Recovery Strategies
What a recovery strategy is, and the cost-vs-RTO trade it optimizes
A hot site for a process whose downtime tolerance is a week is over-engineered waste, which is why the exam's correct recovery strategy is almost always the cheapest option that still meets the requirement, not the fastest one available. The requirement arrives as two numbers from earlier planning: the Recovery Time Objective (RTO), the maximum tolerable time a process can be down, and the Recovery Point Objective (RPO), the maximum tolerable data loss. A recovery strategy is money committed in advance to satisfy them, and this section optimizes that cost-versus-RTO trade.
A recovery strategy is pre-positioned capability, sized to requirements you were handed
A recovery strategy is the alternate site, the backup regime, and the resilient infrastructure you fund before a disruption so that, when one arrives, recovery completes inside the RTO and loses no more data than the RPO permits. The requirements engine sits upstream: the Business Impact Analysis (BIA) ranks processes by criticality and derives MTD, RTO, and RPO (covered in business-continuity). This subtopic does not re-derive those numbers; it spends against them. Keep that division straight, because a common exam distractor answers a strategy question by re-running the BIA, which is the wrong layer.
The cost-balance point: the single trade that governs every choice here
NIST SP 800-34 Rev. 1 frames the economics as two opposing curves: "the cost for disruption" rises the longer an outage runs, while "the cost to recover" rises as the recovery time shortens (NIST SP 800-34 Rev. 1, §3.2.1[1]). Where the two curves cross is the cost-balance point, and the RTO that sits there is the optimum. NIST is explicit about the two ends of the spectrum: "a short RTO (system recovery within minutes)" typically requires expensive options such as "system mirroring and alternate site facilities," whereas "a longer RTO ... can be accomplished by less expensive solutions such as tape backup" (NIST SP 800-34 Rev. 1, §3.2.1[1]). This is why the CISSP-correct strategy is the least expensive solution that still satisfies the requirement: a hot site for a process whose MTD is a week is over-engineered waste, and a tape-only strategy for a process needing minutes of RTO is negligent under-provisioning.
Two dimensions, two controls
Throughout this page, hold two dimensions separate because two different controls serve them. Time-to-recover is served by the recovery site (cold/warm/hot/mobile/cloud): that is the RTO dimension. Data-loss tolerance is served by the backup and replication regime: that is the RPO dimension. A team can over-invest in one and forget the other; the durable design names both targets first, then picks a site to meet the RTO and a backup cadence to meet the RPO. The figure below holds those two dimensions side by side: each is served by a different control, so name both targets before choosing either.
Recovery site types: the cold-warm-hot spectrum, plus mobile and cloud
This section covers the alternate-site decision, the most heavily tested part of recovery strategy. Read the cost-balance idea above first; every site type is a different point on that curve. The mechanics here are which equipment each type pre-stages and, therefore, how long activation takes.
One spectrum, defined by how much you pre-stage
All four classic site types answer one question (how much do you install and keep current in advance?) and the answer fixes both cost and activation time. NIST SP 800-34 Rev. 1 defines the canonical types (NIST SP 800-34 Rev. 1, §3.4.2[1]):
- Cold site: environmental support only: "adequate space and infrastructure (electric power, telecommunications connections, and environmental controls)" but no IT equipment and no current data. Cheapest to retain, but activation is measured in weeks because you must procure, install, configure, and load data before it can run; a cold site is therefore paired with offsite backups to supply that data on activation.
- Warm site: "partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources." Hardware is staged but data must be restored from backups, so activation runs hours to days at moderate standing cost.
- Hot site: "office spaces appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel." Kept continuously synchronized with production data, so it takes over in minutes to hours, the fastest and the most expensive.
- Mobile site: "self-contained, transportable shells custom-fitted with ... telecommunications and IT equipment" delivered to a chosen location. The right tool when the building itself is unusable, the site must be relocated, or the location is remote; activation depends on transport and connection time.
The ordering to memorize cold: cost and recovery-speed both increase cold → warm → hot, and they move together (faster always costs more).
