DRP Testing, Training, and Awareness
Testing, training, and awareness must be performed for the “disaster” portion of a BCP/DRP. Skipping these steps is one of the most common BCP/DRP mistakes. Some organizations “complete” their DRP, and then consider the matter resolved and put the big DRP binder on a shelf to collect dust. This proposition is wrong on numerous levels.
First, a DRP is never complete, but is rather a continually amended method for ensuring that the organization can recover in an acceptable manner. Second, while well-meaning individuals carry out the creation and update of a DRP, even the most diligent of administrators will make mistakes. To find and correct these issues before they hinder recovery in an actual disaster, testing must be carried out on a regular basis. Third, any DRP that will be effective will have some inherently complex operations and maneuvers to be performed by administrators. There will always be unexpected occurrences during disasters, but each member of the DRP team should be exceedingly familiar with the particulars of their role in the DRP, which is a call for training on the process.
Finally, awareness of the general user’s role in the DRP, as well as awareness of the organization’s emphasis on ensuring the safety of personnel and business operations in the event of a disaster, is imperative. This section will provide details on steps to effectively test, train, and build awareness for the organization’s DRP.
DRP Testing
In order to ensure that a Disaster Recovery Plan represents a viable plan for recovery, thorough testing is needed. Given the DRP’s detailed tactical subject matter, it should come as no surprise that routine infrastructure, hardware, software, and configuration changes will alter the way the DRP needs to be carried out. Organizations’ information systems are in a constant state of flux, but unfortunately, many of these changes do not readily make their way into an updated DRP. To ensure both the initial and continued efficacy of the DRP as a feasible recovery methodology, testing needs to be performed.
The different types of tests, as well as their associated advantages and disadvantages, will be discussed below. However, at an absolute minimum, regardless of the type of test selected, these tests should be performed on an annual basis. Many organizations can, should, and do test their DRP with more regularity, which is laudable.
DRP Review
The DRP Review is the most basic form of initial DRP testing, and is focused on simply reading the DRP in its entirety to ensure completeness of coverage. This review is typically performed by the team that developed the plan, and will involve team members reading the plan in its entirety to quickly review the overall plan for any obvious flaws. The DRP Review is primarily just a sanity check to ensure that there are no glaring omissions in coverage or fundamental shortcomings in the approach.
Read-Through/Tabletop
Read-Through (also known as checklist or consistency) testing lists all necessary components required for successful recovery, and ensures that they are, or will be, readily available should a disaster occur. For example, if the disaster recovery plan calls for the reconstitution of systems from tape backups at an alternate computing facility, does the site in question have an adequate number of tape drives on hand to carry out the recovery in the indicated window of time? The read-through test is focused on ensuring that the organization has, or can acquire in a timely fashion, a sufficient level of the resources on which its successful recovery depends.
Tabletop exercises represent a more thorough type of read-through test in which the team members responsible for recovery talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder successful recovery. As in the basic read-through, the tabletop exercise still involves only team members in a room discussing the process of recovery. One distinguishing characteristic of the tabletop exercise is the use of emergency or disaster scenarios that drive the discussions of the recovery process. Various disaster scenarios can be employed to ensure sufficient coverage exists despite the different possible emergency conditions.