As a part of regular testing and maintenance, organizations can opt to perform either full or partial testing of recovery and continuity plans, though most organizations do not perform full-scale tests because of resource constraints. To continue to improve recovery and continuity plans, organizations can perform a paper, walk-through, or preparedness test. Tests should be scheduled at a time that causes minimal disruption to the normal operations of the organization. It is important that all key team members participate in testing and that the test process addresses all critical areas of the plan. The testing methods employed by the organization will vary from simple to complex, and each method has its own objectives and benefits. The following sections give examples of testing methods.

Paper Test

A paper test is the least complex test that can be performed. This test helps ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan. With this type of test, the BCP/DRP plan documents are simply distributed to the appropriate managers and BCP/DRP team members for review, markup, and comment.

Walk-Through Testing

A walk-through test is an extension of paper testing, in that the appropriate managers and BCP/DRP team members actually meet to discuss and walk through the procedures of the plan, individual training needs, and clarification of critical plan elements.
Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.

Preparedness Test (Full Test)

A preparedness test is a localized version of the full test in which the team members and participants simulate an actual outage or disaster and perform the steps necessary to effect recovery and continuity. This test can be performed against specific areas of the plan instead of the entire plan. It validates response capability, demonstrates skills and training, and exercises decision-making capabilities. Only the preparedness test actually takes the primary resources offline to test the capabilities of the backup resources and processing.
Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.

Full Operational Test

A full operational test is the most comprehensive test and includes all team members and participants in the plan. The BCP team and participants should have completed multiple paper and preparedness tests before performing a full operational test. This test involves the mobilization of personnel, and it disrupts and restores operations just as an outage or disaster would. It extends the preparedness test by including actual notification, mobilization of resources, processing of data, and use of backup media for restoration. Per ISACA, the test should strive to accomplish the following tasks:
During the test, detailed documentation and observations should be maintained. This documentation should include any problems encountered and suggested solutions. It should be used during analysis of the test, with the success of the plan measured against plan objectives. During this analysis, team members and management should be able to evaluate the plan against specific or general measurements associated with it. Per ISACA, these measurements might include the following:
It is important for organizations to remember that a BCP is a living document and will change according to the needs of the organization. Testing, maintenance, and analysis will provide the organization with a BCP that is viable in the event of a disaster. The plan should include a regular review and testing schedule to allow for changes in business strategy, the introduction of new applications, vendor or contract changes, and the disposition of applications or systems. The organization should appoint a business continuity coordinator to ensure that periodic testing and maintenance of the plan are carried out. The coordinator should also ensure that team members and participants receive regular training associated with their duties in the BCP, and should maintain records and results of testing. The organization should engage an independent party (an internal or external IS auditor) to review the adequacy of the business continuity process and ensure that board and management expectations are met. The independent review should include assessing the identification of critical business processes, team and individual skill sets, testing scenarios and schedules, and the communication of test results and recommendations. The IS auditor should directly observe tests and training, and report on the effectiveness of the BCP.