Cloud and DRaaS: the modern point on the same curve
Cloud recovery, including Disaster-Recovery-as-a-Service (DRaaS), is not a fifth philosophy; it is the same spectrum delivered as pay-per-use capacity. Because compute is provisioned on demand, a cloud strategy can behave like a warm or hot site (replicate continuously for near-zero RTO, or hold images and spin up on failover for a longer RTO) while paying mostly for storage until the disaster, when full compute is invoked. Cloud also delivers geographic separation by default through provider regions/zones. For example, AWS describes Availability Zones as "multiple, isolated locations" within a Region and notes that launching across multiple zones "protect[s] your applications from the failure of a single location" (AWS: Regions and Availability Zones[2]). The catch is the same as any backup: a cloud target must be restore-tested against the RTO, because egress and rehydration time are real.
Multiple processing sites and reciprocal agreements
Two related strategies round out the site picture. Multiple (redundant) processing sites means running the workload across two or more facilities the organization already operates, so that if one is lost the others carry the load. When both run live and share the workload (active/active), failover is effectively instantaneous and the second site earns its keep every day rather than sitting idle: the strongest, and most expensive, posture. A reciprocal agreement (mutual aid pact) is the opposite end: two organizations agree to host each other's processing in an emergency. It is cheap but unreliable at disaster scale: the partner may lack spare capacity, hardware/software may be incompatible, a regional event can hit both parties at once, and hosting a competitor's data raises confidentiality concerns. NIST notes reciprocal agreements and memoranda of understanding among alternate-site options but they are widely treated as a last resort, not a primary strategy (NIST SP 800-34 Rev. 1, §3.4.2[1]).
Backup storage strategies and the resilience controls that prevent outages
This section covers the two controls that serve dimensions the site does not: backups (the RPO/data dimension) and resilience (avoiding the outage entirely). Read the two-dimensions framing from the first section first: a site answers how fast, backups answer how much data, resilience answers can we skip recovery altogether.
Backup storage location: onsite, offsite, and cloud
Where a backup lives decides whether it survives the disaster that destroyed production. Onsite backups give the fastest restore for everyday recovery (a deleted file, a corrupt database) but share the fate of the primary in a fire, flood, or site-wide ransomware event. Offsite backups (physically distant media or a remote facility) survive the local disaster, which is exactly why NIST states it plainly: "It is good business practice to store backed-up data offsite," and the first criterion for choosing an offsite facility is "distance from the organization and the probability of the storage site being affected by the same disaster as the organization's primary site" (NIST SP 800-34 Rev. 1, §3.4.2[1]). Cloud storage is the modern offsite tier: it adds geographic separation by default and removes the courier/tape-rotation overhead, at the price of restore time bounded by network egress.
The durable rule the exam expects is 3-2-1: keep at least three copies of the data, on two different media types, with at least one copy offsite, the widely taught industry formulation of the same offsite principle. The offsite copy is the load-bearing element; an onsite-only backup is the most common recovery-design failure because one event takes both the data and its only copy. Whatever the location, NIST is explicit that the copy must be proven restorable: "Backup tapes should be tested regularly to ensure that data are being stored correctly and that the files may be retrieved without errors or lost data" (NIST SP 800-34 Rev. 1, §3.4.2 n.25[1]).
Backup types: the backup-time vs restore-time trade
The three backup methods differ in what they copy, which sets a direct trade between how long the backup takes and how long the restore takes:
| Method | What it copies | Backup time | Restore time | Archive bit |
|---|---|---|---|---|
| Full | All selected data, every run | Longest | Shortest (one set) | Clears it |
| Incremental | Only data changed since the last backup of any kind | Shortest | Longest (full + every increment in order) | Clears it |
| Differential | All data changed since the last full backup | Grows each day | Medium (full + one differential) | Leaves it set |
The testable contrast: incremental minimizes nightly backup time but a restore needs the last full plus every incremental in sequence; differential takes longer each night (it re-copies everything changed since the full) but a restore needs only the last full plus one differential. The archive-bit behavior is the classic discriminator: incremental and full clear the archive bit, differential does not, which is the mechanism behind "since last backup" vs "since last full."
Resilience, high availability, and fault tolerance: not synonyms
Resilience controls absorb a component failure so you never invoke a site or a restore at all, but the exam separates two promises. Fault tolerance means a component can fail with zero interruption: a redundant element carries the load transparently. High availability (HA) means the service is restored so quickly that downtime is minimal, typically through clustering and automatic failover, but not necessarily zero. The distinction is testable: a fault-tolerant design tolerates the failure invisibly; an HA design recovers from it fast.
