Recovery procedures for an information processing facility are best based on which objective?

Prepare for the CISA Domain 4 Exam with tailored quizzes. Enhance your auditing skills with detailed explanations and practice multiple-choice questions for cybersecurity professionals. Optimize your study time and ensure success!

The appropriate objective for recovery procedures in an information processing facility is grounded in the Recovery Time Objective (RTO). RTO represents the maximum acceptable amount of time that an application can be down after a disaster occurs. Establishing recovery procedures based on RTO ensures that an organization plans its recovery capabilities effectively, aiming to restore operations within a timeframe that aligns with business needs.

By focusing on RTO, organizations prioritize their recovery efforts towards minimizing downtime, thereby helping them maintain operational efficiency and service availability. This objective is critical as it helps define the urgency of recovery efforts, informs resource allocation, and shapes the overall disaster recovery strategy.

Other options, while relevant in the broader context of disaster recovery, do not directly govern how recovery procedures are formulated. The Recovery Point Objective (RPO) focuses on data loss, indicating how much data can be lost, while the Maximum Tolerable Outage (MTO) refers to the longest period an organization can tolerate a disruption. The Information Security Policy provides overarching governance for information security practices but does not specifically guide recovery procedures for an information processing facility. Thus, establishing recovery procedures based on RTO sets a clear, time-focused framework for restoring critical services and functions after an incident.
