Disaster Recovery and Business Continuity Testing Approaches and Methods


As a part of regular testing and maintenance, organizations can opt to perform either full or partial testing of recovery and continuity plans, though most organizations do not perform full-scale tests because of resource constraints. To continue to improve recovery and continuity plans, organizations can perform a paper, walk-through, or preparedness test. Tests should be scheduled during a time that causes minimal disruption to the normal operations of the organization. It is important that all key team members participate in testing and that the test process addresses all critical areas of the plan. The testing methods employed by the organization will vary from simple to complex, and each method has its own objectives and benefits. The following sections give examples of testing methods.

Paper Test

A paper test is the least complex test that can be performed. This test helps ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan. With this type of test, the BCP/DRP plan documents are simply distributed to appropriate managers and BCP/DRP team members for review, markup, and comment.

Walk-Through Testing

A walk-through test is an extension of the paper test, in that the appropriate managers and BCP/DRP team members actually meet to discuss and walk through the procedures of the plan, individual training needs, and clarification of critical plan elements.


Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.


Preparedness Test (Full Test)

A preparedness test is a localized version of the full test in which the team members and participants simulate an actual outage or disaster and simulate performing the steps necessary to effect recovery and continuity. This test can be performed against specific areas of the plan instead of the entire plan. This test validates response capability, demonstrates skills and training, and practices decision-making capabilities. Only the preparedness test actually takes the primary resources offline to test the capabilities of the backup resources and processing.


Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.


Full Operational Test

A full operational test is the most comprehensive test and includes all team members and participants in the plan. The BCP team and participants should have multiple paper and preparedness tests completed before performing a full operational test. This test involves the mobilization of personnel, and disrupts and restores operations just as an outage or disaster would. This test extends the preparedness test by including actual notification, mobilization of resources, processing of data, and utilization of backup media for restoration.

Per ISACA, the test should strive to accomplish the following tasks:

  • Verify the completeness and precision of the business continuity plan

  • Evaluate the performance of the personnel involved in the exercise

  • Appraise the training and awareness of the non-business-continuity members

  • Evaluate the coordination among the business continuity team and external vendors and suppliers

  • Measure the capability and capacity of the backup site to perform prescribed processing

  • Assess the vital records retrieval capability

  • Evaluate the state and quantity of equipment and supplies that have been related to the recovery site

  • Measure the overall performance of operational and information systems processing activities related to maintaining the business entity

During the test, detailed documentation and observations should be maintained. This documentation should include any problems incurred and suggested solutions. This documentation should be used during analysis of the test, with the success of the plan measured against plan objectives. During this analysis, team members and management should be able to evaluate against specific or general measurements associated with the plan. Per ISACA, these measurements might include the following:

  • Time: The elapsed time for completion of prescribed tasks, delivery of equipment, assembly of personnel, and arrival at a predetermined site.

  • Amount: Amount of work performed at the backup site by clerical personnel and information systems processing operations.

  • Count: The number of vital records successfully carried to the backup site versus the required number, and the number of supplies and equipment requested versus those actually received. Also, the number of critical systems successfully recovered can be measured with the number of transactions processed.

  • Accuracy: Accuracy of the data entry at the recovery site versus normal accuracy. Also, the accuracy of actual processing cycles can be determined by comparing output results with those for the same period processed under normal conditions.

It is important for organizations to remember that a BCP plan is a living document and will change according to the needs of the organization. The testing, maintenance, and analysis will provide the organization with a BCP plan that is viable in the event of a disaster. The plan should include a regular review and testing schedule to allow for changes in business strategy, the introduction of new applications, vendor or contract changes, and the disposition of applications or systems. The organization should appoint a business continuity coordinator to ensure that periodic testing and maintenance of the plan are implemented. The coordinator should also ensure that team members and participants receive regular training associated with their duties in the BCP and maintain records and results of testing.

The organization should implement an independent party (internal or external IS auditor) to review the adequacy of the business continuity process, to ensure that the board and management expectations are met. The independent review should include assessing the identification of critical business processes, team and individual skill sets, testing scenarios and schedules, and the communication of test results and recommendations. The IS auditor should directly observe tests and training, and report on the effectiveness of the BCP.



Exam Cram 2. CISA
ISBN: B001EEFNHG
Year: 2005
Pages: 146
