Operational Recovery Planning
Presented by the California State Information Security Office

State Information Security Office
• Vision: Leading the way to secure the State's information assets.
• Mission: To manage security and operational recovery risk for the State's information assets by providing statewide direction and leadership.
Definitions
• Emergency Response
• Business Continuity Planning (BCP)
• Operational Recovery Planning (ORP)
• Continuity of Operations (COOP)
• Continuity of Government (COG)
Emergency Response
• The immediate reaction and response to an emergency situation, commonly focusing on ensuring life safety and reducing the severity of the incident.
• Definition from the Disaster Recovery Journal (DRI) website at: http://www.drj.com/glossary/
Business Continuity Planning (BCP)
• The process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and to return to performing its critical functions after an interruption.
• Similar terms: business resumption plan, continuity plan, contingency plan, disaster recovery plan, recovery plan.
• Definition from the Disaster Recovery Journal (DRI) website at: http://www.drj.com/glossary/
Operational Recovery Planning (ORP)
• DISASTER RECOVERY PLAN (also known as an Operational Recovery Plan): The management-approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Management Program.
• Definition from the Disaster Recovery Journal (DRI) website at: http://www.drj.com/glossary/
Continuity of Operations (COOP)
• The activities of individual departments and agencies and their sub-components to ensure that their essential functions are continued under all circumstances. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises.
• Definition from the Office of Emergency Services (OES)
Continuity of Government (COG)
• The preservation, maintenance, or reconstitution of the institution of government. It is the ability to carry out an organization's constitutional responsibilities. This is accomplished through succession of leadership, the pre-delegation of emergency authority, and active command and control.
• Definition from the Office of Emergency Services (OES)
Three Phases of Continuity (diagram)
• Phase I – First 72 hours: Emergency Response (Life Safety First) and Damage Assessment
• Phase II – Up to 30 days: IT Operational Recovery and Business Recovery
• Phase III – Restoration: Business back to normal
• Underpinning all three phases: Planning, Documenting, Testing, and Training
IMPLEMENTATION OF PLANS
• A disruption of business occurs and you are informed. Next steps:
1. Emergency Response – safety and security of staff.
2. Securing the site.
3. Activate the COOP/COG Plan to ensure the continuation of essential functions.
4. Implementation of the communication plan.
5. After assessing the incident, determine if implementation of the BCP and ORP is required.
6. Contact the SISO to report the incident.
7. Implement the BCP and ORP.
Strategies of Implementation
• Business Continuity and Operational Recovery Plans should be invoked when there is an incident that affects an essential business function and exceeds the maximum allowable outage (MAO). For example:
  • System Availability – a major virus infection requiring systems or applications to be shut down (denial of service).
  • Communication disruption – the connection with DTS is disrupted.
  • Fire, flood, or other natural or man-made catastrophe that disrupts your essential business functions.
ORP Documentation Revised
• The components to be included in the ORP were updated in January 2007.
• The changes must be included in the ORPs filed with the SISO beginning in October 2007.
• Training classes have been scheduled on the changes made to the ORP.
New Requirements
• ORPs must describe:
  • Agency Administrative Information
  • Critical Business Functions/Applications
  • Recovery Strategy
  • Backup and Offsite Storage Procedures
  • Operational Recovery Procedures
  • Data Center Services
  • Resource Requirements
  • Assignment of Responsibility
  • Contact Information
  • Testing
Supplemental Requirements
• Agencies that have not developed and implemented a full business continuity plan or COOP/COG must also address and include the following in their plan:
  • Damage Recognition and Assessment
  • Mobilization of Personnel
  • Primary Site Restoration and Relocation
State IT Strategic Plan Action Item
To align the ORP and COOP/COG, a work group has been established to:
• review processes
• define terminology
• evaluate reporting requirements
Resources
• SISO web site: http://www.infosecurity.ca.gov/ORP/
• Budget Letter 07-03 – ORP Policy Changes: http://www.dof.ca.gov/OTROS/StatewideIT/IT_BdgtLttrs.asp
• ORP – SIMM 65A: http://www.infosecurity.ca.gov/Policy/
• ORP Training Schedule: http://www.infosecurity.ca.gov/Training/
Contact Us
• Rosa.Umbach@dof.ca.gov, (916) 445-1777 ext 3242
• SISO Office: email: email@example.com, Telephone: (916) 445-5239
• www.infosecurity.ca.gov