1. Backups must be taken offsite on a separate server (obvious, but surprisingly some people miss this).
2. Backups must be tested frequently. If you cannot test a backup, you don't have a backup.
3. Frequency depends on the criticality of your data, your contract/SLA with your customer, etc. Ideally, you should be able to have Point-in-time-Restore (PTR) going back a certain number of hours/days/weeks.
4. Make sure to have notifications for backup failures. If a backup failed, you must be notified to correct it manually.
5. Bonus: Have a backup reconciliation script that runs additionally to reconcile all backups for a certain period.
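
An added example (not part of the original list) of the reconciliation script from item 5: it walks every day in a period and compares what the backup job recorded against what the offsite server holds. The manifest and offsite record layouts, all names, and the one-week sample inventory are assumptions constructed for this example.

```python
import hashlib
import sys
from datetime import date, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reconcile(start, end, manifest, offsite):
    """Return {day: problem} for each day in [start, end] whose backup is
    unrecorded, failed, missing offsite, empty, or fails its checksum."""
    problems = {}
    day = start
    while day <= end:
        entry = manifest.get(day)   # what the backup job recorded
        blob = offsite.get(day)     # what the offsite server actually holds
        if entry is None:
            problems[day] = "no backup job recorded"
        elif entry["status"] != "ok":
            problems[day] = "job reported " + entry["status"]
        elif blob is None:
            problems[day] = "recorded but not present offsite"
        elif not blob:
            problems[day] = "offsite copy is empty"
        elif sha256(blob) != entry["sha256"]:
            problems[day] = "checksum mismatch"
        day += timedelta(days=1)
    return problems

def sample():
    """Constructed one-week inventory: days 1-2 are good, days 3-7 each
    show a different failure."""
    d = lambda n: date(2024, 1, n)
    dumps = {n: f"dump for day {n}".encode() for n in range(1, 8)}
    manifest = {d(n): {"status": "ok", "sha256": sha256(dumps[n])}
                for n in (1, 2, 3, 5, 6, 7)}        # day 4: job never ran
    manifest[d(5)]["status"] = "failed"             # day 5: job failed
    offsite = {d(n): dumps[n] for n in (1, 2)}      # day 3: never copied
    offsite[d(6)] = b""                             # day 6: zero-byte file
    offsite[d(7)] = dumps[7][:-1]                   # day 7: truncated
    return d(1), d(7), manifest, offsite

if __name__ == "__main__":
    found = reconcile(*sample())
    for day, problem in sorted(found.items()):
        print(f"{day}  {problem}")
    sys.exit(1 if found else 0)  # non-zero exit lets the scheduler alert
```

The day with no recorded job at all is the case a per-job failure notification (item 4) cannot catch, because a job that never ran sends nothing.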