This entry is part of the series Ten things you can do to improve IT security and reliability without spending money
Do you run backups and get them offsite weekly or more frequently? When was the last time you verified that backups actually did go offsite? When was the last time you verified (by testing) that you can successfully recover from them?
Here’s the way we approach this with clients. Start with two simple questions:
1. How much data or work can you afford to lose? In some organizations losing a full day’s worth of work is annoying, but not a big deal. In others, lost hours of work, or unrecoverable missing transactions, could be very costly. So you need to determine, in the worst case scenario, what you are prepared to lose. This is called Recovery Point Objective (or RPO). If the ABC Agency is prepared to lose one day of work due to some fatal computer failure, then their RPO would be one day.
2. How long can you afford to be down? (Or how fast do we need to get things recovered?) Some organizations could withstand being down for a week, maybe more; others only a day. This is called Recovery Time Objective (or RTO). If the ABC Agency’s computers or servers were to disappear today, and ABC’s management team said, “We must have all our systems recovered by a week from today,” then their RTO would be seven days.
The next step is to adjust your current backup technology, or choose new backup technology—whether hardware, software, or online services—to support your Recovery Point Objective. In the case of the ABC Agency I just mentioned, it was prepared to lose one day of work, so its RPO is one day. Just about any backup technology that runs nightly would be suitable for that situation.
Next, you need to evaluate whether your current backup technology—or any new technology you might be considering—will also support your Recovery Time Objective. So, let’s see… the ABC Agency has an RTO of seven days. Since it might take more than 7 days to order new servers, re-install all the software, and restore all the data from the backups, a tape-based backup technology might not meet their Recovery Time Objective. (By the way, if you need help selecting or evaluating the appropriate backup technology, I can provide consulting assistance—at no charge—just send email to bill@pragmatix.com.) Once you’ve settled on a technology, you need to get it implemented and assign it to one or more people to carry out as part of their routine duties.
And finally, you need to verify (a) that the employees are in fact performing their assigned backup duties and (b) that the backups will actually work. There is a simple way to verify both: test the recovery process. In our company, we do a test recovery once per month, as a scheduled event.
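A scheduled test recovery can be scripted so that it checks both objectives at once. The sketch below is an added example, not a tool from this series: it restores the newest backup into a scratch directory, compares every file against hashes recorded at backup time, and reports a stale backup (RPO) or a slow restore (RTO). The function names, the zip archive format and the one-day and seven-day limits (taken from the ABC Agency illustration) are assumptions, and the timing covers only the data restore, not ordering servers or re-installing software.

```python
import hashlib
import tempfile
import time
import zipfile
import zlib
from pathlib import Path

RPO_SECONDS = 24 * 3600        # ABC Agency example: prepared to lose one day of work
RTO_SECONDS = 7 * 24 * 3600    # ABC Agency example: recovered within seven days

def file_hashes(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source_dir, archive):
    """Constructed stand-in for the real backup job; returns the manifest to keep."""
    manifest = file_hashes(source_dir)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(Path(source_dir) / rel, rel)
    return manifest

def verify_recovery(archive, manifest, rpo=RPO_SECONDS, rto=RTO_SECONDS, now=None):
    """Restore into a scratch directory; return a list of failures (empty = pass)."""
    failures = []
    # RPO check: the newest backup must not be older than the work we can afford to lose.
    age = (time.time() if now is None else now) - Path(archive).stat().st_mtime
    if age > rpo:
        failures.append(f"RPO missed: newest backup is {age / 3600:.1f} h old")
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(scratch)
        except (zipfile.BadZipFile, zlib.error, OSError, EOFError) as exc:
            return failures + [f"restore failed: {exc}"]
        restored = file_hashes(scratch)
    # RTO check: time only the data restore; add hardware and re-install time separately.
    elapsed = time.monotonic() - started
    if elapsed > rto:
        failures.append(f"RTO missed: restore took {elapsed:.0f} s")
    # Integrity check: every file recorded at backup time must come back unchanged.
    for rel, digest in manifest.items():
        if restored.get(rel) != digest:
            failures.append(f"missing or altered after restore: {rel}")
    return failures
```

Store the manifest separately from the backup media, so a damaged or tampered archive cannot also rewrite the hashes it is checked against.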