Backup Posture
Tooling, frequency, retention, integrity controls, and coverage of the district's backups.

Backup posture

Backup infrastructure

Which platforms back up student data? Multi-select — most districts run more than one (e.g. on-prem Veeam plus a cloud-native tool for M365 / Google Workspace).

How often Tier 1 systems (SIS, finance, M365) are backed up. Daily is the floor for most district workloads; hourly is appropriate for SIS during the school day.

How far back you can restore. Texas record-retention requirements for some student data extend beyond a year — verify against district records-retention policy before locking in a value.

Backups that can't be modified or deleted from inside the production environment. Ransomware that encrypts production storage can also encrypt mutable backups; immutability is the single most effective ransomware-recovery control.

Backup operations

Backup data encrypted on the storage medium itself, not just in transit. Modern backup tools usually default to AES-256 at rest, but verify — older configurations may not.

Who can read, restore, or delete from the backup system. RBAC with MFA is the target state; shared admin credentials are the worst case (one stolen password → full backup destruction).

How backup-job success/failure is observed. Dashboard-only means someone has to look; paged alerts mean someone gets told. Most districts miss silent failures for weeks before someone notices during a restore attempt.

Channel that failure events route to. Email-only is one rung above none; paged means a person is on the hook.
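An added example, not part of the original form or of any backup product, showing the check that separates paged alerting from dashboard-only monitoring: it flags explicit failures and also the silent case where a job simply stops reporting. The age limits, grace period, record format and job history are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy: maximum age of the last successful backup per Tier 1 system
# (hourly for SIS during the school day, daily for the rest).
MAX_AGE = {
    "sis": timedelta(hours=1),
    "finance": timedelta(days=1),
    "m365": timedelta(days=1),
}
GRACE = timedelta(minutes=30)  # assumed allowance for job run time

# Constructed job history: (system, finished_at, status)
JOBS = [
    ("sis", datetime(2024, 3, 4, 7, 0), "success"),
    ("sis", datetime(2024, 3, 4, 8, 0), "success"),   # then the job stops running
    ("finance", datetime(2024, 3, 3, 23, 0), "success"),
    ("m365", datetime(2024, 3, 3, 1, 0), "success"),
    ("m365", datetime(2024, 3, 4, 1, 0), "failed"),
]


def find_backup_gaps(jobs, now, max_age=MAX_AGE, grace=GRACE):
    """Return {system: reason} for each expected system that should page someone."""
    last_ok, last_status = {}, {}
    for system, finished, status in sorted(jobs, key=lambda j: j[1]):
        last_status[system] = status
        if status == "success":
            last_ok[system] = finished
    gaps = {}
    for system, limit in max_age.items():
        if system not in last_status:
            gaps[system] = "missing"   # never reported: invisible on a job dashboard
        elif last_status[system] != "success":
            gaps[system] = "failed"    # explicit failure on the latest run
        elif now - last_ok[system] > limit + grace:
            gaps[system] = "stale"     # silent: no error, the job just stopped
    return gaps


if __name__ == "__main__":
    for system, reason in find_backup_gaps(JOBS, datetime(2024, 3, 4, 10, 0)).items():
        print(f"PAGE on-call: {system} backup {reason}")
```

Running a check like this from a scheduler outside the backup server means a dead backup host still produces a page.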

Coverage & resilience

3 copies, 2 media types, 1 offsite. The offsite copy is what survives a site-level event (fire, flood, full ransomware blast). Cloud-only copy counts as offsite; same-site backup doesn't.

A copy that's logically disconnected from production: physically removable media, a write-once cloud tier, or a separate cloud tenant. This is the bar above immutability, aimed at the most determined ransomware operators.

Cross-reference with Data Stewardship's inventory (STW-INV F2 owner+tier mapping). "Tier 1+2 only" is acceptable if Tier 3 is genuinely low-value; "spotty" means the coverage map is unknown.

Written, system-specific recovery steps — not just a high-level DR plan. Per-tier runbooks (Tier 1 vs Tier 2) reflect mature practice.
