Today's focus: Establishing recovery time objectives with your
By Mike Karp
When you write a service-level agreement with one of the groups
in your company, how do you make sure that the value they place
on the data they leave under your control actually corresponds
to the data's true value to your firm?
Many of us contend with a group of department heads, each of
whom feels all the data that their department uses is critical
to the well being of the company. When you meet people like
this you may find yourself dealing with what is as much a
psychological issue as an IT problem. Tell a department head
that his departmental data is of lesser value than the data from
another department and he may think that you're saying his
department is of lesser value than another and, by extension,
that he too is not as important as some of his colleagues.
If putting yourself between a department head and his psyche is
not exactly what you had in mind when you asked your company's
management to define service levels for their data, then perhaps
the following may be of some use.
The Storage Networking Industry Association (SNIA), through the
work of its Data Management Forum, provides a useful set of
guidelines for defining the value of data. Its schema
classifies five different classes of data according to the
degree by which they must be accessible, available and
protected. In other words, data value is defined by how much
importance that data has to the running of the company.
The five classes are defined as "mission critical" (where data
must be available 99.999% of the time - the "five-nines" level
of protection that we hear so much about), "business vital"
(99.99% availability), "mission important" (99.9%), "important
for productivity" (99%), and "not important to operation" (90%).
Recovery time objectives (RTO) are defined as the maximum time
allowable for recovering data. Thus, for mission critical data
the RTO (taken as .00001 of the total year) is 1.5 minutes; for
business Vital data the RTO is 15 minutes; for mission important
data the RTO is two hours; for data important for productivity
the RTO is one day; and for data not important to operation to
RTO is one week.
Rather than asking the various stakeholders in your organization
how vital their data is (and probably finding out that everyone
claims "mission critical"), ask them how soon they need their
recoveries to occur. If they can wait 15 minutes, the odds are
pretty good that they (and you) will appreciate the savings that
can be applied. This is a fine way to implement an SLA. If you
want to check this out first-hand, go to:
A number of my readers have asked for stories about how their
colleagues at other companies are preparing for Sarbanes Oxley
and Health Insurance Portability and Accountability Act audits.
Have you just undergone such an audit, or do you see one in the
near future? Has preparing for such audit significantly
impacted the way your IT group goes about its work?
If you have a tale you'd like to share (anonymously, of course)
about what your team has done to ensure conformance to these or
other regulations - and of course, if what you want to talk
about really is "sharable" - send me an e-mail.
Copyright Network World, Inc., 2004