What best practices have you found for business continuity testing? Do you prefer tabletop exercises or full simulations? How often do you test without notice?

1.1k views · 4 Comments

Director of IT in Software, 201 - 500 employees
Tabletop exercises are good to do periodically and can help identify some gaps, but the best way of testing your BCP/DR plan is to test failing over the actual production systems to your DR site periodically. Ideally, you'd like to have a full DR test at least once a year and then test the most important services quarterly to make sure the plan is actually working. DR is easier to test than BCP, which will likely include other departments and executives/management, but testing it is overall more beneficial to a business than just testing the DR plan.
CEO in Software, 11 - 50 employees
The only way to know if your DR/BCP processes work is if you execute them. 

Tabletop exercises: 
Tabletop exercises are great for modeling and can identify weaknesses in plan design or process. The key to both tabletop and real-world testing is to break things during execution of the activity. Breaking things includes: the external phone service you planned to use also being down, the person coordinating (the crisis manager) being hurt, someone losing access to keys or workbooks, etc.

Real World testing:
In real-world testing you'll find out whether assumptions about network availability, service mappings, human availability, and human access to necessary leadership and resources are all working and backed up the way they need to be. As an example, it's easy to make the assumption that "we can all come into the office and create a war room". However, what happens if the office is where the disaster is?

Bottom line: anything that can break will break, and it will happen at the worst possible moment.
Chief Information Technology Officer in IT Services, 201 - 500 employees
In my area, the first step is to develop a business continuity plan that outlines the critical functions and processes of the educational institution. The plan should include information on how to respond to various scenarios, such as natural disasters, cyber attacks, and pandemics. We conduct regular testing and involve all stakeholders. It is also important to review and update the plan.
Overall, these best practices help ensure my organisation is prepared to respond to unexpected disruptions and continue to operate effectively.
Board Member in Healthcare and Biotech, 1,001 - 5,000 employees
One of my learnings was all about the B in BCP and their participation during the exercise. Left as an IT initiative, we found that while we tested the systems for specific types of transactions, there were finer nuances that we missed. This was true for full simulations; tabletop exercises rarely have the same level of rigor as full tests.

On frequency, we did one tabletop followed by an annual full simulation, every 6 months. The audit report wanted us to conduct the tabletop every quarter.

We never had any without notice, though we did have a major failure at the data center once. Fortunately we met the SLA for RPO and RTO; the lesson was that DR needs to be at 100% capacity, not the 50% loading we had created due to budget constraints and the assumption that only 50% of people would log into the systems.