The workhorse fault-tolerance technology for storage is RAID (Redundant Array of Independent Disks), which keeps data available across a disk failure. NIST lists RAID among the redundancy and fault-tolerance processes that "store data on more than one drive and eliminate loss of data from single drive failures" (NIST SP 800-34 Rev. 1, §5.1.3 / §5.3.3[1]). Know the common levels: RAID 0 stripes for performance and provides no redundancy (a single disk loss destroys the array, a deliberate trap); RAID 1 mirrors; RAID 5 stripes with one parity block and survives one disk failure; RAID 6 uses double parity and survives two; RAID 10 mirrors then stripes for both speed and redundancy. RAID protects against disk failure: it is not a backup, because it faithfully replicates deletion, corruption, and ransomware to every mirror.
Quality of Service (QoS) is the availability control for the network: it reserves bandwidth for and prioritizes critical traffic so that, under contention, a flood of low-priority traffic cannot starve the systems that must stay up. The unifying design lesson across all of these: redundancy at one layer does not imply redundancy at another. A fault-tolerant RAID array on a server with a single power supply and one network uplink is still a single point of failure: true resilience eliminates the SPOF at every layer the service depends on. The figure below groups these resilience controls into their three families, each promising something different.
Exam-pattern recognition
This section maps question shapes to the right answer. Read the others first; this is the pattern layer.
Pattern 1, "Given this RTO, which site?" A stem states an RTO (or MTD) and asks for the recovery site. Map it: near-zero / minutes → hot site (or multiple active processing sites); hours-to-days → warm site; days-to-weeks with cost pressure → cold site. The trap is picking the fastest site regardless of cost: the CISSP-correct answer is the least expensive option that still meets the RTO, per the cost-balance point (NIST SP 800-34 Rev. 1, §3.2.1[1]).
Pattern 2, "Cheapest vs fastest activation." A stem asks which site is cheapest to maintain (answer: cold) or which activates fastest (answer: hot). Hold the two ends straight: cold = cheapest to hold but slowest to activate; hot = costliest to hold but fastest to activate; warm is the middle on both. The trap conflates standing cost with activation speed: they move in opposite directions across the spectrum.
Pattern 3, "The backup didn't survive the disaster." A stem describes a fire/flood/ransomware that destroyed both production and its backup, then asks what the design got wrong. Answer: the backup was onsite only; the fix is an offsite/cloud copy and the 3-2-1 rule. The trap is an answer that adds more onsite copies or a bigger array, which does nothing against a site-wide event.
Pattern 4, "Fastest restore vs smallest nightly window." A stem optimizes the backup schedule. Smallest nightly backup window → incremental (copies only since the last backup). Fastest/simplest restore → differential (restore needs only the last full plus one differential) or, simplest of all, a recent full. The trap is choosing incremental for fast recovery: incremental has the slowest restore because you replay the full plus every increment in order.
Pattern 5, "RAID is not a backup." A stem presents a RAID array and a deletion/corruption/ransomware event and asks whether RAID covers it. Answer: no, RAID protects against disk hardware failure only and faithfully replicates logical damage to every mirror. The trap is treating RAID 0 as protective (it has no redundancy) or treating any RAID level as a substitute for offsite backups.
Pattern 6, "Fault tolerance vs high availability." A stem describes a requirement for zero interruption versus minimal downtime. Zero interruption on component failure → fault tolerance (redundant component takes over transparently). Fast recovery via clustering/failover, downtime minimized but not zero → high availability. The trap uses the two terms as synonyms; the exam rewards the candidate who keeps the promises distinct.
Pattern 7, scope boundaries. A stem that asks how to derive the RTO/RPO or rank process criticality is business-continuity (the BIA), not this subtopic; a stem about executing the failover and failback during the disaster is disaster-recovery; a stem about proving the plan works with tabletop/parallel/full-interruption tests is dr-testing. Recovery strategy owns only the selection of site, backup regime, and resilience controls against the targets it was handed.
