Business continuity planning is a process that is vital to your organization. There is always the possibility that your organization’s critical business processes could be negatively affected for reasons that are often beyond your control, so it's best to be prepared. Your organization’s critical business processes might be negatively affected by a variety of reasons often beyond your control. If a disruption does occur, it’s extremely important that your organization has a plan in place to address any potential issues and ensure that your organization is still able to serve your customers.
However, if you’ve never enacted your plan, it’s hard to be confident that your plan will be sufficient. Testing your Business Continuity Plan (BCP) helps to continuously improve your ability to successfully recover from various scenarios, whether it be a natural disaster or a communications failure. The good news is that there’s not just one way to test your BCP. Here are four steps to help you build a better Business Continuity Plan testing program and ensure you are prepared for any situation that may come your way.
Step 1: Incorporate Different BCP Testing Methods
There are a variety of methods you can utilize to test the usability and effectiveness of your Business Continuity Plan. Some of the possible testing methods include:
- Plan Review: Typically involving higher-level management and department heads, a BCP review consists of analyzing the Business Continuity Plan and discussing potential improvements, as well as making sure contact information is up-to-date, recovery contracts are still in place and effective, and applicable business continuity and disaster recovery scenarios are appropriately covered. A plan review may also include training new managers on plan details so they can pass that knowledge down to their teams.
- Tabletop Exercise/Structured Walk-Through Test: At its core, a BCP Tabletop Test is a scenario-based role-playing exercise. The objective is to ensure all critical personnel in your organization are aware of and familiar with the relevant portions of the BCP, as well as their role in a disaster/event. Tabletop testing will typically include discussion of one or more disaster scenarios, during which the potential response procedures will be reviewed, responsibilities outlined, and process improvements uncovered.
- Walk-Through Drill/Simulation Test: A BCP Walkthrough Drill/Simulation Test is a more hands-on version of the tabletop exercise mentioned above. Whereas a Tabletop Test (as the name mentions) usually consists of sitting around a table and discussing plan details, the Walk-Through/Simulation Test incorporates actual recovery actions such as restoring backups, live testing of redundant systems, and any other relevant processes. In addition to critical personnel, any employees that would be involved in a BCP event should now be involved in the testing process. A Walk-Through Test may also include validation of response processes/systems, a simulated response at alternate locations, and varying degrees of actual notification and resource mobilization.
- Functional/Full Recovery Test: A BCP Functional/Full Recovery Test involves a complete process of spinning up your backup systems and processing transactions or data, although the Functional Recovery Test scope can vary from parallel testing (running your live and backup systems in conjunction) to a full failover test (completely transitioning operations to your backup systems). This test should be simulated as similarly to a “real-life” disaster as possible.
Step Two: Understand How Often to Test
Although there is no hard-and-fast standard for determining how often to test your Business Continuity Plan, there are some general guidelines that are typically recommended. Note that each of these timeframes is going to be dependent on your organization’s industry, size, personnel, available resources, and current BCP maturity levels. Don’t take these timelines as gospel, as they are strictly that: guidelines.
SBS recommends reviewing each of your Emergency Preparedness Plans (Business Continuity, Disaster Recovery, Incident Response, and Pandemic Preparedness) throughout the course of a given year. Testing would typically include an annual Tabletop Test and/or Walk-Through Test of all four individual EPP plans, testing multiple scenarios for threats that you identify as higher-risk to your organization. Be sure to test the scenarios that you believe to be the highest risk to your organization most frequently, and the scenarios you don’t believe to be that probably less frequently.
Additionally, a Functional Recovery Test is recommended at least every other year, but such a test is largely dependent on the size and complexity of your organization and the maturity of your failover procedures. For example, if your organization’s goal is to have a fully-functional failover DR backup site, but you have not yet achieved full-failover mirroring and backups, implementing this complex backup process and testing to ensure everything works correctly from failover-to-failback may take years to achieve. In comparison, testing file-level restores from nightly backups is something any organization can do quickly and frequently today.
However, if your organization has any major changes in processes, systems, or plan details, you may want to perform these tests more frequently. And again, these timelines are highly dependent on your organization; it may not be feasible or logical to perform some of these tests at a particular frequency. Base this decision on your organization and its specific needs.
Step Three: Include Your Vendors
In the course of your testing cycle (whether a Plan Review, Tabletop Test, Walk-Through/Simulation Test, or Functional Recovery Test), you’ll want to ensure your critical vendor partners are included in the testing process to whatever extent possible. Involving your vendors in this process not only allows you to test to a greater degree of accuracy and usability, but also allows your vendors a chance to provide feedback that may be valuable to your plans or testing process.
Step Four: Document Your Testing
Finally, be sure to document the results of any testing performed, along with any actionable findings from those tests. Following up on these items and incorporating recommendations resulting from tests is the most important process in the BCP testing lifecycle. Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.
Resources and Testing Options
Numerous additional resources that your organization may use or participate in to continue to mature your BCP testing program are widely available. Here is a list of organizations and resources to help you perform such testing on your own organization’s BCP:
- FS-ISAC (Financial Services Information Sharing and Analysis Center) Exercises - https://www.fsisac.com/Exercises: A range of exercises, performed throughout the year, in which your organization can register and participate, including simulated cyber-attacks on payment and insurance systems, cyber-range, and regional exercises.
- US-CERT (United States Computer Emergency Readiness Team) - https://www.us-cert.gov/ccubedvp/business: A suite of resources focused on cybersecurity resilience and BCP testing resources.
- FDIC Cyber Challenge - https://sbscyber.com/resources/fdic-resource-a-community-bank-cyber-exercise: A set of vignettes created to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.
- Department of Homeland Security/FEMA Business Continuity Planning Suite - https://www.ready.gov/business-continuity-planning-suite: Video training series focusing on BCP basics, why a BCP is important, and best practices on generating and updating a BCP.
- FEMA (Federal Emergency Management Agency) Independent Study Courses - https://training.fema.gov/is/crslist.aspx: Free courses provided by FEMA covering a wide range of topics, including DR response (fires/flooding/earthquake/tornado), pandemic response, effective communication, damage assessment, and more. FEMA also maintains Emergency Planning Exercises and free downloadable tabletop exercises here, https://www.fema.gov/emergency-planning-exercises.
Written by: Dan Klosterman
Information Security Consultant - SBS CyberSecurity, LLC
A key piece to any Information Security Program is a high-quality Business Continuity Plan (BCP). Let SBS help design and test a comprehensive plan that encompasses four areas: Business Impact Analysis, Business Continuity, Disaster Recovery, and Pandemic Preparedness. A well-structured plan can help mitigate the negative effects of a natural disaster, unexpected power outage, widespread illness, and many other unexpected events. Learn more.
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.