Operational Recovery Planning

1
Operational Recovery Planning

• Presented by the California State Information
  Security Office

2
State Information Security Office

• Vision
• Leading the way to secure the State's
  information assets.
• Mission
• To manage security and operational recovery
  risk for the State's information assets by
  providing statewide direction and leadership.

3
Definitions

• Emergency Response
• Business Continuity Planning (BCP)
• Operational Recovery Planning (ORP)
• Continuity of Operations (COOP)
• Continuity of Government (COG)

4
Emergency Response

• The immediate reaction and response to an
  emergency situation commonly focusing on ensuring
  life safety and reducing the severity of the
  incident.
• Definition from Disaster Recovery Journal (DRI)
  website at http//www.drj.com/glossary/

5
Business Continuity Planning (BCP)

• Process of developing and documenting
  arrangements and procedures that enable an
  organization to respond to an event that lasts
  for an unacceptable period of time and return to
  performing its critical functions after an
  interruption.
• Similar terms  business resumption plan,
  continuity plan, contingency plan, disaster
  recovery plan, recovery plan.
• Definition from Disaster Recovery Journal (DRI)
  website at http//www.drj.com/glossary/

6
Operational Recovery Planning (ORP)

• DISASTER RECOVERY PLAN (also known as -
  Operational Recovery Plan) 
• The management approved document that defines
  the resources, actions, tasks and data required
  to manage the technology recovery effort. 
  Usually refers to the technology recovery
  effort.  This is a component of the Business
  Continuity Management Program. 
• Definition from Disaster Recovery Journal (DRI)
  website at http//www.drj.com/glossary/

7
Continuity of Operations (COOP)

• Continuity of Operations (COOP) The activities
  of individual departments and agencies and their
  sub-components to ensure that their essential
  functions are continued under all circumstances.
  This includes plans and procedures that delineate
  essential functions specify succession to office
  and the emergency delegation of authority
  provide for the safekeeping of vital records and
  databases identify alternate operating
  facilities provide for interoperable
  communications and validate the capability
  through tests, training, and exercises.
• Office of Emergency Services (OES)

8
Continuity of Government (COG)

• The preservation, maintenance, or reconstitution
  of the institution of government. It is the
  ability to carry out an organizations
  constitutional responsibilities. This is
  accomplished through succession of leadership,
  the pre-delegation of emergency authority and
  active command and control.
• Office of Emergency Services (OES)

9
Relationship of Plans
10
Inter-Dependencies
11
Three Phases of Continuity
Departments
Emergency Response - Life Safety First 72 Hours
IT Operational Recovery up to 30 days
Restoration Business back to normal
Planning, Documenting, Testing, and Training
Business Recovery up to 30 days
Damage Assessment First 72 hours
Phase I
Phase II
Phase III
12
IMPLEMENTATION OF PLANS

• Disruption of business occurs and you are
  informed, next steps
• 1. Emergency Response safety and
• security of staff.
• 2. Securing the site.
• 3. Activate COOP/COG Plan to ensure the
  continuation of essential functions.
• 4. Implementation of the communication plan.
• 5. After assessing incident, determine if
  implementation of BCP ORP is required.
• 6. Contact SISO to report incident.
• 7. Implement BCP and ORP

13
Strategies of Implementation

• Business Continuity and Operational Recovery
  Plans should be invoked when there is an
• Incident that affects an essential business
  function that exceeds the maximum allowable
  outage (MAO). For example
• System Availability major virus infection
  requiring systems or applications to be shut down
  (denial of service).
• Communication disruption connection with DTS is
  disrupted.
• Fire, flood, or other natural or man-made
  catastrophe that disrupts your essential business
  functions.

14
ORP Documentation Revised

• Components to be included in the ORP were updated
  in January 2007
• The changes must be included in the ORPs filed
  with the SISO beginning in October 2007.
• Training classes have been scheduled on the
  changes made to the ORP.

15
New Requirements

• ORPs must describe
• Agency Administrative Information
• Critical Business Functions/Applications
• Recovery Strategy
• Backup and Offsite Storage Procedures
• Operational Recovery Procedures
• Data Center Services
• Resource Requirements
• Assignment of Responsibility
• Contact Information
• Testing

16
Supplemental Requirements

• Agencies that have not developed and implemented
  a full business continuity plan or COOP/COG must
  also address and include the following in their
  plan
• Damage Recognition and Assessment
• Mobilization of Personnel
• Primary Site Restoration and Relocation

17
State IT Strategic Plan Action Item

• To align the ORP and COOP/COG, a work group has
  been established to
• review processes
• define terminology
• evaluate reporting requirements

18
Resources

• SISO web site http//www.infosecurity.ca.gov/ORP/
  
• Budget Letter 07-03 ORP Policy Changes
• http//www.dof.ca.gov/OTROS/StatewideIT/IT_BdgtLtt
  rs.asp
• ORP SIMM 65A http//www.infosecurity.ca.gov/Pol
  icy/
• ORP Training Schedule
• http//www.infosecurity.ca.gov/Training/

19
Contact Us

• Rosa.Umbach_at_dof.ca.gov
• (916) 445-1777 ext 3242
• SISO Office
• email security_at_dof.ca.gov
• Telephone (916) 445-5239
• www.infosecurity.ca.gov