Business Continuity Testing #BCAW2016 day 3

News and information from the Advent IM team.

Another post from Del Brazil – Advent IM Security Consultant for Business Continuity Awareness Week 2016

The author has recently posted an article about the importance of business continuity to an organisation and how it can help to ensure its survival in the event of a major disruptive event. All business continuity plans must be tested to assess their effectiveness, whether they are appropriate to the business needs and that all staff are aware of their responsibilities and actions in the event that a plan in invoked.

Image courtesy of surasakiStock at FreeDigitalPhotos.net

Image courtesy of surasakiStock at FreeDigitalPhotos.net

A prime example would be a business which has recently moved to a cloud based service and yet their business continuity plans still reflect that they host their own environment or provide their own IT services. Should this plan be invoked, the likelihood of it being able to assist the business to sustain its critical business outputs, is minimal.

The recent events at Manchester United’s Old Trafford football stadium is another prime example, of when planning business continuity or disaster recovery exercises can go drastically wrong. It has emerged that the external security firm organising the previous weekends tests, failed to recover all of their test equipment, resulting in the training Improvised Explosive Device (IED) actually being treated as real. This caused the match to be abandoned and the stadium evacuated, even before the teams had taken to the field. This not only caused embarrassment to the external security firm tasked to arrange the exercise but also the club. This is far outweighed by the cost and inconvenience to the supporters of both teams. The policing agencies were left with no choice but to treat the dummy IED as a potential real time incident, culminating in a controlled explosion taking place. Clearly, there was a failure in not only the planning of the test but also in its execution. The external security firm has admitted to failing to correctly collect all of the dummy IED and also to signing official documentation stating that all dummy IEDs have been recovered.

Although the evacuation of the stadium was carried out in a safe and controlled manner and in line with any documented plan, it was clear that the failure was in the planning of the previous weekend’s exercise and that any pre-match security checks failed to highlight or discover the dummy IED. There are clear lessons to be learned here and the author is sure that as he writes this blog that an analysis of the events is taking place, with rectification measures being highlighted.

A crucial element to any business continuity process is the planning and execution of a sensible testing regime. There are many methods of testing business continuity plans but the main ones are detailed below:-

1. Document Check – This ensures that the personnel nominated at key players in the execution of the plan are still within the organisation and that their contact details are correct.
2. Desktop Exercise – This is the most common exercise as it provides a degree of assurance that those personnel assigned specific business continuity roles, are aware of their roles and that any plans are effective ‘on paper’.
3. Walk Through Exercise – This is the next step after the Desktop Exercise, as this provides a further level of assurance that the necessary equipment is available and that staff fully understand their role during a disruptive event.
4. Partial Test – A Partial Test is potentially a more disruptive exercise as without careful planning which includes all of the previous exercises/tests the impact the day to day operations maybe severely impacted if all departments are not aware of the exercise taking place. This involves a portion, element or department of the organisation being ‘turned off’ or being unavailable. The intention is to test the functionality and effectiveness of a specific part of a business continuity plan.
5. Full Test – Full Test of an organisation’s business continuity plan is not to be considered lightly, as it has the potential to have a substantial impact on the critical business outputs if not correctly planned. As the title states, it’s a full test of the business continuity plan which may involve making the premises unavailable to staff for example, thus testing the Estates Business Continuity Plan with a view to potentially occupying alternative premises or instructing staff to work from home.
As with anything business continuity related, planning is essential as any failure of any area of the plan may result in the organisation being unable to recover from a disruptive event. The same can be said for any testing regime that may be considered, the golden rule with testing is ‘Little Impact – High Frequency as opposed to High Impact – Low Frequency.’ A prospective testing regime may look like:-

  • January Document check
  • February Document check Desk Top Exercise
  • March Document check Walk Through Test
  • April Document check Desk Top Exercise
  • May Document check Partial Test
  • June Document check Desk Top Exercise
  • July Document check Walk Through Test Full Test
  • August Document check Desk Top Exercise
  • September Document check Partial Test
  • October Document check Desk Top Exercise
  • November Document check Walk Through Test
  • December Document check

iStock_000015534900XSmallThe above list is only a guide as dependent upon the organisation, this regime may not be possible due to working practices or business outputs.

It is imperative that during any exercise that a record of events is maintained in order for a ‘lessons learned’ meeting to take place after the event. This not only provides assistance in identifying areas that need to be addressed, but also provides a clear audit trail for any certification purposes whether it be for ISO 22301 – Business Continuity Management or ISO 27001- Managing Information Security Management Systems.

The best advice the author can give in this blog is to test on a regular basis but ensure that any test is comprehensively planned and that any planning regime follows a logical sequence. In essence if you fail to plan then your plan is likely to fail.

Share this Post

%d bloggers like this: