What does requirement say about storing media backups regarding location and security review?

Explanation:
Backups must be protected by their storage location and ongoing oversight. The requirement emphasizes keeping media backups in a secure location, preferably off-site such as an alternate or backup site or a commercial storage facility, so that disasters or incidents at the primary site don’t destroy the backups. Equally important is reviewing the security of that location at least annually, to ensure access controls, environmental protections, and other safeguards remain effective over time. This combination—off-site secure storage and an annual security review—helps maintain the resilience and integrity of backups.

Storing backups only at the primary site, in a desk drawer, or on personal devices would not provide the necessary protection or governance. Those practices fail to meet the intended control because they expose backups to the same risks as the live environment, lack formal security oversight, and introduce higher risk of unauthorized access or loss.
