Business Continuity Plan/Disaster Recovery
-
I'm looking for thoughts on BCP and IT Disaster Recovery testing. We have a legacy mainframe and some in-house hosted apps along with some cloud services. The challenge at present is how to test some of our cloud services that we do not control. For example, a service we utilize but don't host either onsite or in the cloud. We 100% rely upon the provider to be available but it can be difficult to test during DR as some providers just say "we're still up, so test away" but we don't want to test with live data. Just curious how others handle those items and how you pass your testing and auditing of testing if you can't actually test some of those critical components with live data during annual testing scenarios.
I just started watching the new IS operations and business resiliency course for ideas. Thanks for any thoughts.
-
Hey James,
I believe in this instance there are really only 2 options that you can do in order to run your tests. Option 1 is to do a tabletop recovery plan test, which is just sitting down with the necessary people and walking through a scenario. Obviously this option is the safest as you're not taking anything down and super cheap because it's just a meeting of people.
Another option would be to do a Simulated Failover recovery plan test. All this would entail is operating as if your primary site is down but without actually taking anything down.
I unfortunately don't have any other experience with this topic. These are things I learned from my Server+ certification exam which I recently passed. Hopefully one of the great minds at ITPRO will speak to this topic as well.
-
Thanks for the input, Andrew. Much appreciated.
-
Sorry I didn't see this post earlier, and thanks to @Andrew-Despres for throwing out some ideas.
As a CISA, I can tell you that a Full test would be wonderful for your BCP and DRP, but most recovery tests fall short of a full-scale test of all operational portions of the corporation. However, this shouldn't preclude full or partial testing because one of the purposes of the disaster recovery tests is to determine how well it works.
As an auditor, I would first find out if there is any regulation that requires a full test for your organization. If not, then testing should be according to your risk strategy that is in place from your senior management. At that point you have options of DRP tests like:
- Checklist Review - Recovery checklists are distributed to all members of a recovery team to review and ensure that the checklist is current.
- Structured walk-through - Team members physically implement the plans on paper and review each step to assess its effectiveness, identify enhancements, constraints and deficiencies.
- Parallel Test - The recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.
- Full interruption test - Operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan.
When it comes to your outside vendors and how they incorporate into the BCP/DRP, one of the major components of any SLA or contract should be the responsibilities of the provider in case of disaster with THEIR equipment, infrastructure, connectivity, etc. As an IS auditor, that's what I would be looking for. If there are not clear responsibilities outlined in an SLA about business continuity/disaster recovery, we would mark down a non-conformity and suggest re-negotiating the agreement, having both parties agree to responsibilities decided ahead of time. That way, you can do a full test by simply disconnecting the vendor from your systems. Insurance and other entities will be insistent on knowing what and who is responsible for recovery.
Hope that helps, James! Feel free to post some follow-up questions if you have them.