What is the difference between a recovery point objective and recovery time objective in terms of incident response?
Both a recovery point objective (RPO) and recovery time objective (RTO) are terms involved with business continuity (BC) and disaster recovery (DR). These are perhaps the two most important terms in the entire BC/DR space, when considered from the perspective of the business.
Backing up a bit, the main idea of business continuity and disaster recovery is: What must the organization do before, during and after a disruptive incident to ensure the business can continue to operate? What the organization will do and how it will consist of assorted processes and technologies that are outside the scope of this response.
Regardless, before you can determine your processes and select appropriate technologies, you need to perform a business impact analysis. This analysis will help you determine how long the business can afford to be without whatever service you are considering, as well as how much data the organization can afford to lose. This is precisely what RTO and RPO are.
An RTO is an assessment of how long a business feels it can be without certain services or systems before seeing negative effects. This can be a matter of minutes, hours or even days. It just depends on what the needs of the business are.
The flip side of this is an RPO. That is, in less fancy terms, how much data can be acceptably lost, which is also measured in time. Realistically, this translates into how many minutes, hours, days, etc., have elapsed since the last backup. This will depend heavily on what the data is and how critical it is to the business, just like RTO. This doesn't necessarily imply backup to tape, but can also be some sort of synchronization or asynchronies copy to another facility.
As mentioned previously, these decisions are driven by how much data and time the business thinks it can lose. This is generally done as a basic cost benefit analysis of how much can be lost versus how much will it cost to prevent that loss. Case in point, if your RTO and RPO needs to be under an hour, costs can easily go into the millions of dollars to architect a useable solution, whereas an RTO/RPO of 12-24 hours might hit the low hundreds of thousands of dollars. Again, this will depend heavily on the volume of data, how often it changes and how it is being handled.
- Check out this series of videos on disaster recovery and business continuity.
- Cloud computing can aid disaster recovery: Learn how to justify information security spending on cloud computing.
Dig deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from David Mortman, Contributor
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.