THE IT SECURITY PROFESSIONAL
Barlowtek
Testing your Business Continuity Plan

If you have developed your Business Continuity Plan (BCP), you will need to test it at some point to make sure that it will help support the organization in case of a disaster. (Also, having a Disaster Recovery Plan (DRP) will be crucial in determining how the business will respond to the disaster, but that will be for another blog.) As they say, “you are only as protected as your last test”. Really, that is the key here. You need to test the BCP on a regular basis, because things change in your environment all the time. The BCP should be a living document in that it should reflect the way your business is conducted.

Developing a Test Plan

So your BCP is completed and you have all the additional documentation that you will need to support the overall recovery strategy (you have a recovery strategy, don’t you?). Now is the time to develop a test plan for the disaster that you will simulate. (Please, no aliens or asteroids hitting and wiping out the business; it’s just not going to happen, and it’s a waste of your time.) Pick a disaster that you will most likely see in your geographic area. Some common disasters are listed below:
Ransomware & Pandemics

In the list above, a pandemic is listed. The reason for this is that the CDC and other organizations like NIST (National Institute of Standards and Technology) have come out with guidelines on how a company should prepare for such events. With that in mind, even though you may not test for it at first, including it in your preparation planning process and discussing how you are going to deal with it in case it affects your business is a best practice.

Ransomware is also listed above, and the reason for that is that a ransomware attack on an organization will have the same impact as a disaster. You might as well prepare for it like one. Different scenarios and different means of infiltration of the ransomware make this type of disaster difficult to plan for, but determining how you will react to it and how you will handle specific aspects will go a long way in assuring your customers and employees that you are doing things the right way.

Types of Tests
Tabletop

There are several types of testing that you could do when you are testing your BCP. The most common, or the one that is required by most standards, is the tabletop test. If you are not familiar with this type of test, it is important that you become familiar with it. This test runs through a given scenario with the BCP (that you developed) as the decision maker’s guide. This test, depending on the complexity, should take a while to complete and should challenge the leadership of your organization in a way that they have not been challenged before.

Partial Functional Test

This type of testing adds a component of the functional test to the tabletop scenario. This will bring some realism to the events of the testing process. Conducting a network backup during the same time or testing your backup generators are very common during these types of tests. These are meant to put a little stress on the company for recovery purposes, but not affect the overall business operations.

Functional

A functional test is meant to be a full-on test of the continuity plan and is meant to show that the company will be able to recover in the event of a disaster. This type of test requires a simulated event where the operations of the business are affected (physical disconnection of network wiring, or a fire breaks out) and recovery is required in order to be back up and functioning within a reasonable amount of time. This should not be done on a regular basis, but should be performed periodically in order to ensure the plan is effective. Working up to this point is the goal of most organizations. Some types of industries will require it, but most do not.

Sticking to the Script

One of the things that has happened many times to those of us who have run these tests is that the Leadership Team will go off the script and tell you things that will not make sense. Given a scenario, the Leadership will want to perform everything correctly.
Truth is, this is where you will find the weak points in your planning process, and you want to have failures, so you can fix them for the next time you have a test. Going off script and saying you have a solution for a problem (but it is not in your plan) is lying to yourself and your company. If it is not in your plan, you can’t use it. If it needs to be added after the training, fine, but not during the training scenario testing, and it can’t be used as part of the recovery portion of the testing. Keeping the script and the plan the same will ensure that you identify your gaps and are able to address them effectively once you start to remediate the findings of your testing.

Documentation of Disaster

One of the key things that you can do to ensure that you have an effective test of your BCP is to document the process from beginning to end. This may be difficult due to the communication that is going on between the different leadership members who will be making those key decisions. But the process should be documented in order to determine if there is a gap in the overall planning process. Keeping track of important events or incidents will help to ensure that you are able to analyze the events in chronological order when the testing has been completed. Noting all incidents as they happen (having someone who is not part of the testing process take notes during the testing would be great) will ensure that you can go back and look at the events in a more objective manner later on. In addition, documentation of the disaster may be needed for auditing purposes later on, if you are under any sort of regulatory requirement.

Remediation Efforts

After the testing has been completed, the remediation efforts will begin. This is where the real work of the BCP testing will be conducted.
Identify the gaps that appeared during the testing of the plan, and list them so that all of those who have taken part may see the specific areas that may need to be worked on. This will also help to identify the possible responsible parties for those areas within your organization. Prioritizing the remediation efforts will give the business a detailed period in which they will need to begin working towards fixing the identified gaps. The plan here is to make sure that the gaps have been addressed within a given period, or that the company will be able to deal with the gap as a known issue. (This should also be recorded on your Risk Register as an acceptance of the risk to the company.)

Summary

While there are many items that go into a Business Continuity Plan, the plan is there to help your organization recover from a disaster. Without this documented plan, your business runs the risk of not being able to recover and may go out of business because of it. The importance of the planning process cannot be understated here. The time you take in making sure that you have plans or processes in place in case your organization has to deal with a disaster will go a long way in ensuring that you will recover with your business intact.
IT Security Pro

Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.