Section 5: Disaster RecoveryAnchor: #i1352083
TxDOT must plan how to recover and support the continuity of services if a disruption denies access to a primary operations facility. The sole objective of this plan is to re-deploy affected services at a designated alternate site. This objective addresses the “Recover” objective of the Texas CyberSecurity Framework.Anchor: #i1352155
A disaster recovery plan is a site-specific plan of action to direct TxDOT in enabling its services when access to the daily operational location is prohibited. Document the disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works. The plan must include a strategy to ensure all critical information is backed up and can be deployed at alternate sites.
Each plan must include:
- identified software applications and their data
- assigned priority for hardware and software restoration
- specified procedures for obtaining necessary equipment
- Written instructions to recreate an operational environment for supporting the systems.
Alternate Sites. Alternate sites must be located sufficiently apart to prevent one disaster from affecting multiple facilities. The sites are designated either hot, warm, or cold based on the amount of time necessary to make the services available. Three system attributes will determine which alternative site a system will use:
- How critical is the system?
- How long is the recovery time for the system?
- What are the effects of a system outage?
Planning for continued service after a disaster is the responsibility of all stakeholders who have a duty to provide that service. Planning is a coordinated effort that requires the input from the individuals, information custodians, information owners, department heads, the information security officer, and the head of the agency.
Compliance and Standards
See the “Disaster Recovery Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Business Continuity Policy.