What best practices have you found for business continuity testing? Do you prefer tabletop exercises or full simulations? How often do you test without notice?
Director of IT in Software, 2 years ago
Tabletop exercises are good to be done periodically and can help identify some gaps, but the best way of testing your BCP/DR plan is to test failing over the actual production systems to your DR site periodically. Ideally, you'd like to have a full DR test at least once a year and then test quarterly the most important services to make sure the plan is actually working. DR is easier to test than BCP, which will likely include other departments and executives/management but is overall more beneficial to a business than just testing the DR plan.
CEO in Software, 2 years ago
The only way to know if your DR/BCP processes work is if you execute them. Considerations:
Tabletop exercises:
Tabletop exercises are great for modeling and can ID weaknesses in plan design or process. The key to tabletop and real-world testing is to break things during execution of the activity. Breaking things includes: the external phone service you planned to use also being down, the person coordinating/crisis manager being hurt, what happens if someone loses access to keys or workbooks, etc.
Real World testing:
In real-world testing you'll find whether assumptions of network availability, service mappings, human availability and human access to necessary leadership and resources are all working and backed up the way they need to be. As an example, it's easy to make the assumption that "we can all come into the office and create a war room". However, what happens if the office is where the disaster is?
Bottom line: anything that can break will break, and it will happen at the worst possible moment.
Chief Information Technology Officer in IT Services, 2 years ago
In my area, the first step is to develop a business continuity plan that outlines the critical functions and processes of the educational institution. The plan should include information on how to respond to various scenarios, such as natural disasters, cyber attacks, and pandemics. We conduct regular testing and involve all stakeholders. It is also important to review and update the plan. Overall, these best practices help ensure my organisation is prepared to respond to unexpected disruptions and continue to operate effectively.
Board Member in Healthcare and Biotech, 2 years ago
One of my learnings was all about the B in BCP and their participation during the exercise. Left as an IT initiative, we found that while we tested the systems for specific types of transactions, there were finer nuances that we missed. This was true for full simulations; tabletop exercises rarely have the same level of rigor as full tests. Frequency: we did one tabletop followed by annual full simulation every 6 months. The audit report wanted us to conduct the tabletop every quarter.
Never had any without notice, though we did have a major failure at the data center once. Fortunately we met the SLA for RPO and RTO; the learning was that the DR needs to be 100% capacity and not 50% loading, which we had created due to budget constraints and assumptions on 50% of people logging into the systems.