Zombies, zombies Everywhere!!!

​Business Continuity Testing & Evaluation Scenarios

When it comes to Business Continuity Planning (BCP), nothing makes an IT Security Pro more nervous than testing the plan they just created.  Whether you live in the Northwestern US, or in Europe, planning for a disaster or business interruption is an important aspect of evaluating the planning process.  Whether you are looking to perform a functional test, or just a table-top test, determining the type of scenario can be a daunting task, even scary to even contemplate.

​Testing & Evaluation

As part of the evaluation process, IT Security Pros will have to test the BCP in order to determine any gaps or areas that should be addressed that may have been missed during the planning process.  This process is perhaps the most important part of planning for a disaster.  Measuring the effectiveness of the planning process will allow the organization to determine if they need additional controls or assets in order to deal with the possible incident.

Testing of the BCP should be only to the level that you need to have in order to validate the planning process.  There are several levels of testing, and I have listed a few of them here for you:

  1. Paper Test – Just a review of the plan and an evaluation against what is planned.
  2. Table-top Test – This is a full run through of the planning process and is a minimum that is required by most standards and current best practices.
  3. Partial Functional – Similar to the table-top test, but actual events are planned in order to make more realistic (network or power outages are planned during this time).
  4. Functional Testing – This is a full-on test of the plan and may directly impact customers or services that are offered by the organization. Failover testing, back-up sites, and plan communications may be exercised during this type of test.

Testing Scenario
Choosing a test scenario is important to help to establish guidance that will help the stakeholders or decision makers to “visualize” the events.  This is where some creativity may be expressed, as to how realistic you want to be.  The basic rule of thumb here is to keep it realistic enough that the company can realistically plan for dealing with the various scenario that is addressed in the testing process.  Some examples might be:

  • Earthquake (infrastructure/ network outage/ power outage)
  • Tornado (power outage/ severe building damage)
  • Hurricane (water damage/ offsite storage/ flooding)
  • Heat Event (building systems/ staffing numbers)
  • Pandemic (services/ resources/ management of changing dynamics)
  • Zombies (personnel/ infrastructure/ network & power outage)

These are only suggestions and focus areas may change depending on the needs of the company that is doing the testing and evaluation.

Evaluation
Evaluating how your business did during the testing process can be difficult do to how you set up the overall testing and evaluation strategy that you will be using.  Evaluation can take many forms, but the focus is to provide feedback to leadership as to how well the company will or won’t do in case of a significant business impacting event.  Some sample metrics are below:

  • Communication Timeframes
  • Evaluation of Event
  • Engagement of Staff
  • How well did decisions get made
  • Decision methodologies followed
  • Call Tree Notification Times
  • Client Notification Times
  • Time to respond to changing events
  • Client/customer notification times of potential impacts

These different metrics will help to provide the business the hard evidence that you will need in order to create a more responsive and comprehensive plan.

Communications

Communication in case of a disaster is one of the most important aspects that an organization should address prior to the testing and evaluation process.  Asking the following questions may help:

  • Who is our point of contact? (internal/ external)
  • How will a disaster be communicated to staff/ public?
  • How will an incident be communicated to customers/clients of the organization?
  • Who will handle medial inquires?

These questions should be documented in the planning process and all employees or staff members should understand this process and know where and how to access this specific information.  If you are not controlling this information, staff will make it up.  And chances are that this is more impactful than the company putting out the information themselves.

Summary

While you will not be able to plan for every major disaster that may occur (see zombie apocalypse/ asteroid impact).  Your BCP should be robust enough to be able to deal with multiple types of events.  Testing and evaluation of the planning process will help to validate the plan and show the business where potential improvements may need to be made.  One plan will not fit all situations, so flexibility will be the name of the game when developing your plan.

​With the focus of the plan being on the services or products that your business provides being one of the main drivers, it is also important to remember that without your employees and staff, those capabilities will not be able to be carried out.  The company can always replace equipment or where it conducts business, but you can’t replace your personnel.  

By admin