Operational Recovery Planning - PowerPoint PPT Presentation

1 / 53
About This Presentation
Title:

Operational Recovery Planning

Description:

Operational Recovery Planning Presented by the California State Information Security Office Agenda Introductions name and agency CA State Information Security ... – PowerPoint PPT presentation

Number of Views:246
Avg rating:3.0/5.0
Slides: 54
Provided by: cag85
Category:

less

Transcript and Presenter's Notes

Title: Operational Recovery Planning


1
Operational Recovery Planning
  • Presented by the California State Information
    Security Office

2
Agenda
  • Introductions name and agency
  • CA State Information Security Office
  • Definitions
  • Four Types of Continuity Plans
  • Review of BL 07-03 ORP Changes
  • ORP-COOP/COG Alignment
  • Discuss Test Scenarios

3

4
State Information Security Office
  • Vision
  • Leading the way to secure the State's
  • information assets.
  • Mission
  • To manage security and operational
  • recovery risk for the State's
  • information assets by providing
  • statewide direction and leadership.

5
Definitions
  • Emergency Response
  • Business Continuity Planning (BCP)
  • Operational Recovery Planning (ORP)
  • Continuity of Operations (COOP)
  • Continuity of Government (COG)

6
Emergency Response
  • The immediate reaction and response to an
    emergency situation commonly focusing on ensuring
    life safety and reducing the severity of the
    incident.
  • Definition from Disaster Recovery Journal (DRI)
    website at http//www.drj.com/glossary/

7
Business Continuity Planning (BCP)
  • Process of developing and documenting
    arrangements and procedures that enable an
    organization to respond to an event that lasts
    for an unacceptable period of time and return to
    performing its critical functions after an
    interruption.
  • Similar terms  business resumption plan,
    continuity plan, contingency plan, disaster
    recovery plan, recovery plan.
  • Definition from Disaster Recovery Journal (DRI)
    website at http//www.drj.com/glossary/

8
Operational Recovery Planning (ORP)
  • The management approved document that defines the
    resources, actions, tasks and data required to
    manage the technology recovery effort.  Usually
    refers to the technology recovery effort.  This
    is a component of the Business Continuity
    Management Program. 
  • DISASTER RECOVERY PLAN (also known as
    Operational Recovery Plan)
  • Definition from Disaster Recovery Journal (DRI)
    website at http//www.drj.com/glossary/

9
Continuity of Operations (COOP)
  • The activities of individual departments and
    agencies and their sub-components to ensure that
    their essential functions are continued under all
    circumstances. This includes plans and
    procedures that delineate essential functions
    specify succession to office and the emergency
    delegation of authority provide for the
    safekeeping of vital records and databases
    identify alternate operating facilities provide
    for interoperable communications and validate
    the capability through tests, training, and
    exercises.
  • Office of Emergency Services (OES)

10
Continuity of Government (COG)
  • The preservation, maintenance, or reconstitution
    of the institution of government. It is the
    ability to carry out an organizations
    constitutional responsibilities. This is
    accomplished through succession of leadership,
    the pre-delegation of emergency authority and
    active command and control.
  • Office of Emergency Services (OES)

11
Relationship of Plans
12
Inter-Dependencies
13
Three Phases of Continuity
Departments
Emergency Response - Life Safety First 72 Hours
Restoration Business back to normal
IT Operational Recovery up to 30 days
Planning, Documenting, Testing, and Training
Business Recovery up to 30 days
Damage Assessment First 72 hours
Phase I
Phase II
Phase III
14
IMPLEMENTATION OF PLANS
  • Disruption of business occurs and you are
    informed, next steps
  • 1. Emergency Response safety and security of
    staff.
  • 2. Securing the site.
  • 3. Activate COOP/COG Plan to ensure the
    continuation of essential functions.
  • 4. Implementation of the communication plan.
  • 5. After assessing incident, determine if
    implementation of BCP ORP is required.
  • 6. Contact SISO to report incident.
  • 7. Implement BCP and ORP

15
Budget Letter 07-03
  • SAM Section 4843 Operational Recovery Planning
  • Use results from risk analysis and business
    impact analysis to identify critical business
    functions.
  • Include the operational recovery considerations
    and costs in FSRs.
  • Develop ORP as part of a complete continuity
    program.

16
Budget Letter 07-03 Continued
  • SAM Section 4843.1 Agency Operational Recovery
    Plan
  • Rewritten to clarify and enhance operational
    recovery requirements.
  • Removal of minimum components from policy.
  • SIMM 65A ORP Documentation for Agencies
    Preparation Instructions
  • Requires ten minimum components in ORP.
  • Additional three components for agencies without
    a BCP or COOP/COG.

17
ORP Documentation Revised
  • Components to be included in the ORP updated in
    January 2007.
  • The April and July quarterly filers must provide
    a cover sheet indicating where the information
    for each topic area in SIMM 65A is located in the
    agencys Operational Recovery Plan.
  • All components listed in SIMM 65A must be
    addressed and included in agencies ORPs
    beginning in October 2007.

