Understanding how often to backup your organization's critical data, applications and systems depends on how you want recovery to run. The goal for managing your backup strategy should be to mitigate the impact of a disaster on your business. Generally speaking, there are two guiding parameters that must be considered when creating a backup and recovery strategy: recovery time objective (RTO) and recovery point objective (RPO).
Defining the key terms: RTO and RPO
RTO is the targeted amount of time it should take to restore a business process to full functionality after a disaster before there are unacceptable consequences to your business. If your RTO is 30 minutes then you intend to have a system recovery completed within 30 minutes or less.
RPO answers the question, how much data is your business able to lose after a disaster strikes? An RPO is the targeted amount of time you will be able to recover historical data before there are unacceptable consequences to your business. Recovery that is not an instant restore will happen over a period of time and RPO is a measurement of time, not a measurement of lost data. So if your server went down right now and your RPO is 30 minutes, then you are planning to recover data from a backup made 30 minutes ago or less.
Understand your business
In order to understand how a disaster will affect your business and determine your RPO and RTO, you must first complete an audit to create a comprehensive catalog of your environment. Next, perform a business impact analysis to determine the impact of each system, service, application, etc. The result of this analysis will help determine your RPO and RTO. Decide on and record the maximum amount of downtime and data loss the business can accept for each component.
Understand your data hierarchy
From an operations perspective, businesses will have certain expectations about the availability of specific data, applications, and systems. Data availability needs should be discussed with each department in your organization and expectations should be decided upon based on the hierarchy of business critical data. Some data will inevitably be more important to the existence of your business and your recovery strategy should reflect this hierarchy with varying backup frequency and retention policies.
Determine realistic objectives
It is not uncommon that an executive or leadership team may have certain expectations and it’s also not uncommon to find a gap between those expectations and the reality of your current backup infrastructure. Make sure your business is investing resources to keep your infrastructure modern if you will be expected to comply with modern objectives like instant recovery.
The bottom line: to determine your disaster recovery objectives you must understand how your business is impacted by its data. Then, use this information to implement a backup strategy that will allow you to meet these objectives.