Recovery Point Objective (RPO)

Recovery Point Objective (RPO) is a term used in the field of information technology. In particular, it has been coined to describe a strategy for backing up and protecting data, which specifies how much data loss an organization can accept when recovering from a disaster.

RPO is commonly used in conjunction with a complementary metric called Recovery Time Objective (RTO). RPO and RTO were first presented as part of NIST 800-61:  guidelines on electrical power grid cyber security.

The importance of RPO

The risk of losing data has real-world consequences for businesses. Since business operations are critical to any organization’s survival, many organizations have strict standards in place to ensure the appropriate level of protection for their most important data assets.

Acceptable data loss

RPO specifies an acceptable amount of data loss that can be tolerated by the organization before initiating a recovery action. If an organization experiences more data loss than what was specified or contained within its RPO, it is likely that the company will experience significant problems recovering from a disaster situation. Although both RPO and RTO are designed to mitigate potential losses resulting from cyber-attacks or other computer-related disasters, RPO is often used as part of information security strategies.

Establishing an RPO strategy

The first step to establishing an RPO strategy is to list, as accurately as possible, all the information assets used by the organization and valued by business operations. This includes data such as:

• financial transactions
• human resources information
• client Information

Once these important data assets have been identified, it’s necessary to establish a plan for protecting them that considers recovery time and recovery point objectives.

The final step of this process is to create formal documentation of key agreements, including but not limited to:

• contractual obligations between companies
• service level agreements (SLA)
• effective dates of SLAs
• turnaround times specified in SLAs
• frequency of backups

It’s equally important to clearly identify the roles and responsibilities of all parties involved, including but not limited to:

• the customer’s management
• the supplier’s management
• support staff employed by the customer
• support staff employed by the supplier

The RPO+RTO framework

Once the goal of protecting an organization’s data assets has been established, it becomes necessary to create a strategy that will help protect these assets. The RPO+RTO model provides businesses with strategies for backing up and recovering important information in the event of disaster or disruption by including Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

How it works

The RPO+RTO framework can be used by determining the extent of impact felt after certain types of data loss have occurred. Extensive damage might call for RTOs measured in days, while limited damage might only require recovery within several hours. By establishing both an acceptable amount of time prior to initiating recovery procedures as well as how much data loss is permissible, organizations can create a plan for protecting their most important data assets.

RPO+RTO examples

Bear in mind that RPO and RTO can be difficult to determine without considering your organization’s unique situations and requirements. The following examples provide just two possible ways of implementing these guidelines:

• A retailer with a strong online presence might determine that any loss or downtime that occurs on its e-commerce platform would have the greatest degree of impact. In this case, it could set its RPO at zero (meaning no acceptable losses) but establish an RTO measured in hours.
• An accounting firm might require strict standards for disaster recovery because its information is such a critical resource to its business operations; however, if it were not providing services 24/7, the time needed to recover information would likely be longer than an e-commerce platform and could be measured beyond hours and maybe even days.

Using RPO in data security strategies

RPO is often used as part of an organization’s data security strategy, which includes developing strategies for preventing cyberattacks causing downtime or data loss. This process typically involves several steps:

• Identifying network security vulnerabilities.
• Implementing risk management processes to address all identified issues.
• CNSSP certification, which is a recognized standard for cyber-security best practices instituted by the National Institute of Standards and Technology (NIST).
• Development of an information security program that includes business continuity plans, disaster recovery plans and contingency planning measures.

How to measure RPO

Measuring RPO can be difficult because it depends on multiple variables, including the type of data being protected, the value of that data and its configuration state. For example, finance departments might require backup servers running real-time applications to avoid downtime altogether while other departments are willing to accept some loss of information.

Determining an acceptable level of risk before backing up or recovering information is known as establishing an RPO threshold, which functions as part of a business continuity plan to help ensure important data assets are always accessible if disaster strikes.

Why should you care about the recovery point objective (RPO) for disaster recovery?

With the rise of cyberattacks and data breaches, businesses must consider investing in disaster recovery plans to help protect their valuable data assets. The Recovery Point Objective (RPO) is often used when measuring how quickly this type of information should be recovered after a disaster or disruption occurs. Managing RPO thresholds can help organizations prioritize which systems are more critical than others and establish an effective strategy for protecting these valuable resources against any possible downtime or loss of information.

By following a set of best practices for data security, which includes establishing an RPO threshold, organizations can be more confident that their vital information assets will remain accessible when disaster strikes.

Frequently asked questions about recovery point objective

What is the difference between RPO and RTO?

RPO stands for Recovery Point Objective. This is the time interval in which you need to recover your IT infrastructure in order to maintain business continuity. The RTO stands for Recovery Time Objective, this is how much downtime can be tolerated from a system or application perspective before it needs to be available again. Usually, these two measures are used together, but they are different parameters of a larger enterprise disaster recovery plan. In other words, they both work together as part of a larger strategy.

What happens if the recovery point objective (RPO) is too low?

If your organization’s Recovery Point Objective (RPO) is too low it might have to sacrifice some functionality in order to meet its goals. For example, some organizations may lose access to particular systems during a scheduled backup, while others might experience downtime when recovering information from a server that doesn’t have enough computing power to function properly after being restored.

What is the difference between RPO and RTO?

RPO stands for Recovery Point Objective. This is the time interval in which you need to recover your IT infrastructure in order to maintain business continuity. The RTO stands for Recovery Time Objective, this is how much downtime can be tolerated from a system or application perspective, before it needs to be available again. Usually, these two measures are used together, but they are different parameters of a larger enterprise disaster recovery plan. In other words, they both work together as part of a larger strategy.

How many days does it take to recover an application with one hour of RPO?

This depends on the application itself, the number of days worth of data that needs to be restored, and other factors. The RPO threshold should not be confused with the Recovery Time Objective (RTO), which is a different measure entirely. The RTO represents how long it takes to recover a system after failure, while the RPO tells you how far back in time you need to go when recovering data.

What is the recovery point objective in data storage?

The Recovery Point Objective, or RPO for short, represents the number of days that you are willing to lose when it comes to restoring your data after a disaster. This is generally measured in hours in order to make it more manageable. For instance, if an organization can only afford to lose up to five hours worth of data on average per day, then its RPO threshold would need to be set at five hours or less. The lower this number is, the better off your business continuity will be when something goes wrong with one of your key systems.