1. BCS 307 - BUSINESS CONTINUITY PLANNING
JOHN AMBELE MWAIPOPO
INFORMATION SCIENCE DEPARTMENT
JORDAN UNIVERSITY COLLEGE
2. Training, Testing, and Auditing
Layout of this Lecture
• Training for emergency response, disaster recovery, and business continuity
• Testing your business continuity and disaster recovery plan
• Performing IT systems audits
3. Introduction
Training includes training staff on their roles and responsibilities related
to the BC/DR plan as well as training them in the specific skills they’ll
need to carry out their roles effectively.
Testing is the process of testing the plan, and there are various methods
for doing so.
Then there is the process of auditing the IT systems that form the foundation
of most BC/DR plans.
There’s an interrelationship between testing, training, and auditing.
Training, testing, auditing, and plan maintenance are all bound together.
Business continuity and disaster recovery project progress.
4. Testing the plan trains staff and maintains the plan.
Training staff tests and maintains the plan.
As you train staff and test your plan, you will find areas that require
modification.
These modifications are made through the change management process
defined as part of the plan maintenance phase.
The information you glean from training and testing can be extremely
useful in honing your plan in advance of a disruptive event.
Testing and training go hand in hand.
Training, testing, and auditing activities.
5. Training For Disaster Recovery And Business Continuity
There are two distinct parts of disaster recovery and business continuity training.
The first is the actual physical response to the disruption or emergency.
It involves evacuating a building if there’s a fire, grabbing a fire extinguisher to douse
a fire in the server room, or finding the water main if there’s flooding inside the
building.
These actions all require some basic training, so responders know what to do and
how to do it safely.
The second aspect of training has to do with ensuring that the various response
teams know how to implement the BC/DR plan and that they have the skills needed
to do so.
For example, provide periodic training for IT staff so they can stay up to date on the
latest threats and security measures or training for alternate BC/DR staff on
performing a system restore and verification routine.
6. Emergency response
The BC/DR team should have an emergency response team (ERT) identified, and these
team members should be trained in appropriate emergency response activities.
Each company should identify the likely emergency responses needed and provide
training in these activities.
If your firm is located in an area prone to flooding, earthquakes, hurricanes, or
tornados, you should provide training in emergency response related to these
events.
Basic first aid and CPR (Cardiopulmonary resuscitation) training should be part of all
emergency responders’ training, and some companies find it useful to provide this
training to all employees.
Specialized skills for the ERT might include firefighting techniques or building
evacuation procedures.
7. Emergency response
Specialized skills require training in order to protect the safety of the responders
and to enable the responders to be effective.
Your local fire or police department may provide this type of training or may be
able to recommend firms that provide this type of training.
The BC/DR plan should include the designation of an ERT as well as a list of required
training/skills, certification requirements (if any), and periodic refresher
courses.
The ERT leader should be responsible for managing this.
He or she should ensure team members have the training and/or certifications
required and should arrange for the periodic testing and refreshing of these skills.
8. Disaster recovery and business continuity training overview
Disaster recovery is a crucial step that can mean the difference
between the company’s eventual recovery and failure.
Training can help improve the chances for eventual success.
Disaster recovery and business continuity training includes
defining the scope and objectives for the training, performing a
needs assessment (gap analysis), developing training,
scheduling and delivering training, and monitoring/measuring
training.
You may choose to perform training while testing your plan.
9. Training scope, objectives, timelines, and requirements
Develop a training project plan that ties in with the BC/DR project plan.
The training plan should include a statement of scope (what is and is not
included) as well as a list of high-level objectives.
These objectives should include objectives for each of the implementer
groups (emergency responders, crisis management team (CMT), damage
assessment team, disaster recovery team, etc.).
Timelines for training various teams should be developed.
Keep in mind that some people may be members of more than one team, so
training schedules and training subjects should take that into consideration.
Then, develop requirements for training that meet those objectives.
10. Training For Disaster Recovery And Business Continuity
Computer incident response team (CIRT).
Develop scope, an objective statement, a timeline, and a set of requirements for your training.
As you test your project plan, you will also find areas that should be addressed by training.
Revise these plans once or twice as you go through the training and testing phases.
11. Performing training needs assessment
The needs assessment phase is essentially a gap analysis.
Review current skill sets against required expertise to carry out various functions and determine
what sort of training would best fill the gap.
Training needs become evident during the testing of the plan.
As you test your plan, you’ll see areas where specialized or updated skills and knowledge will be
required to successfully execute the plan.
Make note of these potential skill gaps during your plan testing and circle back to include these in
your training plans.
A training needs assessment should be performed on the same periodic basis as your plan testing
schedule or on some other periodic basis.
People leave the company, are promoted, or change jobs.
You need to ensure that at any given moment, your organization has the skills it needs to
implement your BC/DR plan successfully.
12. Developing training
Companies have limited time or funds available for training, much less for BC/DR
training.
Companies that train their employees benefit not only from improved productivity but
greater loyalty as well.
Targeted training to maintain or improve skills, especially those related to mission-
critical business functions, can be accomplished relatively quickly and often at a
reasonable cost.
As with other risk factors in BC/DR planning, the risk of having untrained personnel
can easily be mitigated through training, and it may also help drive productivity
within the organization.
When developing training, create clear, specific, measurable outcomes.
A measurable outcome means that it either was or was not accomplished.
13. Developing training
Either Veronica can restore the database from backups using the written
procedures or she can’t.
Either Baraka can safely shut power off to the manufacturing floor or he can’t.
Keep in mind that not all training for your BC/DR plan will be extensive
training.
Some may be as simple as showing Sylivester where the power shutoff is and
how to perform a power shutdown for the manufacturing floor.
Other training, such as how to restore various IT systems that are closely
integrated or interconnected, may require training in several knowledge areas
as well as hands-on experience.
14. Developing training
Training should provide some sort of materials (printed, soft copy, Web
based, etc.) that capture and reinforce the skills and knowledge
presented.
The training should also be designed to use several elements such as
written, classroom lecture, hands-on (lab), and field (exercises).
Use a final quiz or exam to ensure students have grasped the key
concepts and can apply them appropriately.
The final test or exam should reflect the training outcomes identified.
15. Scheduling and delivering training
Scheduling and delivering training is a secondary challenge after getting the training
budget approved.
Find various training programs online that people can attend on their own schedule.
If you use a flexible online learning system (either your own or an external one), be sure
to set timelines and test for knowledge along the way.
Some online courses are better than others, and some test knowledge better than others.
Verify the quality of the training in advance and find ways to verify that students learned
the required materials.
If you develop training that moves quickly and is interesting, engaging, and relevant to the
students, it’s much more likely you’ll be able to get students to attend your training
sessions.
Get the training scheduled and delivered in a reasonable timeframe.
16. Monitoring and measuring training
The first step in monitoring and measuring training is the development of
clear objectives and outcomes for the training.
If you don’t know what should be accomplished in training, you won’t be
able to determine if the training was effective.
Exams and hands-on demonstrations of skills can be extremely effective
in testing and verifying knowledge.
For physical skills such as using a fire extinguisher or performing CPR, both a
test of knowledge and a demonstration of skills are best.
Logical skills are those such as restoring a server or verifying user permissions.
17. Monitoring and measuring training
Verify that the training occurred and that several basic concepts were
retained by students.
Monitoring involves ensuring key personnel have actually attended
required training and have not somehow accidentally fallen through the
cracks.
If staff members leave or move into different positions, replacements
need to be trained, so you need to develop some method of periodically
checking your key BC/DR staff positions and ensure individuals are still in
place and ready to perform their assigned BC/DR duties.
These vary widely from one company to the next.
18. Training and Testing For Your Business Continuity And
Disaster Recovery Plan
There are four basic ways to train staff regarding the BC/DR plan, and these also test the plan.
These are paper walk-throughs (or tabletop exercises), functional exercises, field
exercises, and full interruptions.
Team leaders need to know how and when to activate the plan as well as how to
notify, assemble, and manage their teams.
They need to know how to:
• Use the plan effectively.
• Understand their individual and team roles and responsibilities.
• Notify, assemble, and manage their team members.
• Operate as a cross-functional team member.
• Communicate across organizational boundaries in a stressful situation, often without
the aid of common communication tools such as phones, e-mail, or other devices.
19. The most basic part of the training is understanding the plan and how to utilize it.
The role of training is both to familiarize people with the plan elements and
processes and to reinforce the basic knowledge of the plan.
The plan document is accessible immediately upon notification of a
disruptive event and someone starts managing the plan.
Having a team well versed in the initial steps of the plan will provide an
effective early response.
Everyone involved with the BC/DR implementation needs to understand
their specific roles and responsibilities once a plan is activated.
Training should address both the BC/DR process itself as well as the specific
skills needed by team members to be effective in their designated roles.
20. For example, a database administrator may be part of the IT damage assessment
team.
He/She may be an outstanding DBA but may not have the specific skills to know how
to approach the IT damage assessment process.
He/She should be trained in the process of performing the IT damage assessment as
well as in the overall BC/DR process.
That way, he/she will understand how and when the IT damage assessment is
performed, how it impacts other BC/DR activities, and how to perform the duties of
that role.
Team leaders head up their individual teams (be sure to assign alternates or backups
for key roles) and they must also be able to work effectively as part of the ERT
(Emergency response team) or CMT (Crisis management team).
That means there has to be a leader assigned or selected for the CMT.
21. Training should address the communication needs across the
organization.
There are numerous communication needs throughout the life-cycle of
a disaster and the team should understand this.
Training should address the various communication groups (groups to
whom the CMT should communicate), the appropriate frequency and
content of the communication, and the appropriate distribution
mechanism.
Four commonly used methods of training: paper walk-throughs,
functional exercises, field exercises, and full interruptions
22. Training and Testing For Your Business Continuity And
Disaster Recovery Plan
Relative disruption and accuracy of BC/DR plan test methods.
23. Paper walk-through
If you can manage to schedule a paper walk-through of your BC/DR
plan once a year, you’ve scored a major victory.
You want to know if your BC/DR plan will work if needed, and the only
way to determine that is to test it out.
A paper walk-through will take time to step through but it’s time well
spent.
There are eight discrete steps you can take to run an effective paper
walk-through.
These steps also apply to the other types of training (functional, field,
etc.).
24. Steps taken to run an effective paper walk-through.
1. Develop realistic scenarios
The first step is to develop realistic scenarios based on those risks determined by
your assessment to be the highest risk, highest likelihood, and highest impact for
your walk-through.
Focus on the things most likely to occur.
Start with a fire in the building, since statistically speaking, that’s the disaster
most likely to strike businesses.
Create scenarios that involve your highest risk/impacts.
Remember, you will likely need to perform several walk-throughs based on
various threats.
25. 2. Develop evaluation criteria
The key to any successful test of your plan, whether it’s a paper walk-
through or a full interruption, is to have criteria by which you’ll evaluate the
success of that training.
For your paper walk-through, you might develop criteria that include:
• How well participants were able to follow and utilize the plan.
• How well participants were able to communicate across team lines.
• How well the checklists or defined steps worked to achieve the stated
objectives.
• How confident participants felt with their implementation of the plan.
• How confident participants feel about implementing the plan in the future.
26. 3. Provide copies of the plan
Members of the CMT should be given the latest copies of the plan in advance of the walk-
through.
They should be required to look through the plan prior to the walk-through.
Individual team members who might be participating, such as the ERT, should be provided their
section of the plan.
Create a flowchart of your plan’s processes in order to help individual team members visually
see and understand how things should proceed.
Sample flowchart of BC/DR plan (partial).
27. 4. Divide participants by team
Members of each team need to sit together in a walk-through.
This makes it easy to follow the flow of the walk-through and helps team members confer or make
notes among themselves.
It also reduces cross-talk and interruptions.
Team members should attend the training and work alongside their counterparts.
Vendors designated as team members should also be included in the training.
5. Use checklists
Provide copies of these checklists and ensure the team uses these checklists.
If they find steps that are out of order, missing, or redundant, they can correct the
checklists quickly.
Checklists help maintain direction and forward progress during the walk-through.
28. 6. Take notes
Someone should be tasked with keeping notes about the overall flow, level of readiness,
gaps in the plan, ambiguities, procedural errors, etc.
If you run the walk-through with various teams, each team should be responsible for
keeping notes on their process and their section of the plan as well.
7. Identify training needs
Keep an eye open for additional training needs as you train staff in the use and
implementation of the plan.
Ask training participants to make a note of any skills they believe they need in order to
effectively carry out the BC/DR plan.
Identify skills gaps and develop a list of training needs from these run-throughs.
Prioritize and sort through the training requests to determine what is high priority and
what can wait (or is not needed) on the long wish list of requests.
29. 8. Develop summary and lessons learned
At the end, compile and summarize the notes collected.
Summarize the lessons learned from the exercise and schedule a follow-up meeting.
This follow-up meeting should be held a day or two after the walk-through (i.e., not
immediately following the walk-through, but not 4 weeks later) so that participants have
a chance to think about the walk-through and bring their thoughts, suggestions, and
feedback to the follow-up meeting.
Use the data collected from this process to modify future walk-through sessions and to
modify the BC/DR plan as needed.
Flag your team members in such a manner that if someone leaves or is promoted, you either
notify the alternate or designate and train a replacement.
30. Functional exercises
Functional exercises train staff in critical procedures or functions needed to
respond to and address the disruption.
They are used to test some of the plan’s functionality.
Plan a field exercise or full-scale interruption to test all the functionality.
Perform a paper walk-through along with functional exercises.
They make use of scenario-based scripts and run for 2-3 hours.
The ERT and CMT teams have to respond to the scripted events using their
training and BC/DR plan.
31. Have clear objectives and outcomes identified for functional exercises training.
An example is teaching staff how to restore a database from the cloud, pulled across the
Internet from a remote data vault. List the key knowledge you expect staff to gain. This
might include:
• How to determine that the database needs to be restored (i.e., is the local copy destroyed,
corrupted, offline, etc.)
• How to access the data vault backups (location, login credentials, accessing data, etc.)
• How to restore the data (what order, what locations, what settings, etc.)
• How to verify the restore (verification of file names, sizes, locations; sample test scripts,
etc.)
A functional test of the BC/DR plan follows the same path. To test some of the functions
of your plan, develop step-by-step instructions and have participants use those steps to
test the function.
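The "verify the restore" step above can be scripted. The following is an added example, not part of the lecture: it records a manifest of file names, locations and sizes at backup time and checks a restored tree against it. The SHA-256 comparison goes beyond the names, sizes and locations the slide lists, and all file names and data are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHECKS = ("missing", "unexpected", "size_mismatch", "content_mismatch")


def build_manifest(root):
    """Map each file's relative path (name and location) to its size and SHA-256."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = {"size": os.path.getsize(full), "sha256": digest.hexdigest()}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    findings = {check: [] for check in CHECKS}
    for rel in sorted(manifest):
        actual = restored.get(rel)
        if actual is None:
            findings["missing"].append(rel)            # wrong location or never restored
        elif actual["size"] != manifest[rel]["size"]:
            findings["size_mismatch"].append(rel)      # truncated or partial restore
        elif actual["sha256"] != manifest[rel]["sha256"]:
            findings["content_mismatch"].append(rel)   # right size, corrupted content
    findings["unexpected"] = sorted(set(restored) - set(manifest))
    findings["passed"] = not any(findings[check] for check in CHECKS)
    return findings


def write_file(root, rel, data):
    """Helper for the constructed scenario: write data to root/rel, creating folders."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario: a restore with three deliberate defects."""
    work = tempfile.mkdtemp(prefix="restore_check_")
    try:
        source = os.path.join(work, "source")
        restored = os.path.join(work, "restored")
        files = {
            "db/orders.dat": b"order-rows" * 100,
            "db/customers.dat": b"customer-rows" * 50,
            "db/index.dat": b"A" * 64,
            "conf/db.ini": b"[db]\nport=5432\n",
        }
        for rel, data in files.items():
            write_file(source, rel, data)
        manifest = build_manifest(source)              # taken at backup time
        shutil.copytree(source, restored)              # stands in for the restore
        write_file(restored, "db/orders.dat", files["db/orders.dat"][:500])  # truncated
        write_file(restored, "db/index.dat", b"B" * 64)                      # altered
        os.rename(os.path.join(restored, "conf", "db.ini"),
                  os.path.join(restored, "db.ini"))                          # misplaced
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for check, value in run_demo().items():
        print(check, value)
```

In a functional exercise, the trainee passes only when `passed` is true, which matches the "either she can or she can't" outcome the lecture asks for.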
32. Field exercises
Field exercises involve fairly realistic exercises based on likely scenarios.
From time to time, local emergency responders (LER) exercise their skills by
practicing scenarios using full-scale field exercise.
Companies practice their emergency and disaster recovery response using full-
scale field exercises by coordinating such exercises with local emergency
responders (LER).
LER may test their skills and train your staff in the process.
Having this excellent resource will help test and hone your skills and also provide
valuable input into your disaster planning.
Most companies barely have the time or resources to do an annual paper
walkthrough of their plan, so it’s not likely you’ll be able to run through a real-world
33. If your company works in a dangerous industry (hazardous chemicals, explosives,
power, etc.), you may want (or be required by law) to perform field exercises to
assess and improve readiness.
It’s not until a situation is unfolding, even in a simulated manner, that some
problems with a plan come to light.
Paper walk-throughs and functional exercises may leave knowledge gaps or plan
problems that you just won’t know about until a real situation presents itself.
Field exercises can reduce the risk of plan gaps but at a much greater expense of
time and resources.
For some companies, this investment makes sense.
34. Full interruption test
Like a field exercise, a full interruption test can be for the organization or just for
specific systems within the organization.
It activates all components of the plan and interrupts all mission-critical functions.
The full interruption test will also activate the alternate work sites or facilities and
off-site storage facilities, and the plan is actually implemented in whole.
This type of full interruption test can be announced or unannounced.
Clearly, an unannounced test simulates a real disruption or disaster more
accurately than an announced test, but is also more disruptive.
Most companies are unlikely to be willing to disrupt their operations long enough
to perform a full interruption test.
35. There are numerous reasons for testing the plan.
The clear reason is making sure the plan will work in the event of a real disruption or disaster.
Testing serves these purposes:
• Checks for understanding of processes, procedures, and steps by those implementing the plan.
• Validates the integration of tasks across the various business units and management
functions.
• Confirms the steps developed for each phase of the plan’s implementation.
• Determines whether the right resources have been identified.
• Familiarizes all involved parties with the overall process and flow of information.
• Identifies gaps or weaknesses in the plan.
• Determines cost and feasibility.
Training will test the plan.
Testing BC/DR Plan
36. Test evaluation criteria
Develop clear evaluation criteria for your tests before embarking on the testing
phase.
Create test criteria by going through various checklists or steps in your BC/DR plan
and create corresponding questions.
An example involving the notification step in the activation of the plan:
1. Was the primary team member able to begin the notification process successfully?
2. How many team members were contacted?
3. How long did it take to notify team members?
4. Were there any missing or incorrect phone numbers?
5. How many team members were contacted via their primary methods vs. alternate
methods?
37. 6. How many team members were not on the notification list?
7. Were there any names on the notification list that should not have been?
8. Would this have worked if phone systems were out?
Create a set of questions for each phase of the plan and use these to evaluate the test
results.
Measure the performance against the ability to complete each step, the thoroughness
of each step, the effectiveness of each step, and the accuracy and validity of each step.
Recommendations
Develop recommendations based on test results.
Recommendations result in modifications to the BC/DR plan and other areas.
For example, you might find areas in which staff needs additional training. You might
find through these tests that there are areas of the business not included in the plan.
38. An audit is the systematic examination against defined criteria.
Where companies are required to comply with laws or regulations, audits must be
performed.
Audits may help your BC/DR planning and may need to be included in your plan.
IT SYSTEMS AND SECURITY AUDITS
Auditing IT systems involves a set of tasks that help reduce the risk of an intrusion or
attack.
Audits are concerned primarily with ensuring the company maintains data
confidentiality, integrity, and availability, because these are the areas that typically
come under attack.
These risks can disable a company’s critical business functions, disable the
company’s entire operations, and create a significant legal or financial liability for
the firm as well.
Performing IT Systems and Security Audits
39. An IT systems audit typically focuses on conducting a systematic evaluation of the
security of various IT systems by measuring how well they conform to established
criteria or requirements.
It includes an assessment or review of the network and systems’ physical
configuration and environment, the configuration of the software, the handling
(storage, transport, access, etc.) of data, sensitive data in particular, and user access.
Security audits are often performed in conjunction with compliance efforts.
Hardening systems is a risk mitigation strategy that is employed by virtually every
company using IT systems today.
Hardening systems consists of taking actions to minimize the attack footprint of a
system or network.
40. This includes actions such as removing network protocols not in use, disabling ports
or services not being used, removing unused user accounts, reducing permissions to
the least possible, and automating the updating of antivirus and antispyware data
files, to name just a few examples.
Systems auditing includes several key elements:
• Ensuring IT risk mitigation strategies are in place and properly
implemented/configured.
• Ensuring systems identified by the BC/DR plan are still in place and functioning.
• Identifying areas where new technology has been implemented and may not be
incorporated into the BC/DR plan.
• Identifying areas where technology has been retired or modified, resulting in the need
to revise the BC/DR plan.
• Reviewing the processes identified in the BC/DR plan with respect to IT systems to
ensure the steps and processes are still correct, complete, and relevant.
41. • Verifying the IT incident response team (CIRT, CERT) is intact, with a clear understanding of
roles, responsibilities, and how to implement the IT-specific segments of the BC/DR
plan.
• Reviewing data regarding various systems to ensure they are compliant with the
BC/DR plans. These systems include operating systems, networking and
telecommunications equipment, database and applications, systems backups, security
controls, integration, and testing. Any of these areas is subject to frequent change.
An audit can help assure the BC/DR plan will still work if implemented.
The key is to identify how IT systems have changed (or remained the same) and assess
how and where that impacts the BC/DR plan.
Most IT systems are not static and even gradual changes over time can end up
creating a significant change to the way a BC/DR plan must be implemented.
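The audit elements above (systems still in place and functioning, new technology missing from the plan, retired or modified technology, and hardening by closing unused ports) can be checked mechanically. This is an added example, not part of the lecture: it compares the systems a BC/DR plan lists against a current inventory export. The system names, field names and port numbers are constructed for illustration.

```python
# Constructed sample data: what the BC/DR plan records for each system.
PLAN = {
    "erp-db":     {"role": "database",     "version": "14",   "backup": "nightly", "ports": {5432}},
    "file-srv":   {"role": "file server",  "version": "2019", "backup": "nightly", "ports": {445}},
    "mail-gw":    {"role": "mail gateway", "version": "3.8",  "backup": "weekly",  "ports": {25, 587}},
    "legacy-fax": {"role": "fax server",   "version": "1.2",  "backup": "weekly",  "ports": {4559}},
}

# Constructed sample data: what an inventory export shows at audit time.
INVENTORY = {
    "erp-db":   {"role": "database",     "version": "16",   "backup": "nightly",
                 "ports": {5432, 23}, "status": "running"},
    "file-srv": {"role": "file server",  "version": "2019", "backup": "none",
                 "ports": {445}, "status": "running"},
    "mail-gw":  {"role": "mail gateway", "version": "3.8",  "backup": "weekly",
                 "ports": {25, 587}, "status": "stopped"},
    "chat-app": {"role": "messaging",    "version": "5.1",  "backup": "none",
                 "ports": {443}, "status": "running"},
}

COMPARED_FIELDS = ("role", "version", "backup")


def audit_plan(plan, inventory, fields=COMPARED_FIELDS):
    """Return the differences between the plan's view of IT systems and the inventory."""
    findings = {
        "retired_but_in_plan": [],  # plan depends on a system that no longer exists
        "not_in_plan": [],          # new technology the plan does not cover
        "not_functioning": [],      # still present but not running
        "modified": {},             # system -> {field: (plan value, current value)}
        "unneeded_ports": {},       # system -> ports open but not required by the plan
    }
    for name in sorted(plan):
        current = inventory.get(name)
        if current is None:
            findings["retired_but_in_plan"].append(name)
            continue
        if current.get("status") != "running":
            findings["not_functioning"].append(name)
        changes = {
            field: (plan[name].get(field), current.get(field))
            for field in fields
            if plan[name].get(field) != current.get(field)
        }
        if changes:
            findings["modified"][name] = changes
        extra = sorted(set(current.get("ports", ())) - set(plan[name].get("ports", ())))
        if extra:
            findings["unneeded_ports"][name] = extra
    findings["not_in_plan"] = sorted(set(inventory) - set(plan))
    # Any of these three means the plan text itself is out of date.
    findings["plan_needs_revision"] = bool(
        findings["retired_but_in_plan"] or findings["not_in_plan"] or findings["modified"]
    )
    return findings


if __name__ == "__main__":
    for key, value in audit_plan(PLAN, INVENTORY).items():
        print(f"{key}: {value}")
```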