Drilling for disaster at LAX

Los Angeles World Airports (LAWA), the department that oversees three airports in the LA area, recently implemented a business continuity and disaster recovery plan for the Los Angeles International Airport (LAX). As part of the effort, the organization conducted a tabletop exercise on what would happen if an earthquake struck LAX.

CSO contributor Bob Violino interviewed Dominic Nessi, deputy executive director and CIO of LAWA, about these efforts.

CSO: What was involved in implementing a business continuity and disaster recovery plan for LAX, and did this replace an existing plan?

Dominic Nessi: When I arrived at LAX in 2007, it was apparent that we needed to drastically upgrade our approach to business continuity and disaster recovery planning. My first step was to bring on an experienced CISO, Bob Cheong, who would be the program manager for our efforts. We also hired an experienced and skilled cybersecurity team.

The initial step in the planning was a business impact analysis (BIA). The key component of the BIA was to develop the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) of each business process.

RTO is the time in which a business process must be restored after a disaster and RPO is the maximum time that data might be lost from an IT service outage. The purpose of this analysis is to understand the impacts a disruptive event may have on our organization. The BIA forms the business case for a business continuity program.

The second step was to develop 13 business continuity plans, the IT disaster recovery plan, and the IT incident response plan. The two major components of the business continuity plan are the manual workaround procedures and the roles and responsibilities of each participant in the recovery process.

Each business unit was required to submit a manual workaround procedure for each of their business processes. This is required to continue business operations when IT systems are unavailable. This was the most detailed task of the project, as it required many interactions with stakeholders to ensure the accuracy of information. Bob and his team managed this process, working intimately with the LAX business community.

Who took part in the tabletop exercise and what was learned and accomplished from that?

We used the following scenario for the tabletop exercise: At approximately 9:30 a.m. Pacific Daylight Time, an earthquake began in the Pacific Ocean about 30 miles southwest of Malibu, [Calif.] at a magnitude of 6.7 on the Richter scale. The epicenter of this quake was 53 miles from the Civic Center and had a significant effect on the area around LAX. The buildings sustained moderate to severe structural damage.

The participants in the exercise represented the LAX department managers and selected staff for which business continuity and disaster recovery plans had been established. Participants were gathered in a single room and asked to address recovery solutions based on the information in their plan. They were able to question other departments to determine if there was available support for any dependencies.

During the exercise we identified the roles and responsibilities of each team, established communication flow to exchange dependencies information, and discovered missing or incorrect recovery information.

What were some of the challenges you encountered, and how did you address them?

One of the challenges the LAX cybersecurity team encountered during the exercise was to make sure the participants were kept on track in responding to the situation and that there was an open dialogue that flowed between groups. Because this was a new experience for LAX, there was ample opportunity for deviating from the script. What we found was that the LAX business community responded enthusiastically to the exercise, providing insightful information to the security team.

Are you planning other tabletop exercises, and if so what will they involve?

As LAX is currently going through many changes in enhancing its business environment, we will have to conduct tabletop exercises on a regular basis to reflect major business process changes. These exercises will validate the effectiveness of each updated plan and address any gaps that were uncovered.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bob Violino

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place