Ensuring Operational Continuity: Creating Realistic RTO & RPO for Government Agencies

Shayan Jamshed | Product Marketing Manager

Whether you’re in education, health care, transportation, infrastructure (and the list goes on), your agency’s operational continuity is vital to providing resources and stability that so many constituents rely on. And continuing to deliver services as usual in the event of a data loss, corruption or cyber attack shouldn’t leave your dependents or your colleagues scrambling; a smooth remediation comes down to the work you do before the incident arises. In this blog, we unpack how to proactively set expectations for operational continuity and put them into action. 

Recovery Time Objective and Recovery Point Objective: What They Mean for Your Organization

Just as your data is unique, so is understanding its recovery thresholds. In order to set expectations for operational continuity, you must address two foundational pillars of recovery strategy: Recovery time objective (RTO) and Recovery point objective (RPO). 

Per the National Institute of Standards and Technology (NIST) guidelines, RTO is the “overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.” RTO helps minimize disruption and downtime of mission-critical operations and services. RPO, as defined by NIST, is “the point in time to which data must be recovered after an outage.” Defining an explicit RPO helps you design a data protection strategy that keeps data loss within a tolerable window.

Establishing an RTO and an RPO is important for more than just bouncing back after a data loss incident; it’s essential for compliance. The Federal Information Security Management Act (FISMA) requires that federal agencies develop, document, and implement programs to maintain the security of government information and operations. To be FISMA-compliant, agencies implement security and privacy controls developed by NIST, most recently published in NIST SP 800-53 Rev. 5, which includes specific commentary on RTO and RPO.

While RTO and RPO have their own independent value for government agencies, understanding both can lift the veil on operational impact and costs, and play a critical role in establishing expectations for data recovery. Keep in mind that RTO and RPO are concepts relevant to all data and need to be examined specifically for the SaaS applications that agencies are increasingly relying on.

Setting Realistic Expectations for RTO & RPO 

When it comes to protecting your agency, it’s easy to want to go big and bold. But setting achievable, maintainable RTO and RPO expectations requires an important shift from idealistic targets to truly manageable ones. As an organization, it’s up to you to take an objective look at how your RTO and RPO align with core operations, IT infrastructure, and budget. This ensures that you can respond quickly and effectively during a disruption, without overstretching resources (and your colleagues).

Setting realistic expectations should also include your data protection efforts: RPO goals must accurately reflect your agency’s backup capabilities, and improving those capabilities can in turn support shorter RPOs and RTOs. For example, if you’re operating in Salesforce and rely on weekly exports, switching to daily, automated backups could help bring down your RPO. Also, leveraging technology that supports rapid assessment of the scope of data loss and corruption, and the ability to surgically repair data, can reduce RTO.

In addition to addressing your agency’s unique needs, your RTO and RPO must factor in FISMA compliance. Failure to comply can have stiff penalties and consequences, including reduction or loss of federal funding, censure by Congress, and reputational damage. Therefore, it’s up to your agency to do due diligence around achievable RTO/RPO within the NIST Cybersecurity Framework and execute accordingly.

Critical Role of Recovery Testing 

Ensuring operational continuity boils down to more than just having a plan; it needs to be pressure tested. When a data breach, cyber attack, or unexpected outage occurs, you’ll want to have the confidence that you can respond to and recover from the event, which is best accomplished through recovery testing. 

For government agencies, recovery testing is especially important, as NIST security controls for Contingency Planning (CP) require backups to be recoverable and secure. For example, CP-09(02), “System Backup | Test Restoration Using Sampling,” states that federal information systems are required to demonstrate that “a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.” Testing your recovery processes ensures both that you’re in compliance and that you’ll be able to restore quickly and efficiently.

Testing backup recovery capabilities is not just a one-time technical exercise; it requires a combination of well-defined processes, properly prepared personnel, fit-for-purpose technology, and regular practice. Like any complex procedure, staff will be more effective at responding to, and recovering from, a data loss or corruption incident if they have been properly trained and have recent experience performing recovery testing drills. Drills give personnel the opportunity to practice specific actions, confirming that each person has the necessary access to technology and data, and the knowledge and skills to fulfill their roles and responsibilities in the process.

Recovery testing also helps assess how your backup and recovery solution operates when you need it most. You’ll be able to understand the amount of data that is backed up, which relationships are backed up and can be restored (including parent-child relations and attachments), and how streamlined the recovery process actually is. This way, you and your team can identify any gaps or shortcomings that would otherwise hinder your recovery process, and make appropriate changes before it's too late. 
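To make the RPO and RTO discussion above concrete, here is an added example (not code from the original post or from Own's product) that scores a recovery drill against target objectives. The backup timestamps, drill timings and targets are constructed sample data; it compares the "weekly exports" and "daily backups" schedules mentioned earlier to show how the schedule bounds the achievable RPO.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post): completed backup timestamps for a
# Salesforce org under two schedules, taken at 02:00 each run.
WEEKLY_BACKUPS = [datetime(2024, 3, 1, 2), datetime(2024, 3, 8, 2)]
DAILY_BACKUPS = [datetime(2024, 3, d, 2) for d in range(1, 9)]


def worst_case_rpo(backups):
    """Largest gap between consecutive backups: the most data a schedule can lose."""
    times = sorted(backups)
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def data_loss_window(backups, incident):
    """Gap between the last clean backup taken before the incident and the incident."""
    prior = [b for b in backups if b <= incident]
    return incident - max(prior) if prior else None


def evaluate_drill(backups, incident, restore_finished, rto, rpo):
    """Score one recovery drill against the agency's RTO/RPO targets.

    The RTO clock starts at the incident, not when someone begins the restore,
    so the outage is measured from incident detection to restore completion.
    """
    loss = data_loss_window(backups, incident)
    outage = restore_finished - incident
    return {
        "worst_case_rpo": worst_case_rpo(backups),
        "data_loss_window": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "outage": outage,
        "rto_met": outage <= rto,
    }


def run_drill_comparison():
    """Score a constructed drill (corruption found 2024-03-04 14:30, restore done 18:00)
    against both schedules, with a 4-hour RTO and a 24-hour RPO target."""
    incident = datetime(2024, 3, 4, 14, 30)
    finished = datetime(2024, 3, 4, 18, 0)
    targets = dict(rto=timedelta(hours=4), rpo=timedelta(hours=24))
    schedules = (("weekly exports", WEEKLY_BACKUPS), ("daily backups", DAILY_BACKUPS))
    return {name: evaluate_drill(sched, incident, finished, **targets) for name, sched in schedules}


if __name__ == "__main__":
    for name, result in run_drill_comparison().items():
        print(name, result)
```

With these inputs the daily schedule meets both targets (12.5 hours of data loss, 3.5 hours of outage), while the weekly schedule blows through the 24-hour RPO even though the restore itself was fast.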

Make Operational Continuity a Reality with Own 

While government agencies are committed to prioritizing the public good, it’s critical that they prioritize their own protection, including operational continuity efforts. By creating realistic expectations for RPO and RTO, conducting recovery testing, and assessing backup and recovery capabilities, agencies can make sure that they satisfy the security controls articulated by NIST and other compliance requirements.

With solutions like Own Recover, agencies can ensure that regulatory compliance and fast, efficient recovery are always part of the equation, keeping your mission, data, and peace of mind protected. Own is FedRAMP® Authorized, and also uses the industry-leading Data Recovery Readiness & Response (DR3™) methodology to elevate an organization's contingency planning maturity level. Agencies can also elect to work with an Own Technical Account Manager, helping identify, assess, and bridge data protection gaps, and ensuring help when a data loss does occur. 

Shayan Jamshed
Product Marketing Manager

Shayan is a Product Marketing Manager at Own, where he helps drive the go-to-market strategy for Own’s industry solutions. Shayan joined Own with a background in B2B Product Marketing across several industry sectors.
