Los Angeles World Airports (LAWA), the department that oversees three airports in the LA area, recently implemented a business continuity and disaster recovery plan for the Los Angeles International Airport (LAX). As part of the effort, the organization conducted a tabletop exercise on what would happen if an earthquake struck LAX.
CSO contributor Bob Violino interviewed Dominic Nessi, deputy executive director and CIO of LAWA, about these efforts.
CSO: What was involved in implementing a business continuity and disaster recovery plan for LAX, and did this replace an existing plan?
Dominic Nessi: When I arrived at LAX in 2007, it was apparent that we needed to drastically upgrade our approach to business continuity and disaster recovery planning. My first step was to bring on an experienced CISO, Bob Cheong, who would be the program manager for our efforts. We also hired an experienced and skilled cybersecurity team.
The initial step in the planning was a business impact analysis (BIA). The key component of the BIA was to develop the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) of each business process.
RTO is the time in which a business process must be restored after a disaster and RPO is the maximum time that data might be lost from an IT service outage. The purpose of this analysis is to understand the impacts a disruptive event may have on our organization. The BIA forms the business case for a business continuity program.
The second step was to develop 13 business continuity plans, the IT disaster recovery plan, and the IT incident response plan. The two major components of the business continuity plan are the manual workaround procedures and the roles and responsibilities of each participant in the recovery process.
Each business unit was required to submit a manual workaround procedure for each of their business processes. This is required to continue business operations when IT systems are unavailable. This was the most detailed task of the project, as it required many interactions with stakeholders to ensure the accuracy of information. Bob and his team managed this process, working intimately with the LAX business community.
CSO: Who took part in the tabletop exercise and what was learned and accomplished from that?
Dominic Nessi: We used the following scenario for the tabletop exercise: At approximately 9:30 a.m. Pacific Daylight Time, an earthquake began in the Pacific Ocean about 30 miles southwest of Malibu, [Calif.] at a magnitude of 6.7 on the Richter scale. The epicenter of this quake was 53 miles from the Civic Center and had a significant effect on the area around LAX. The buildings sustained moderate to severe structural damage.
The participants in the exercise represented the LAX department managers and selected staff for which business continuity and disaster recovery plans had been established. Participants were gathered in a single room and asked to address recovery solutions based on the information in their plan. They were able to question other departments to determine if there was available support for any dependencies.
During the exercise we identified the roles and responsibilities of each team, established communication flow to exchange dependencies information, and discovered missing or incorrect recovery information.
CSO: What were some of the challenges you encountered, and how did you address them?
Dominic Nessi: One of the challenges the LAX cybersecurity team encountered during the exercise was to make sure the participants were kept on track in responding to the situation and that there was an open dialogue that flowed between groups. Because this was a new experience for LAX, there was ample opportunity for deviating from the script. What we found was that the LAX business community responded enthusiastically to the exercise, providing insightful information to the security team.
CSO: Are you planning other tabletop exercises, and if so what will they involve?
Dominic Nessi: As LAX is currently going through many changes in enhancing its business environment, we will have to conduct tabletop exercises on a regular basis to reflect major business process changes. These exercises will validate the effectiveness of each updated plan and address any gaps that were uncovered.