Planning for Disaster Recovery/Business Continuity Testing
Once a disaster recovery and business continuity plan (BCP) is validated, approved and implemented, it must be regularly tested. Vigorous testing will identify gaps in the plan or business process changes and assure the plan is accurate and complete. As you prepare test schedules and plans, take into account these considerations.
BCP Test Schedules
At the beginning of each fiscal year, the BCP team should discuss test plans and schedules for the upcoming year. When making test schedules, consider:
- The risk effect of the business process as identified in the business impact assessment and risk assessment
- Successes and failures from previous tests
- New or significantly changed business processes and/or supporting technologies
- Significantly planned changes in business processes or supporting technologies in the upcoming year
- Test types as identified below
Testing Standards & Requirements
Testing is the only way the organization can evaluate and refine its ongoing business continuity process. Company leadership should appoint a team responsible for test plan development and ensuring the tests are performed.
To improve the plan, consider the following while developing a test:
- Purpose and objectives
- Timing and scheduling
- Assumptions and constraints
Various test scenarios should be planned that identify the disaster type, damage level, recovery capability, availability of staff, equipment and backup resources and time/duration of the test. Test plans should identify the person responsible and the estimated time required to perform each action.
To ensure quality results from each planned recovery test, consider these summaries of each test type:
A checklist test can help determine whether the plan is current—whether adequate supplies are stored at the backup site, telephone numbers are current, quantities of emergency forms are adequate and copies of the plan and necessary supplemental documentation are present. Using this testing technique, the various teams review the plan and ensure key materials and supplies are current and available. The checklist test, which should occur at least annually, ensures the organization complies with BCP requirements.
Table Top Test
A table top test, or a simulation/structured walk-through test, is typically performed on a departmental basis and involves a detailed walk-through of the plan’s various components by each team member.
During a table top test, business units simulate the disaster so that normal operations aren’t interrupted. A disaster scenario is established that identifies the type of disaster that occurred and plan components to be tested.
Testing should include notification and temporary operating procedures and backup and recovery operations. During the simulation test, these elements can be tested: hardware, software, personnel, data and voice communications, procedures, forms and supplies, documentation, transportation, utilities and hot-site processing. A combination of checklist and simulation testing should be attempted to determine initial enhancements to the plan before attempting more extensive testing.
Off-Site Application Recovery Test
Application recovery tests ensure that applications can be recovered at third-party locations if a disaster occurs. This type of test requires interaction from vendors, information technology and business unit leaders. As such, it’s one of the more difficult and expensive tests.
Alternate Site Test
Alternate site tests for critical systems can be performed in conjunction with the checklist or simulation tests. During this test, the operating system and one or more applications are brought up at the alternate site and test or sample transactions are processed against the backup files. All reports produced at the alternate site are then balanced using the prior day’s reports and the test or sample transactions.
Telecom & Network Communications Test
Communications tests can be performed independently or in conjunction with alternate site tests. During communications tests, alternate communications lines or routes are tested to various degrees. Test or live transactions can be routed through alternate communications lines to ensure the quality and reliability of the alternate communications network. Similar types of tests can be performed for voice communications.
Calling Tree Tests
Calling tree tests can be performed independently or in conjunction with other tests. During a calling tree test, the call tree for key teams and/or business processes can be used. A keyword should be used during the test so the communication can be validated at the test’s completion.
During a calling tree test, parameters should be established for time limits, and alternative communication methods should be considered if a block in the calling tree occurs.
Test Results Reporting & Executive Reporting
All tests should have clearly defined goals and objectives before they begin. Test results should be documented and included in the BCP for historical purposes.
Furthermore, results of each scheduled test should be reported to the leadership team as well as any affected business process leaders.