THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Business Continuity Testing & Evaluation Scenarios
When it comes to Business Continuity Planning (BCP), nothing makes an IT Security Pro more nervous than testing the plan they just created. Whether you live in the Northwestern US or in Europe, planning for a disaster or business interruption is an important aspect of evaluating the planning process. Whether you are looking to perform a functional test or just a table-top test, determining the type of scenario can be a daunting task, even a scary one to contemplate.
Testing & Evaluation
As part of the evaluation process, IT Security Pros will have to test the BCP to find any gaps or areas that were missed during the planning process and should be addressed. This is perhaps the most important part of planning for a disaster. Measuring the effectiveness of the planning process allows the organization to determine whether it needs additional controls or assets to deal with a possible incident. Test the BCP only to the level needed to validate the planning process. There are several levels of testing, and I have listed a few of them here for you:
Choosing a test scenario is important because it establishes guidance that helps the stakeholders or decision makers “visualize” the events. This is where some creativity may be expressed in deciding how realistic you want to be. The basic rule of thumb is to keep it realistic enough that the company can plan for dealing with the various scenarios addressed in the testing process. Some examples might be:
Evaluation
Evaluating how your business did during the testing process can be difficult due to how you set up the overall testing and evaluation strategy that you will be using. Evaluation can take many forms, but the focus is to provide feedback to leadership on how well the company will or won’t do in case of a significant business-impacting event. Some sample metrics are below:
Communications
Communication in case of a disaster is one of the most important aspects that an organization should address prior to the testing and evaluation process. Asking the following questions may help:
Summary
While you will not be able to plan for every major disaster that may occur (see zombie apocalypse / asteroid impact), your BCP should be robust enough to deal with multiple types of events. Testing and evaluation of the planning process will help to validate the plan and show the business where potential improvements may need to be made. One plan will not fit all situations, so flexibility will be the name of the game when developing your plan. While the services or products that your business provides are one of the main drivers of the plan, it is also important to remember that without your employees and staff, those capabilities cannot be carried out. The company can always replace equipment or where it conducts business, but you can’t replace your personnel.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.