There are six major planning activities in the IT Disaster Recovery Program. Not every component is required for every resource.

IT Security Controls Related to DR:

• CP-2 Contingency Plan
• CP-4 Contingency Plan Testing
• CP-6 Alternate Storage Site

A BIA of a unit/department's IT services is a systematic assessment of the potential impact of a loss of the service due to an interruption of computing and/or infrastructure support services resulting from a disruptive event or incident. All IT services must be included in a BIA. All IT services must be assigned a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) by their information resource owner.

An integral part of an IT DR Program is taking steps to prevent a disaster or to mitigate its effects beforehand. A Facility Assessment examines various threats that could lead to a disaster, vulnerable areas, and steps taken to minimize risk to IT infrastructure and hardware that support mission critical information resources and essential IT services. The threats covered in the assessment are both natural and human-created.

A department/unit IT DRP is focused on the overall recovery of IT services based on the information resource owner's established Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Detailed recovery procedures and assumptions of an individual or a group of interdependent mission-critical information resource or essential IT services are stored in the department/unit's Information System Contingency Plan(s) (ISCP).

IT Services that have been identified by the information resource owner or the Chief Information Security Officer (CISO) as either an essential IT service or a mission-critical information resource must be included in an ISCP. An ISCP can be completed for an individual IT service or a group of interdependent IT services. An ISCP contains detailed procedures to recover a mission-critical or essential IT service or a grouping of interdependent IT services following a disruption. Mission critical information resources and essential IT services must be exercised annually.

A Cost-Benefit Analysis is only required if the IT service is determined to be an essential IT service and the actual Recovery Time Objective (RTO) is not in alignment with the required RTO.

Texas A&M University IT DR Plan addresses the use of the Incident Command System (ICS) to recover essential IT services that support university-level critical functions. Critical functions are identified in Institutional Continuity Plan (Annex J) of the Texas A&M University Emergency Operation Plan. The university-wide IT DR Plan contains a list of key personnel, contact information, a listing of essential IT services by Recovery Time Objective (RTO), Recovery Point Objective (RPO), and a listing of recovery procedure milestones.