Alternate recovery site types: cost vs. activation time vs. RTO fit
| Site type | Equipment & data | Activation time | Relative cost | RTO it fits |
|---|---|---|---|---|
| Cold site | Space, power, cooling, connectivity only: no hardware, no data | Weeks (procure, install, load) | Lowest | Long (days–weeks) |
| Warm site | Hardware and connectivity staged; data restored from backups | Hours–days | Moderate | Moderate (hours–days) |
| Hot site | Fully equipped, continuously data-synchronized mirror | Minutes–hours | Highest | Near-zero (minutes–hours) |
| Mobile site | Transportable self-contained unit; capability varies by fit-out | Hours–days (transport + connect) | Variable | When the building/location itself is the problem |
| Cloud / DRaaS | Provider-hosted capacity, pay-as-you-go; warm-to-hot by configuration | Minutes–hours | Pay-per-use (low standing cost) | Configurable, often near-zero |
| Reciprocal agreement | Borrowed capacity at a peer org; no dedicated equipment | Uncertain (depends on peer's spare capacity) | Lowest (mutual aid) | Unreliable: rarely a primary strategy |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the cheapest recovery option that still meets the RTO, not the fastest one available
A recovery strategy is funded against requirements set upstream by the BIA, so the correct choice is the least expensive solution that still satisfies the RTO. NIST SP 800-34 frames this as a cost-balance point: the cost of disruption rises the longer an outage runs, while the cost to recover rises as the RTO shortens, and the optimum sits where the two curves cross. A hot site for a process whose RTO is a week is wasteful over-provisioning, just as tape-only is negligent under-provisioning for a process needing minutes.
Trap Choosing the fastest-recovering site regardless of cost when the stem only asks for a strategy that meets the stated RTO.
3 questions test this
- A regional nonprofit runs its donor management system on aging in-house servers and operates under a severely constrained IT budget. A…
- An organization is evaluating the cost implications of different disaster recovery site strategies. The disaster recovery committee wants…
- A medium-sized company is evaluating disaster recovery options for their non-critical development systems. Budget constraints are…
- RTO drives site choice; RPO drives backup cadence: two dimensions, two controls
Time-to-recover is served by the recovery site (cold/warm/hot/mobile/cloud) and is the RTO dimension; data-loss tolerance is served by the backup or replication regime and is the RPO dimension. A durable design names both targets, then picks a site to meet the RTO and a backup frequency to meet the RPO. Over-investing in one while ignoring the other is a common design gap: a hot site with weekly backups still loses a week of data.
Trap Upgrading the recovery site to shrink the RPO when only the backup or replication cadence moves the RPO; a faster site cuts the RTO but recovers no fresher data.
4 questions test this
- A bank's continuity team is defining the backup approach for a loan-processing database where the business has set a recovery point…
- A security professional is analyzing the results of a parallel simulation test where systems were recovered to an alternate site while…
- A financial services company has completed its Business Impact Analysis and determined that its core trading platform requires a Recovery…
- An organization's business impact analysis indicates that critical financial systems can tolerate a maximum of 4 hours of data loss and…
- Cold, warm, and hot sites are one spectrum: cost and recovery speed rise together
The three classic alternate sites differ only in how much you pre-stage. A cold site has space, power, cooling, and connectivity but no installed hardware or current data, so it is cheapest to keep but takes weeks to activate. A hot site is fully equipped and continuously data-synchronized, so it activates in minutes to hours but costs the most. A warm site stages hardware and connectivity while data restores from backups, activating in hours to days at moderate cost. Faster recovery always costs more, moving cold to warm to hot.
Trap Conflating standing cost with activation speed: cold is cheapest to hold but slowest to activate, while hot is the opposite; they move in opposite directions.
8 questions test this
- A regional nonprofit runs its donor management system on aging in-house servers and operates under a severely constrained IT budget. A…
- The CISO of a high-frequency trading firm is selecting a disaster recovery strategy for its order-matching platform, where the board has…
- A mid-sized insurer is choosing a recovery site for its claims-processing application. The business impact analysis sets a recovery time…
- An organization is selecting an alternate processing site and has determined through their BIA that mission-critical applications require…
- A financial services company has completed its Business Impact Analysis and determined that its core trading platform requires a Recovery…
- An organization is evaluating the cost implications of different disaster recovery site strategies. The disaster recovery committee wants…
- A medium-sized company is evaluating disaster recovery options for their non-critical development systems. Budget constraints are…
- An organization's business impact analysis indicates that critical financial systems can tolerate a maximum of 4 hours of data loss and…
- Use a mobile site when the building or location itself is the problem
A mobile site is a self-contained, transportable shell (often a trailer) fitted with the telecommunications and IT equipment a system needs, delivered to a chosen location. It is the right answer when the primary facility is destroyed or inaccessible, the operation must relocate, or the site is remote: situations a fixed cold/warm/hot site does not address. NIST notes a mobile site can often be delivered within about 24 hours, though installation and setup add to that response time.
