Table top exercises to prove your DR and BC plans

The US president runs war games once every three to six months. The staff choose a situation, create a scenario around it, then initiate it to see what will happen.

In Australia, Jeffery Robinson, a renowned QC, created “hypotheticals”: a TV program where a given situation is used to create a process of response. If this happened, what would be the reaction from these people?

In my navy days we had the operational readiness evaluation, ORE for short. This was used to ensure and maintain a warship’s fighting capability in any number of situations. This is a slightly different process, with the use of smoke bombs and scare charges, but it was all designed to prove the readiness of the ship.

Three totally different situations to find out if something is going to work or not. In today’s business world, disaster recovery and business continuity planning are thought of as something that everyone goes through the process of, but the “it will never happen to us” attitude prevails. In addition to this, a quick restore of data to another point in the cloud or server will not prove a business continuity plan.

I think that Christchurch, Japan, Joplin and Sandy may have changed that attitude.

One of the best ways to prove a plan is to create scenarios around it to make sure it will work in all situations. How can you do that without shutting down serious and critical components of a business?

One of the best ways is to work out a number of scenarios. Get all parties in a boardroom, classroom or office, employ an external referee who brings the problems and has no understanding of your business except for what they can find on the Internet, and see what happens. Video and record everything so it can be used in the final analysis of the test.

Here are three:

  1. A new super virus has got through your external defenses and your endpoint protection and has shut down a number of servers and workstations. What do you do?
  2. A serious chemical fire has erupted two streets away from your office and has closed down your area. Your staff, clients, deliveries and products cannot go in and out for five days. What is your response?
  3. Your CEO has met with a serious accident. He will not be at work for six months, but he was in the process of securing critical funding for an expansion of the business, without which the business could fold. What do you do?

Each of these scenarios is targeted at a specific component of your business continuity plan. A role-playing or table top testing environment will see the development of the proper responses without additional impact on the business. This will define roles and positions as well as business capabilities and requirements. It will also find weaknesses in the BC plan before you have to use it in a real situation.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.
