
Disaster Recovery: When RPO meets RTO

Disaster recovery as a service or DRaaS sounds dramatic. To allow your business to boom after an unexpected blip, you’ve got to be prepared to weather a disaster recovery storm. That means knowing how to prevent a disaster in the first place, and if the worst happens, knowing how to pick your business up and carry on with minimal disruption. Our disaster recovery guide can help you do that. 

In the tech world, we’re experts in acronyms, and we’re well-versed in loaded three-letter-terms. When we’re talking about your disaster recovery plan, you’ll want to know what RPO (Recovery Point Objective) and RTO (Recovery Time Objective) both represent and how they can help you create a strategy to keep your business afloat if the worst actually happens.


What is RPO (‘Recovery Point Objective’)?

The Recovery Point Objective is the maximum amount of data that can be lost, measured from the last time the data was backed up to the point at which it was lost. For RPO, it’s all about how much data can be lost before it seriously impacts the ability of your business to function.

What is RTO (‘Recovery Time Objective’)?

The Recovery Time Objective is all about the amount of downtime your business will have until it’s back up and running and available to customers. As part of a robust disaster recovery plan, RTO focuses on the time it takes for your systems to get back online after your customers or users have been impacted.


How do you prioritise which apps or services should be your focus after a disaster?

There’s no clear-cut ‘one size fits all’ formula for coming up with a disaster recovery plan. Your own business will have its own priorities based on your customer base and how you deal with them.

Some businesses will operate with specific Service Level Agreements (‘SLAs’) around certain processes or customer experiences, which will mean that restoring a particular service will be top of your list of priorities.

Anything centred around the profit of your business is likely to be a critical consideration. You may have carried out a Business Impact Analysis (‘BIA’) as part of your disaster recovery and business continuity plan, which will centre around recovering the key data that drives your business and understanding which applications are pivotal to your customers.
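The RPO and RTO definitions above, together with the SLA-driven prioritisation this section describes, can be turned into a simple check. The following is an added example, not code from the original article or from Intercity; the service names, objectives, backup times and incident timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: evaluates achieved RPO/RTO against each service's objectives
# and derives a recovery order. All services and timestamps are constructed.

@dataclass
class Service:
    name: str
    rpo: timedelta           # maximum tolerable data loss
    rto: timedelta           # maximum tolerable downtime
    last_backup: datetime    # completion time of the most recent good backup

def evaluate(services, incident, restored):
    """Per service: achieved data loss (RPO) and downtime (RTO) vs. objectives.

    incident: when the data/service was lost; restored: name -> time back online.
    """
    results = []
    for svc in services:
        data_loss = incident - svc.last_backup       # achieved RPO
        downtime = restored[svc.name] - incident      # achieved RTO
        results.append({
            "service": svc.name,
            "data_loss": data_loss,
            "rpo_met": data_loss <= svc.rpo,
            "downtime": downtime,
            "rto_met": downtime <= svc.rto,
            "restore_by": incident + svc.rto,         # deadline implied by RTO
        })
    return results

def recovery_order(services):
    """Order services by RTO, tightest first: the restore priority list."""
    return [s.name for s in sorted(services, key=lambda s: s.rto)]

# Constructed sample: three services with tiered objectives (e.g. from a BIA).
SERVICES = [
    Service("payments-api", timedelta(minutes=15), timedelta(hours=1), datetime(2018, 5, 1, 11, 50)),
    Service("crm-db", timedelta(hours=4), timedelta(hours=8), datetime(2018, 5, 1, 6, 0)),
    Service("wiki", timedelta(hours=24), timedelta(hours=48), datetime(2018, 4, 30, 22, 0)),
]
INCIDENT = datetime(2018, 5, 1, 12, 0)
RESTORED = {"payments-api": datetime(2018, 5, 1, 12, 45),
            "crm-db": datetime(2018, 5, 1, 21, 0),
            "wiki": datetime(2018, 5, 2, 9, 0)}

if __name__ == "__main__":
    print("Recovery order:", recovery_order(SERVICES))
    for r in evaluate(SERVICES, INCIDENT, RESTORED):
        print(r)
```

In the sample data the CRM database misses both objectives (six hours of data lost against a four-hour RPO, nine hours down against an eight-hour RTO), which is exactly the kind of gap a BIA review should surface.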


Intercity can be your disaster recovery saviour

How can Intercity help you with working out your RTO/RPO parameters to make sure the impact on your business is minimised?

With our Touch Cloud and Touch Secure platforms, we can manage your servers securely and make sure that your IT is available when you need it most: we work with your RPO and RTO firmly in mind.

With our dedicated data centres and experts managing your infrastructure, your cloud servers are in safe hands: we’re here for you 24 hours a day, 7 days a week and 365 days a year, ensuring that your business continuity plan can be implemented as soon as a disaster occurs.

In the event of a hardware failure, your information and projects are stored remotely and can be accessed quickly to keep your staff working and your customers happy.

Contact us at Intercity to help disaster-proof your business and build a solution around your business’ RPO and RTO.


Managing your people, processes and technology – A GDPR compliance checklist

As 25th May 2018 looms closer, Information Security personnel and anybody responsible for data protection should be ready to ensure that their organisation has completed their GDPR compliance checklist for the General Data Protection Regulation coming into force on that day.

Data Privacy Impact Assessments (DPIAs) should be well on their way to completion and Data Flow Maps drafted, if not already pinned to the walls of your ‘War Room’ as you manage the mass of information that tracking Personal Data (“Data”) has caused!

Keeping Data-tracking simple is the key. Don’t over-complicate the process. In most cases, we only need one ‘Source of Truth’ Data set used in multiple places for different legitimate reasons for collection and processing.

As Intercity’s Information Security & Compliance Manager I am responsible for our GDPR compliance project. From my experience, a key tip is to look at the processes that employ the Data and track them rather than trying to track the full lifecycle of the Data all at once.


Your GDPR compliance checklist:

Provided that you keep the Source of Truth, tracking the process enables you to tackle bite-size chunks with the relevant stakeholders and ask the following questions for each process as part of your GDPR compliance checklist:

  1. What is the reason for collecting/processing the Data?
  2. What do they do with the Data?
  3. Is the Data altered or added to (and if so, is this then another Source of Truth)?
  4. How much is the Data processed?
  5. Do they just have the Data because years ago it was done this way?
  6. Could the Data be extracted from the Source of Truth when needed rather than keeping a separate copy?

The answers to these questions could be “Yes, we use the Data” or “No, we don’t need the Data any more as we now have access to the system” or even “I like keeping the Data, just in case.”

GDPR compliance isn’t intended to stop you from processing Data or stripping it down so there is only one Source of Truth. It’s intended to ensure that you:

  • Know the Data location
  • Have a legitimate reason for having the Data
  • Understand what you do with the Data
  • Take responsibility for the Data
  • Do everything reasonably possible to keep that Data secure!


Remember – Data doesn’t belong to the company, it is just on loan from people who are entitled to expect that it will be used only for the purpose that it was collected and will be safe in someone else’s hands

Risk Management and Information Security are fundamental processes within GDPR!

So what causes Information Security Risk? People, processes and technology.

People are one of the biggest risks as we can’t control everything that they do. You can’t put a firewall or some configuration in front of someone to say you can’t process Data in that way or if you get this Data, you must do a particular thing with it.

People are independent, so although you can influence them, you can’t control them. So how do we mitigate the risk? Employees should understand the risk associated with Data, particularly that which they hold or process. A training program including Data protection and information control should be given to everyone, supported by published, accessible policies and processes on: information classification, document control and acceptable use of equipment.


Technology also plays a massive part in any key business process. From small SMEs to enterprises, technology is everywhere. From obvious visible technology like laptops, mobile phones, Internet, email and applications, to technology used in the background like servers, cloud computing and firewalls – the list goes on and on. Ensuring the security of all technology that collects or processes Data should be a key part of your GDPR compliance checklist.


ISO27001 Information Security accreditation is a key indicator of how seriously an organisation takes security. ISO27001 certification ensures the ongoing confidentiality, integrity and availability of information within the business. Have you asked your suppliers whether they have this certification?

Ask for a copy of the certificate along with a signed Code of Conduct – this will give you more confidence that any outsourced processing of Data is being handled appropriately.

To sum up, my tips as a GDPR practitioner going through the Information Security GDPR compliance process are:

  • Make GDPR compliance realistic and a helpful way of securing Data rather than just a word that means more work! Don’t over-complicate the process!
  • Keep it in bite-size chunks and look at Data within each process.
  • Give key stakeholders the responsibility for the Data that they collect/process.
  • Don’t over-complicate your Code of Conduct. It’s important to get it right but just ask the key questions – not every information security question available.
  • Don’t panic … prioritise high-risk areas first such as HR and Marketing.
  • And remember with GDPR, Data means Personal Data only – not all data!