Pub. 3 2014 Issue 8
November 2014 29 l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s BUSINESS CONTINUITY: TEST THE PLAN, PLAN TO TEST W E HAVE ALL HEARD THE PHRASES “up to snuff,” “hit the mark,” “cut the mustard,” and “make the cut.” These idioms are similar in definition, indicating some process or procedure has proven to be effective. Many organizations spend a great deal of time and effort in the development stage of their business continuity plan, but too often fail to provide an appropriate avenue for testing or validating the plan. The Responsibilities section of the FFIEC’s IT Examination Handbook, Business Continuity Planning (a.k.a. FFIEC BCP Booklet) states Board and Senior Management responsibilities include, “ensuring the BCP is regularly tested on an enterprise-wide basis and reviewing the BCP testing program and test results on a regular basis.” When visiting Washington D.C. last summer, I was privileged to tour the Smithsonian National Air and Space Museum. Until that visit, I was unaware the Wright Brothers had more than one claim to fame. Their exhibit in the museum not only details their exploits in flight, but also chronicles their bicycle building and maintenance business. On display were several models, ranging from the early prototypes to the finished product. This illustration of increasing complexity is a good model to use as we begin to build our business continuity test plan. Many organizations want to develop a strong, accurate testing policy and various scenarios specific to their organization, but do not know how to get started. My usual words of encouragement are simply, “start small, but dream BIG.” The Strategies section of the FFIEC BCP Booklet expresses, “Testing objectives should start simply, and gradually increase in complexity and scope. The scope of individual tests can be continually expanded to eventually encompass enterprise-wide testing and testing with vendors and key market participants.” Your first attempt at testing should be something you are very familiar with, such as restoration of a file from your backup media. This exercise may seem trivial, but this small test verifies the viability of your enterprise backup solution. Different media types, locations, and testing frequency should be incorporated to ensure you have more than one usable backup. Another method of simplifying your BCP testing plan involves creating templates for types of tests that are performed repeatedly. Assorted scenarios can be developed and modified slightly for multiple uses. Walk-through drills provide the capability of testing separate aspects of the plan while assessing the readiness of affected individuals. Many businesses shy away from full scale (interruption) testing or what I call, ‘pull the plug’ testing. It’s good for companies to approach this level of testing with caution. The Strategies section of the FFIEC BCP Booklet states testing should not “jeopardize normal business operations.” However, if these types of events are planned and scheduled so they are not detrimental to everyday business operations, they can be extremely beneficial. Of course, value provided by this type of test is dependent on your size and complexity. Often overlooked, an important aspect of business continuity testing involves documentation and evaluation. I have questioned many individuals about their lack of documented BCP tests and they point to their forehead and say, ‘It’s all up here!’ Unless your auditors, examiners, and management are psychic, they will never see your results. Quoting the Evaluation section of the FFIEC BCP booklet, “Once tests have been executed and documented, test results should be evaluated to ensure that test objectives are achieved and that business continuity successes, failures, and lessons learned are thoroughly analyzed.” Schedule a meeting with your disaster recovery team to discuss results of your BCP testing. Celebrate successes, but focus on failures and how they can be avoided in the future. Like so many things in life, if we are not deliberate in our planning, a successful outcome is probably not going to happen. You do not want to experience a failed process restoration 24 hours after your building has blown away. Update your calendar with specific testing dates that will not be disruptive to your overall business operations. Attach reminders to these dates several days in advance to allow time for scheduling and readiness. Upon returning from vacation last summer, I did some more research on the Wright Brothers bicycling enterprise. Even though the bicycle business was moderately successful and the resulting product was skillfully produced, this business venture only lasted a few years. Why? Because the Wright Brothers’ real passion was aeronautics; the bicycle business existed to fund their experiments in flight. Following their first flight at Kitty Hawk, the Wright Brothers were focused on aeronautics research for the remainder of their lives. Similarly, once your business continuity plan is developed you never fully reach completion. An important aspect of BCP development continues to be the validation achieved through testing. How does your institution “stack up?” Is your pandemic plan “up to snuff?” Does your tornado training “cut the mustard?” Does your business continuity plan “hit the mark?” Troy Sell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, business continuity planning, IT/ GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com. By Troy Sell, Security+, CoNetrix
Made with FlippingBook
RkJQdWJsaXNoZXIy OTM0Njg2