 - data recovery capability, the EI-ISAC Election Handbook, the NIST contingency planning guide for federal information systems, as well as how to create a data protection plan.


The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact

CIS Control That Helps Avoid This Issue: CIS Control 10: Data Recovery Capability