Storing and backing up data is essential to any business. But when it comes to actually creating your credit union’s personalized backup and retention plan, trying to understand all the components that go into storing data and what will work best for your credit union’s needs can be overwhelming. It can leave you asking, “What does it all mean and how do I figure out what makes sense for my organization?” Let’s break it down.

Terms to know

There are many different acronyms and terms for backing up data: RPO, RTO, onsite, offsite, retention, and redundancy to name a few. To understand how to plan and create a backup strategy, let’s first start by understanding the terms and some strategies:

RPO: Recovery Point Objective is the frequency at which data is backed up. Are daily backups adequate? Do you have infrastructure to support your RPO?

RTO: Recover Time Objective is the amount of time data or services need to be recovered within. Do you need to have your email service functioning within eight hours of an outage? Do you have infrastructure to support your RTO? Understand that infrastructure is one component of RTO, training and practice recovering application and data is also an important consideration.

Onsite Backup: Backups that are performed and stored onsite. These local backups allow for a higher RPO and lower RTO as local network speeds are typically much faster than Internet speeds.

Offsite Backups: Backups that are stored off premise. This can be done via a network transfer over the Internet. It can also be as simple as taking tapes or external drives containing backups to a different location.

Retention: Very simply. How long backups are saved. Do you have infrastructure to support your retention?

Redundancy: It is important to understand that redundancy is not the same as a backup. Redundancy allows for recovery in the event of a failure. It does not allow for recovery of lost, damaged, altered, or destroyed data.

Planning your strategy

Now that the basics are understood, designing a strategy is a manageable process.

1. Identify applications and data (i.e. file shares, email, imaging systems, etc.).
2. Determine acceptable RPOs for the applications and data. These may vary based on the data or application. For example, it may be acceptable to lose eight hours of word and excel documents, but unacceptable to lose eight hours of email.
3. Determine acceptable RTOs for the applications and data. Can the organization tolerate twelve hours without email? Eight hours without imaging solutions?
4. Determine Retention for Onsite and Offsite backups. How far back might you need to recover data? Make sure this matches written policy.
5. Design Onsite and Offsite systems that are capable of meeting RPO, RTO, and retention goals. Can the source environment meet the desired recovery objectives? Does the backup environment? Can the Internet connection send the data offsite within the desired time frame?

Tying it all together is a regular testing plan. It’s important to validate that the system is not only able to recover data, but able to meet the desired recovery objectives. Production environments are dynamic; what worked on day one may work differently after year one.

As mentioned earlier, infrastructure is one component to meeting recovery objectives. The second – and more important – component is having staff members with experience recovering your data and applications. Regular testing allows them to practice and identify gaps in a situation that is far less stressful than a real recovery event. This training ensures that when the real event happens, your staff will know what to do.