There are numerous resources that provide the means for developing a business continuity plan. These cover activities such as team formation, business impact analysis, and evaluation of legal and regulatory requirements. This is not one of those.

I’d like to discuss a common issue that arises when reviewing the results of an organization’s testing of their Business Continuity and Disaster Recovery (BCDR) plan. Specifically, it is not uncommon to find that no testing was performed at all.

The Misconception

A well-designed BCDR Plan should include the frequency with which the plan will be tested and the method of testing. Many organizations choose to include the requirement that testing be performed annually. However, organizations often fail to adhere to this frequency requirement due to a (not unusual) lack of time and resources.

In truth, there is no excuse for not testing your plan annually – because testing your plan is easier than you think.

There is a common misconception that testing a BCDR Plan requires either:

  • The Parallel Test: Relocating personnel and/or implementing site activation procedures at the alternate recovery site, or
  • The Full-Interruption Test: Including, amongst other things, purposely shutting down some aspect of your primary site’s production environment.

These tests may be costly, time-consuming, or not feasible for every organization to perform on an annual basis. However, before giving up entirely, let’s take a quick look at what NIST 800-53 has to say.

The baseline control for Contingency Plan Testing states the following:

Identifier: CP-4

Name: Contingency Plan Testing

Control Text:

a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.

Discussion:

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.


While best practice strongly recommends testing your plan at minimum annually, the method of testing is (largely) at the discretion of the organization!

Refer to the following link to view additional testing requirements from various bodies and standards. In all examples, testing is required, but the method of testing remains organizationally defined.

So, with this flexibility in the method of testing, what time- and resource-friendly tests are available that do not involve these commonly associated difficulties?

The Easy-To-Implement Solution

The solution is almost as simple as talking about your plan.

Below are three straightforward methods for testing your BCDR Plan (and maintaining compliance) without breaking the bank or adding another weekly meeting to the calendar.

  • The Read-Through: Exactly as it sounds, this test requires the distribution of the plan to each member of the Disaster Recovery Team. By ensuring that each member of the team has read the plan, you achieve (at minimum) the following:
  1. Key personnel are refreshed on their responsibilities,
  2. The plan is reviewed for needed revisions and updates, and
  3. Situations are identified where key personnel have left and their duties have not been reassigned.

Time is a critical resource during a disaster. Don’t find yourself waiting on escalation or action from a vacant position.

  • The Table-Top: Adding a few steps to the read-through is the table-top test, also known as the structured walk-through. In this test, the Disaster Recovery Team is presented with a disaster scenario by a designated test moderator. Each team member refers to the BCDR plan and role-plays individual, team, and organizational responses throughout the duration of the simulated scenario.

The role of the moderator is to:

  • Understand how the organization should respond based on the requirements of the BCDR Plan,
  • Present scenario(s),
  • Record team member responses throughout the duration of the event (e.g., how the organization reacts over the span of hours, days, and weeks), and
  • Facilitate post-testing discussions and identify areas of needed improvement or revision.

Note: The definition of ‘meeting’ is rapidly changing. Getting a team together physically is no longer always possible. A table-top test may be performed and facilitated using virtual conferencing, instant messaging, or even email! What is important is that each participant sees both the information posted by the moderator and team member responses.

The table-top provides the opportunity for each team member to not only read and affirm their responsibilities in a given scenario, but also to process and provide output. The difference in effectiveness could be compared to reviewing the solution of a math problem versus working the problem yourself.

  • The Simulation: This test begins the transition from words to actions. In addition to asking team members how they would respond to a scenario, this test may actually put their responses to the test. The most intensive of the three basic tests described here, it could involve such activities as performing a server restore, dialing a phone number, or running the backup power generator.

The benefits of this test are the added assurance gained through spot-checking responses and verifying that no immediate issues arise. Expanding on the math example from the table-top, here we are checking a few of the calculations to make sure everything looks right.

The Conclusion

By using the read-through, the table-top, and the simulation to evaluate preparedness, it is possible to maintain compliance with internal and external requirements without draining time and resources, while ensuring that your plan remains accurate and effective. With the simple, age-old tools of organization, communication, and documentation, any plan can make the transition from a stale set of policies and procedures to a living document that continues to reflect and support the goals of the organization.

This post was written by Jordan Herring.

Jordan serves as a cyber risk supervisor for HORNE cyber where he focuses on assurance services specific to cybersecurity.