18
Changes for ORP Development
  • Overall
  • Requires more details
  • New Components
  • Backup and offsite storage
  • Data Center Services
  • Contact information
  • Removed from SAM and Policy
  • Damage Recognition
  • Preparation of cost-benefit analysis
  • Selection of alternative
  • SIMM Section 140A

19
New Requirements
  • ORPs must describe
  • Agency Administrative Information
  • Critical Business Functions/Applications
  • Recovery Strategy
  • Backup and Offsite Storage Procedures
  • Operational Recovery Procedures
  • Data Center Services
  • Resource Requirements
  • Assignment of Responsibility
  • Contact Information
  • Testing

20
Supplemental Requirements
  • Agencies that have not developed and implemented
    a full business continuity plan or COOP/COG must
    also address and include the following in their
    ORP
  • Damage Recognition and Assessment
  • Mobilization of Personnel
  • Primary Site Restoration and Relocation

21
Agency Administrative Information
  • A communication plan should include strategy on
  • How information will flow (escalation)
  • Decision making processes
  • Interrelationship among agency resources for
    response, recovery and resumption

22
Example - Escalation Process
  • Single site, minor impact. User calls into Help
    Desk with possible virus infection. Communication
    Plan strategy includes
  • Process to dispatch field support to check PC
  • If infected, take steps to identify and
    quarantine
  • notify ISO and IT Management
  • Eradicate virus
  • Verify virus has not spread

23
What would you do?
  • Multiple site, major impact. The virus outbreak
    has spread from your headquarters to your remote
    offices and is running rampant. The anti-virus
    software will not eradicate it and all the
    systems in your agency are being impacted.
  • What would your communication plan need to
    include?

24
Communication Plan
  • Document
  • Who to contact and under what circumstances
  • Lists name, phone , cell , home , email
    address
  • Includes Chain of Command Management, other
    pertinent staff (ISO, ORP Coordinator, etc), and
    contractors
  • Distribute to applicable staff
  • Providing training to staff
  • Collect when duties change or staff leaves

25
Sample Call Lists
  • Wallet size cards
  • Name, work , cell , home , email
  • Call Tree
  • Manager calls supervisor
  • Supervisor calls his/her staff

26
Critical Business Functions/Applications
  • This section includes a description of
  • Critical business functions and their supporting
    applications
  • Maximum Allowable Outage (MAO) for each
    application
  • Recovery priorities

27
Example - Critical Business Function
  • Single site, minor impact. Help Desk identifies
    that the services on the email server are not
    working. As a critical business function,
    recovery strategy includes
  • Process for IT staff to check services
  • If denial of service, follow internal procedures
    to identify and mitigate.
  • Notify ISO and IT Management

28
What would you do?
  • Multiple site, major impact. The email server has
    crashed, there are both hardware and software
    failures. Rebuilding the server will require
    replacement hardware, which will take several
    days to acquire and configure.
  • What would your Critical Business Functions /
    Applications need to include?

29
Procedures for Critical Functions
  • Document
  • Critical Business Functions
  • Recovery Procedures
  • Responsible individuals or team for recovery
  • Distribute procedures to applicable staff
  • Provide training

30
Sample Procedure
  • Repair/replace hardware
  • Restore database structure
  • Restore post office
  • Restore gateway connectivity
  • Rebuild database
  • Keep users/management informed

31
Recovery Strategy
  • Recovery strategy should include alternate
    recovery site/sites that include
  • Location of all sites
  • Requirements of facilities/equipment
  • Contact numbers

32
What would you do?
  • Single site, minor impact Your department is
    located in several locations. A building adjacent
    to one location has a fire, the fire did not
    spread to your site. The Fire Dept and Law
    Enforcement block the street, so there is no
    access into your building.
  • What would your recovery strategy need to
    include?

33
Recovery Strategy
  • Communication plan for employees, management, and
    contractors.
  • List all office locations.
  • Identify the alternate location. If multiple
    locations are available, prioritize them.
  • Address what functions could be restored at each
    site.
  • Determine who would need to be called, include as
    the contact list.

34
Sample Recovery Strategy
  • Department has three locations
  • 1234 Headquarters St., Sacto, 95814
  • 5678 Anywhere St., Sacto, 95825
  • 9876 SomePlace St., LA 90210
  • Critical operations would be restored at an
    unaffected site (identify priority and equipment
    needed).
  • Contact
  • J Resto at (916) 555-1212 for Headquarters
  • R Quick at (916) 444-1212 for Anywhere
  • M Pia at (213) 555-1212 for SomePlace

35
Backup and Offsite Storage
  • The backup and offsite storage procedures should
    include
  • Retention schedule
  • Procedures
  • List of authorized staff
  • Account information
  • Contacts of offsite storage

36
What would you do?
  • The data on one of your critical applications was
    corrupted and its MAO is 4 hours. It is 530 pm
    on Friday and Monday is a holiday. The business
    area have staff scheduled to work Saturday on
    this system. Technical staff has gone home, and
    several are out of town for the weekend.
  • What would your backup and offsite storage
    procedures need to include?

