Restrict Backup Access to Unprivileged Users
Ensure that users without special permissions cannot see other people's backups.
Plain language
This control makes sure that only users with the proper permissions can see or get into backup files of others. It’s important because if someone without permission can access backups, they might see private information or alter important files without anyone knowing.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Official control statement
Unprivileged user accounts cannot access backups belonging to other user accounts.
Why it matters
If unprivileged users can access other users’ backups, confidential data may be disclosed and backup data could be altered, impacting integrity.
Operational notes
Enforce per-user backup ACLs so unprivileged accounts can only view/restore their own backups; regularly audit access and test restore permissions.
Implementation tips
- IT team should review user permissions for backup systems. First, list all users who have access to backup files. Then ensure only authorised personnel have the right permissions by checking and updating user accounts accordingly.
- System administrators should set up role-based access controls. Determine which staff need access to backup information and set permissions so only those roles can view or change backups. Use settings in your backup software to apply these controls.
- Managers should communicate policies on data access. Notify all staff about who is permitted to access backups and the reasons why restricting access is crucial for security. Regularly remind them through meetings or bulletins.
- IT security teams should implement auditing and monitoring tools. Set up alerts to track who accesses backups and investigate any unauthorised access attempts. Use logs to check the system regularly for suspicious activity.
- HR and IT should work together on training sessions. Educate staff about the importance of securing backups and recognising potential risks associated with unauthorised access. Make sure training is part of the regular professional development schedule.
Audit / evidence tips
-
Askthe list of current users with backup access
Goodshows only relevant IT or management roles listed, matching their job responsibilities
-
Goodis a document that clearly defines access roles and is updated regularly
-
Askrecent access logs to backup files
Goodshows that all entries match the access policy and roles
-
Goodincludes dated attendance records and summaries of what was covered in the sessions
-
Goodincludes logs of generated alerts and actionable steps taken following an alert
Cross-framework mappings
How ISM-1812 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 5.18 | ISM-1812 requires preventing unprivileged accounts from accessing other users’ backups | |
| Annex A 8.3 | ISM-1812 requires a specific access restriction: unprivileged users must not be able to access backups belonging to other users | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| E8-RB-ML2.1 | ISM-1812 requires that unprivileged user accounts cannot access backups belonging to other user accounts | |
| link Related (1) expand_less | ||
| E8-RB-ML1.5 | ISM-1812 requires that unprivileged user accounts cannot access backups belonging to other user accounts | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.