Business continuity planning is a process that is vital to your organization. There is always the possibility that your organization’s critical business processes could be negatively affected for reasons that are often beyond your control, so it's best to be prepared. If a disruption occurs, it’s essential that your organization has a plan to address any potential issues and ensure that your organization can still serve your customers.

However, if you’ve never enacted your plan, it’s hard to be confident that your plan will be sufficient. Testing your business continuity plan (BCP) helps to continuously improve your ability to recover successfully from various scenarios, whether it be a natural disaster or a communications failure. The good news is that there’s not just one way to test your BCP. Here are four steps to help you build a better business continuity plan testing program and ensure you are prepared for any situation that may come your way.

______________________________________________________________________________________________

The first step to better BCP testing is to incorporate different testing methods. You can utilize various methods to test the usability and effectiveness of your business continuity plan. Some of the possible test methods provided by the FFIEC include:

• Tabletop Exercise: A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation. The goal of a tabletop exercise is to determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other.
   
• Limited-Scale Exercise: A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes. The goal of a limited-scale exercise is to determine whether targeted systems can be recovered and whether personnel understand their responsibilities as defined in the plan.
   
• Full-Scale Exercise: A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes. The goal of a full-scale exercise is to determine whether all critical systems can be recovered at the alternate processing site and whether personnel can implement the procedures defined in the BCP. For example, a full-recovery exercise might simulate the complete loss of primary facilities.

______________________________________________________________________________________________

Step two is to understand how often to test. Although there is no hard-and-fast standard for determining how often to test your business continuity plan, some general guidelines are typically recommended. Note that each of these timeframes will depend on your organization’s industry, size, personnel, available resources, and current BCP maturity levels. Don’t take these timelines as gospel, as they are strictly that: guidelines.

SBS recommends reviewing each of your emergency preparedness plans (business continuity, disaster recovery, incident response, and pandemic preparedness) throughout the course of a given year. Testing would typically include an annual tabletop test of all four individual EPP plans, testing multiple scenarios for threats you identify as a higher risk to your organization. Be sure to test the scenarios you believe to be the highest risk to your organization most frequently. You can use your business continuity risk assessment to help identify which threats are particularly impactful/probable to the organization.

Additionally, a limited-scale exercise is recommended at least annually, but such a test is largely dependent on the size and complexity of your organization and the maturity of your failover procedures. For example, if your organization’s goal is to have a fully-functional failover DR backup site, but you have not yet achieved full-failover mirroring and backups, implementing this complex backup process and testing to ensure everything works correctly from failover to failback may take years to achieve. In comparison, testing file-level restores from nightly backups is something any organization can do quickly and frequently today.

However, if your organization has any significant changes in processes, systems, or plan details, you may want to perform these tests more frequently. To reiterate, these timelines are highly dependent on your organization; it may not be feasible or logical to perform some of these tests at a particular frequency. Base this decision on your organization and its specific needs.

If you are looking for somewhere to start and what should be prioritized for testing, refer to your business impact analysis. This is an excellent way to not only identify your most critical processes, but also the assets/systems you rely on the most. Systems that you require to keep your most critical processes functioning should be tested more frequently, allowing you to validate proper recoverability and the timeframes of that recovery. Most organizations benefit greatly by having a testing schedule documenting their plans. This allows for a strategic approach to testing involving the organization's processes, systems, and vendors deemed necessary.

______________________________________________________________________________________________

Including your vendors is the next step in improving your BCP testing. In the course of your testing cycle (whether a tabletop test, limited-scale exercise, or full-scale exercise), you’ll want to ensure your critical vendor partners are included in the testing process to whatever extent possible. Involving your vendors in this process not only allows you to test to a greater degree of accuracy and usability but also allows your vendors a chance to provide feedback that may be valuable to your plans or testing process.

______________________________________________________________________________________________

Finally, step four is to document your testing. Be sure to document the results of any testing performed, along with any actionable findings from those tests. Following up on these items and incorporating recommendations resulting from tests is the most important process in the BCP testing lifecycle. Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.

Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.

______________________________________________________________________________________________

Resources and Testing Options

Numerous additional resources that your organization may use or participate in to continue maturing your BCP testing program are widely available. Here is a list of organizations and resources to help you perform such testing on your own organization’s BCP:

• FS-ISAC (Financial Services Information Sharing and Analysis Center) Exercises - https://www.fsisac.com/Exercises: A range of exercises, performed throughout the year, in which your organization can register and participate, including simulated cyber-attacks on payment and insurance systems, cyber-range, and regional exercises.
• US-CERT (United States Computer Emergency Readiness Team) - https://www.us-cert.gov/ccubedvp/business: A suite of resources focused on cybersecurity resilience and BCP testing resources.
• FDIC Cyber Challenge - https://sbscyber.com/resources/fdic-resource-a-community-bank-cyber-exercise: A set of vignettes created to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.
• Department of Homeland Security/FEMA Business Continuity Planning Suite - https://www.ready.gov/business-continuity-planning-suite: Video training series focusing on BCP basics, why a BCP is important, and best practices on generating and updating a BCP.
• FEMA (Federal Emergency Management Agency) Independent Study Courses - https://training.fema.gov/is/crslist.aspx: Free courses provided by FEMA covering a wide range of topics, including DR response (fires/flooding/earthquake/tornado), pandemic response, effective communication, damage assessment, and more. FEMA also maintains Emergency Planning Exercises and free downloadable tabletop exercises here, https://www.fema.gov/emergency-planning-exercises.

Other Sources

• https://ongoingoperations.com/business-continuity-test/
• https://dynamicquest.com/3-ways-test-business-continuity-plan/
• https://www.ready.gov/business-continuity-planning-suite
• BCM (ffiec.gov)

Updated by: Cole Ponto
Senior Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

• A key piece to any Information Security Program is a high-quality business continuity plan (BCP). Let SBS help design and test a comprehensive plan that encompasses four areas: business impact analysis, business continuity, disaster recovery, and pandemic preparedness. A well-structured plan can help mitigate the negative effects of a natural disaster, unexpected power outage, widespread illness, and many other unexpected events. Learn more.

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.