How often should real-world DR plans be tested on production environments? I am getting blowback from my staff that the risks outweigh the benefits. I am looking to put these tests into practice while educating my staff that things can and will go wrong, which is why we do it on our timing, not when we are forced.

IT Manager in Construction, 8 months ago
For the production/live environment, this is a critical activity: you can choose between a full DR test or a test focused on the most crucial parts.
In my view, a DR should be focused on the worst scenario you can think about.

About the staff, I also see a dual approach here: you can or you can't inform them during the test.
You will get insights in both cases, but of course management must be informed early.

CISO, 8 months ago

Thank you for the comment. Yeah, I agree, and it seems my train of thought is correct with the industry. Now to just get staff buy-in; focusing on one area at a time is a good start though, thanks!

IT Manager in Construction, 8 months ago

Thanks to you Anthony!

Director in Manufacturing, 8 months ago
We do a full recovery of our SAP ERP once a year, which also includes logins by our business people in HR, Finance, Accounting (Receivables and Payables). If it’s really a business-critical application, you better confirm you can get it functional again and confirm how long it takes.
CISO, 8 months ago

Thank you for your input. Ideally, I would like to get a few tabletop exercises and VM test environment simulations done and a full DR in prod once a year.

IT Manager in Construction, 8 months ago
Hello, in my view 1 time per year is enough.
CIO in Manufacturing, 8 months ago
Test business critical environments annually. Assuming you have performed a BIA, you need to know that you can recover on the established RTOs and RPOs.
CISO, 8 months ago

Thank you, this is where I am aiming to get to.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 8 months ago
I concur.

Test annually, and whenever you make a major change to your infrastructure or business processes. Most see the utility of testing when you go from physical to virtual servers or something similar, but changes in business process can be more material.  The DR plan should address recovery time objectives (RTOs), an estimate of how fast key systems can be restored. The order of restoration should be derived from the system’s importance to specific business processes, think welding robot software for an auto assembly line.  If your company is pivoting to make sweaters, then the welding robot software which previously was essential won’t be used any longer. The software supporting sweater production is now critical, so a revised DR plan and a new test is required.

As far as the person pushing back on testing - ask the naysayer if they are willing to accept responsibility (in writing) for the company’s inability to function after an incident.