What best practices have you found for business continuity testing? Do you prefer tabletop exercises or full simulations? How often do you test without notice?

Security & GRCBusiness Continuity & Disaster RecoverySecurity Strategy & Roadmap+1 more
1.2k views4 Comments
Sort By:
Oldest
Director of IT in Software2 years ago
Tabletop exercises are good to be done periodically and can help identify some gaps but the best way of testing your BCP/DR plan is to test failing over the actual production systems to your DR site periodically. Ideally, you'd like to have a full DR test at least once a year and then test quarterly the most important services to make sure the plan is actually working. DR is easier to be tested then BCP which will likely include other departments and executives/management but is overall more beneficial to a business than just testing DR plan.
2
CEO in Software2 years ago
The only way to know if your DR/BCP processes work is if you execute them. 

Considerations: 
Tabletop exercises: 
Tabletop exercises are great for modeling and can ID weaknesses in plan design or process. Keys to testing in Tabletop and real world testing is break things during execution of the activity. Breaking things include; The external phone service you planned to use also being down, the person coordinating/crisis manager is hurt, what happens if someone loses access to keys or workbooks, etc., etc.. 

Real World testing:
In real world testing you'll find whether assumptions of network availability, service mappings, human availability and human access to necessary leadership and resources are all working and backed up the way they need to be. As an example; it's easy to make the assumption that "we can all come into the office and create a war room". However, what happens if the office is where the disaster is? 

Bottom line, anything that can break will break and it will happen at the worst possible moment
Chief Information Technology Officer in IT Services2 years ago
In my area, the first step is to develop a business continuity plan that outlines the critical functions and processes of the educational institution. The plan should include information on how to respond to various scenarios, such as natural disasters, cyber attacks, and pandemics. We conduct regular testing and involve all stakeholders. It is also important to review and update the plan
Overall, these best practiceshelp ensure my organisation to be prepared and to respond to unexpected disruptions and continue to operate effectively.
lock icon

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

  • Peer Discussions and Polls
  • One-Minute Insights
  • Connect with like-minded individuals
Board Member in Healthcare and Biotech2 years ago
One of my learning was all about the B in BCP and their participation during the exercise. Left as an IT initiative, we found that while we tested the systems for specific types of transactions, there were finer nuances that we missed. This was true for full simulations, tabletop exercises rarely have the same level of rigor as full tests.

Frequency, we did one tabletop followed by annual full simulation every 6 months. The audit report wanted us to conduct the tabletop every quarter.

Never had any without notice, though we did have a major failure at the data center once. Fortunately we met the SLA for RPO and RTO; the learning was that the DR needs to be 100% capacity and not 50% loading which we had created due to budget constraints and assumptions on 50% people logging into the systems.

Content you might like

We are a large manufacturing company with over 17,000 associates, about half of whom have company-provided cell phones. We average two lost devices per week, which seems low, but executive management is concerned and wants to know if our numbers are typical compared to other companies. My questions are: 1. Do other companies also struggle with lost or stolen devices? 2. What is the average number of lost devices per week? 3. Are there repercussions for associates who lose devices due to carelessness or negligence?

Mobile Device Management (MDM)Mobile DevicesSecurity+2 more
VP of IT in Retail3 days ago
My previous organization implemented a strict one-strike policy for lost or damaged devices. While the first incident was considered an accident, repeat offenders were required to reimburse the company for the lost or damaged ...read more
82 views1 Comment

What is your primary deciding factor in adopting enterprise search?

Strategy & ArchitectureCloudEnd-User Services & Collaboration+26 more

TCO19%

Pricing26%

Integrations21%

Alignment with Cloud Provider7%

Security10%

Alignment with Existing IT Skills4%

Product / Feature Set7%

Vendor Relationship / Reputation

Other (comment)

View Results
5.7k views3 Upvotes1 Comment

Any recommendations for a comprehensive GenAI learning platform?

EngineeringData & AnalyticsSecurity Strategy & Roadmap+4 more
IT Manager in Constructiona month ago
Hello,
the topic is so broad, what are you focused on?
Read More Comments
4.8k views2 Upvotes5 Comments

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Applications & PlatformsCloudData & Analytics+15 more
Head of Enterprise Architecture MERCK Group in Healthcare and Biotecha year ago
Strategy & Architecture
Read More Comments
39k views5 Upvotes34 Comments

In the past 6 months, have you seen an uptick in targeted cyberattacks on telehealth devices and networks?

Security & GRCNetworkThreat & Vulnerability Management+2 more

No Increase16%

1-5% increase47%

6-25% increase24%

26-50% increase6%

51-75% increase1%

76%+1%

Other2%

View Results
1.7k views1 Upvote