Trap Reaching for a fixed hot site when the stem's problem is that the location itself is lost or inaccessible; a transportable mobile site is what addresses relocation, not a faster fixed facility.
- A mirrored or multi-active-site setup gives near-100% availability at the highest cost
A mirrored site is a fully redundant facility with automated real-time data mirroring, identical to the primary in all technical respects, and is the most expensive option but ensures virtually 100% availability. Running across multiple active processing sites the organization already operates achieves the same near-instant failover and earns its keep daily rather than sitting idle. Reach for this only when the RTO is near zero and the process criticality justifies the standing cost.
Trap Selecting a mirrored site for a process whose RTO is hours or days; its near-100% availability is real but the standing cost is unjustified over-provisioning unless the RTO is near zero.
- Cloud and DRaaS are the same site spectrum delivered as pay-per-use capacity
Cloud recovery, including Disaster-Recovery-as-a-Service (DRaaS), is not a separate philosophy but the cold-warm-hot spectrum sold on demand: replicate continuously for a hot-site-like near-zero RTO, or hold images and spin up on failover for a longer RTO, paying mostly for storage until the disaster. Cloud also delivers geographic separation by default through provider regions and zones. The catch is the same as any backup: restore time bounded by network egress must be tested against the RTO.
Trap Assuming cloud or DRaaS guarantees a near-zero RTO by default when a storage-only, spin-up-on-failover tier recovers no faster than the egress and rebuild time it actually takes.
- A reciprocal agreement is cheap but unreliable, so it is rarely the BEST answer
A reciprocal agreement (mutual-aid pact) has two organizations agree to host each other's processing in an emergency; it costs little and needs no dedicated facility. But it is fragile at disaster scale: the partner may lack spare capacity, hardware and software may be incompatible, a regional event can hit both parties at once, and hosting a peer's data raises confidentiality concerns. It is widely treated as a last resort, not a primary strategy.
Trap Selecting a reciprocal agreement as the primary recovery strategy when a dedicated alternate site is among the options: its capacity and availability cannot be relied on in a real disaster.
- Store at least one backup copy offsite, because an onsite-only backup dies with the data it protects
It is standard practice, and NIST guidance, to store backed-up data offsite, because an onsite-only copy is destroyed by the same fire, flood, or site-wide ransomware that destroys production. When selecting an offsite facility the first criterion is geographic distance and the probability of the storage site being hit by the same disaster as the primary. Onsite copies still earn their place for fast everyday restores (a deleted file), but they cannot be the only copy.
Trap Adding more onsite backup copies or a bigger disk array as the fix for a site-wide disaster: neither survives an event that destroys the whole facility.
- Follow the 3-2-1 rule: three copies, two media types, one offsite
The widely taught backup rule is 3-2-1: keep at least three copies of the data, on two different media types, with at least one copy stored offsite. The offsite copy is the load-bearing element that survives a local disaster; the two-media requirement guards against a single media-type failure mode. Cloud storage is the modern way to satisfy the offsite leg while adding geographic separation by default.
Trap Counting three copies on a single disk array or media type as satisfying 3-2-1; the rule also requires two different media and one offsite copy, which a single array meets neither of.
- A backup is only a recovery capability if its restore is tested against the RTO
NIST is explicit that backup tapes should be tested regularly to confirm data is stored correctly and files can be retrieved without errors or loss. A copy that cannot be restored within the RTO, because the media is unreadable, the job was incomplete, or egress is too slow, is not a recovery capability, only a false sense of one. Restore testing belongs to every backup tier, including cloud.
Trap Treating a successful backup job or a green backup log as proof of recoverability when only a tested restore confirms the data is readable and recoverable within the RTO.
- Incremental minimizes backup time but has the slowest restore; differential is the reverse
An incremental backup copies only data changed since the last backup of any kind, so it is the fastest to take but a restore needs the last full plus every incremental replayed in order. A differential copies all data changed since the last full backup, so each one grows over time but a restore needs only the last full plus a single differential. The trade is direct: shortest backup window (incremental) costs the longest restore, and vice versa.
Trap Choosing incremental backups to get a fast recovery: incremental has the slowest restore because you must apply the full plus every increment in sequence.
- Full and incremental backups clear the archive bit; differential does not
The archive bit is the mechanism behind 'since last backup' versus 'since last full.' Full and incremental backups clear the archive bit when they run, so the next incremental only captures what changed afterward. A differential leaves the archive bit set, which is why every differential keeps capturing everything changed since the last full until a new full resets the baseline. A full backup copies everything and gives the fastest, single-set restore.