37
Details Backup and Offsite Storage
  • Document
  • Retention schedule
  • Detailed procedures
  • Hardware and software (include version)
  • Offsite storage details (location, acct )
  • Retrieval of backups (contacts (24x7) and
    personnel authorized to retrieve)
  • Process to identify data to be restored

38
Operational Recovery Procedures
  • These procedures systematically detail the
    operational procedures for recovery in a timely
    and orderly way, they should include
  • Detailed procedures that the backup or other IT
    professional could follow
  • High-level network diagram that includes all
    critical applications

39
Data Center Services
  • This section should include a
  • Description of service to be provided.
  • Interagency agreements, memorandums of
    understanding, or contracts.
  • Specific coordination efforts with the data
    center critical to the recovery efforts.

40
Example Minor Impact
  • Single site, minor impact. Your Web server
    providing access to one of your critical
    applications located at DTS has been compromised.
    You have contacted DTS and DTS is working to get
    the server back online within the hour.
  • What would your need to include?

41
What would you do?
  • Multiple site, major impact. There was a fire in
    a facility adjoining DTS facility where the
    servers are housed. The sprinkler system was
    activated and the servers had to be powered down.
    There is significant water damage. There is an
    estimate that it will take 14 to 21 days to
    reestablish services.
  • What would your plan need to include?

42
Details - Data Center Services
  • Expectations
  • Meet with Data Center to identify
  • Hardware/Software requirements
  • Services required
  • Timeframe for services
  • Document Agreement Before its needed
  • Create a Service Level Agreement (SLA) or
    Memorandum of Understanding (MOU)
  • Develop Recovery Procedures

43
Resource Requirements
  • This is a comprehensive list of
  • Equipment
  • Software
  • Telecommunication needs
  • Data
  • Hard copy manuals
  • Personnel essential for recovery

44
Assignment of Responsibility
  • Designation of responsibilities and assignments
    should be listed. Procedures should include job
    title, and not individual names, for the recovery
    process.
  • Individuals names can be placed in a single
    location for ease of maintenance.

45
Contact Information
  • There are two types of contact information to be
    collected
  • Employees, including management.
  • Resource List including contractors, Major
    Service providers, vendors, other government
    entities, and outside resources critical to the
    recovery process.

46
Contact List
  • Employee contact information should be designated
    as sensitive, and provided to authorized
    individuals.
  • Resource lists typically have business contact
    information. This information can be provided
    more widely.

47
Testing
  • Annual testing of the ORP is essential to
  • Ensure for training the management and recovery
    teams.
  • Validate that the procedures have the appropriate
    level of detail.
  • Verify Call Back lists are current.
  • Confirm that Recovery strategies are appropriate
    for your environment.

48
Governors Office of Emergency Services
  • Introduction
  • Mission and Goals of OES
  • SEMS/NIMS
  • Disaster Service Worker

49
Planning
  • Be Smart, Be Responsible. Be Prepared. Get Ready
    Campaign
  • Your Intranets and Emergency Preparedness
  • Executive Order S-04-06
  • State Emergency Plan /
  • COOP-COG/ORP

50
Training and Testing
  • Emergency Management Training Requirements for
    Public Employees
  • The California Specialized Training Institute
    (CSTI)/OES Training Branch
  • How to develop a Table Top Exercise (TTex)
  • Definition of a TTex
  • The 8 Step Process Used to Design a TTex
  • After Action/ Corrective Action Process
  • California Master Exercise Calendar (CMEX)

51
State IT Strategic Plan Action Item
  • To align the ORP and COOP/COG, a work group has
    been established to
  • review processes
  • define terminology
  • evaluate reporting requirements

52
Resources
  • SISO web site http//www.infosecurity.ca.gov/ORP/
  • Budget Letter 07-03 ORP Policy Changes
  • http//www.dof.ca.gov/OTROS/StatewideIT/IT_BdgtLtt
    rs.asp
  • ORP Policy in the State Administrative Manual
    (SAM)
  • Operational Recovery Planning
    http//sam.dgs.ca.gov/TOC/4800/4843.htm
  • Operational Recovery Plan http//sam.dgs.ca.gov/T
    OC/4800/4843.1.htm
  • ORP SIMM 65A http//www.infosecurity.ca.gov/Pol
    icy/

53
Contact Us
  • Rosa.Umbach_at_dof.ca.gov
  • (916) 445-1777 ext. 3242
  • Colleen.Pedroza_at_dof.ca.gov
  • (916) 445-1777 ext. 3224
  • SISO Office
  • email security_at_dof.ca.gov
  • Telephone (916) 445-5239
  • www.infosecurity.ca.gov
Write a Comment
User Comments (0)
About PowerShow.com