Business continuity and disaster recovery plans must be tested. It is a part of every comprehensive methodology. Auditors insist. It is the scope, frequency, and amount of testing that is the greater question. How far is too far? How close to realism does an organization go?

In our experience, the first rule of testing is that it does not interrupt production IT processing or actual profit-making business processes. The costs and ramifications are too large if anything goes wrong with the test. Therefore, realism is not an option.

This leaves simulated realism, or pretend. With careful preparation, we can pretend with similar volumes of telephone calls, and normal transaction levels, using real data for a test situation. In addition, we can do so without allowing the results of our test back into the “real world.” Simulation involves isolating the testing environment, and isolating the test participants. Isolation allows:

- Practice of the recovery processes without fear of the impact of error
- Verification that all records that are required are available
- Confirmation that the documentation is complete and understandable
- Record of the problems encountered
- Affirmation that the right participants and the correct number are involved

Simulating a “real” situation and practice of recovery processes prepares the recovery team members for the “real” thing – a disaster. We must never lose sight of that objective.

In a complex and integrated environment, an enterprise test of the entire business continuity program is a massive undertaking with incredible value. While component testing verifies the correctness of each unit, and provides necessary recovery process training, there is no substitute for bringing the entire program together at one time in one place. Testing always requires a substantial investment in time, resources, and dollars. Enterprise tests require even more.

An enterprise test must be conducted in a time of lower business volumes with only the number of recovery staff that would be allowed seats in an actual recovery. Supplemental documentation and materials must be restricted to mirror the information resources that would be available in a disaster. Close monitoring of participants and careful observation are required to prevent “cheating.” It sounds harsh, but this is where realism counts. These observations need to be made at a test, so participants have the opportunity to devise other methods of recovery, validation and operations before the disastrous event really does occur. Any manipulation of this process undermines the positive results of a test.

If you cannot validate your data during the test without using information obtained from the “office,” then you have to get creative. There must be some means of verifying the validity of the test as it progresses so if there are problems with the process, they can be corrected, documented, and you can move on. Daily offsite transmissions of hash totals, critical reports, or key balance statements are some creative ways of validating data in the recovery test and during an actual recovery. The important point is that you do not need access to your primary location to obtain the information.
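One way to apply the offsite hash totals described above, as an added example that is not part of the original article: the restored data is checked against a small manifest of control totals that was computed at the primary site and sent offsite each day. The record layout, field names, sample values and the extra SHA-256 digest are assumptions made for illustration.

```python
import hashlib
from decimal import Decimal

def control_totals(records):
    """Return control totals for a batch of {'account', 'balance'} records."""
    hash_total = 0                # sum of account numbers, used only as a check
    balance_total = Decimal("0")  # key balance figure
    digest = hashlib.sha256()     # added assumption: digest over sorted records
    ordered = sorted(records, key=lambda r: r["account"])
    for rec in ordered:
        hash_total += int(rec["account"])
        balance_total += Decimal(rec["balance"])
        digest.update(f'{rec["account"]}|{rec["balance"]}\n'.encode())
    return {
        "record_count": len(ordered),
        "hash_total": hash_total,
        "balance_total": str(balance_total),
        "sha256": digest.hexdigest(),
    }

def validate_restore(manifest, restored):
    """Names of the control totals that differ from the offsite manifest."""
    actual = control_totals(restored)
    return [name for name in manifest if manifest[name] != actual[name]]

# Constructed sample data: close-of-business records at the primary site.
PRODUCTION = [
    {"account": "1001", "balance": "1200.50"},
    {"account": "1002", "balance": "310.00"},
    {"account": "1003", "balance": "87.25"},
]
# Computed daily and transmitted offsite, so it survives loss of the office.
MANIFEST = control_totals(PRODUCTION)

# Constructed restore that dropped the last record.
MISSING = PRODUCTION[:2]
# Constructed restore with two balances posted to each other's accounts:
# count, hash total and balance total still agree; only the digest differs.
SWAPPED = [
    {"account": "1001", "balance": "310.00"},
    {"account": "1002", "balance": "1200.50"},
    {"account": "1003", "balance": "87.25"},
]

if __name__ == "__main__":
    for label, data in [("clean", PRODUCTION), ("missing", MISSING), ("swapped", SWAPPED)]:
        print(label, validate_restore(MANIFEST, data) or "all totals match")
```

The swapped case shows why simple totals alone can pass a restore that is still wrong, which is worth recording in the test's observation log.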

Simulated realism is extremely difficult. It requires a tremendous effort in planning and preparation. Recovery efforts are planned for extended periods of time to respond to a wide variety of scenarios. Testing every process and every possible team member is not achievable. Therefore, your management must agree upon selection criteria that allow the testing to be performed within budget and time constraints. The preparation effort ensures that plans are current, understood, and operable for the test. Observation logs maintained by participants and monitors will document the process, gaps, time durations, and successes. Post-test activities include careful review of the logs, action item execution, and routine maintenance. Without this last step, the plans will not progress to a level of efficiency that will meet longer-term audit expectations.

Realism in testing is absolutely necessary. It is not a myth. However, testing recovery is really pretending that you have had a disaster. Therefore, testing is pretending reality. Really. Really.


Marylaine Canavan is practice leader for consulting services of Agility Recovery Solutions, the premier provider of portable on-site recovery and business continuity solutions across the United States and Canada. Formerly GE Capital IT Solutions Disaster Recovery Services, the company has operational facilities in Toronto and Atlanta, and inventory in 35 states and two provinces. For more detailed information, please visit www.Agilityrecovery.com, or www.agilityrecovery.com/direct/.