Trap Assuming a differential backup clears the archive bit like an incremental does; a differential leaves it set, which is exactly why each differential keeps re-capturing everything since the last full.
- RAID protects against disk failure, but it is not a backup
RAID (Redundant Array of Independent Disks) keeps data available across a physical disk failure, but it faithfully replicates deletion, corruption, and ransomware to every mirror in real time, so it cannot stand in for backups. It defends only the disk-hardware layer; logical data loss still requires a restorable, ideally offsite, backup. Treat RAID as availability for disks and backup as the recovery-from-data-loss control: they are not interchangeable.
Trap Treating a RAID array as a substitute for offsite backups: RAID copies a malicious deletion or ransomware encryption to every disk instantly.
- Know the common RAID levels, and that RAID 0 has no redundancy
RAID 0 stripes data for performance and provides no redundancy, so losing one disk destroys the array: a deliberate exam trap because the name implies protection. RAID 1 mirrors; RAID 5 stripes with single parity and survives one disk failure; RAID 6 uses double parity and survives two; RAID 10 mirrors then stripes for both speed and redundancy. Match the level to whether the requirement is performance, fault tolerance, or both.
Trap Assuming RAID 0 adds fault tolerance because it is a RAID level: RAID 0 is pure striping with zero redundancy and a single disk loss wipes the array.
- Fault tolerance means zero interruption; high availability means minimal downtime
Fault tolerance lets a component fail with zero interruption because a redundant element carries the load transparently (mirrored disks, dual power supplies). High availability (HA) instead restores the service fast, typically through clustering and automatic failover, so downtime is minimal but not strictly zero, which NIST scopes as achieving roughly 99.999% uptime or better. The two are not synonyms: a requirement for no interruption at all calls for fault tolerance, while a requirement for fast recovery from failure calls for HA.
Trap Using fault tolerance and high availability interchangeably: the exam rewards distinguishing zero-interruption (fault tolerance) from minimized-but-nonzero downtime (HA).
- Use QoS to keep critical traffic alive when the network is congested
Quality of Service (QoS) is the availability control for the network: it reserves bandwidth for and prioritizes critical traffic so that, under contention, a flood of low-priority traffic cannot starve the systems that must stay up. It protects availability at the transport layer the way RAID and clustering protect it at the storage and compute layers. QoS does not add capacity: it allocates scarce capacity to what matters most.
Trap Reaching for QoS to solve a network that is genuinely under-provisioned; QoS only prioritizes existing bandwidth under contention and adds no capacity, so a saturated link still needs more bandwidth.
- Redundancy at one layer does not eliminate a single point of failure at another
True resilience removes the single point of failure (SPOF) at every layer the service depends on, not just the one that is easy to harden. A fault-tolerant RAID array on a server with one power feed and one network uplink is still a SPOF, because the power or the uplink can take the whole system down regardless of the disks. Audit each dependency (disk, power, network, site) and add redundancy wherever a single failure halts the service.
Trap Declaring a system resilient because one layer is redundant; a fault-tolerant disk array still fails entirely on a single power feed or network uplink that was never made redundant.
- Write-ahead logging plus transaction logs deliver point-in-time recovery and roll back incomplete transactions
Write-ahead logging (WAL) records each change in the log on durable storage before the data file is modified, which is what guarantees committed transactions survive a crash (the durability in ACID). On restart, recovery analyzes the log from the last checkpoint to find transactions in flight, replays committed log records forward to reach a chosen timestamp (point-in-time recovery), and undoes the operations of incomplete transactions to restore a consistent state. A damaged or un-backed-up tail of the log means everything since the last log backup is unrecoverable.
Trap Assuming a full database backup alone enables point-in-time restore: without the transaction-log chain you can only recover to the backup instant, losing every change since.
6 questions test this
- A database administrator discovers that a critical financial database experienced an unexpected shutdown during a large transaction. When…
- During a ransomware incident response, the security team determines they must restore a critical production database to a state from 4…
- An organization needs to implement a database recovery strategy that allows restoration to any point within the last 7 days. The security…
- An organization experiences a server failure during a large batch data import operation. After restoring hardware, the database…
- A database experiences corruption at 3:15 PM. The DBA discovers the active transaction log is damaged but the transaction log backup taken…
- A database transaction that was modifying sensitive customer records failed halfway through execution due to a constraint violation. The…