Writen by Albert Streab
Disaster Recovery is not Business Continuity. Many companies do not have full business continuity plans. They say they do have business continuity plans but they really mean that they have a disaster recovery plan, usually meaning that they have alternative premises and possibly equipment that can be used in the case of a full scale disaster. Business continuity covers far more than just the IT systems. Think of all the paper records an organisation needs to continue working. Think of the most important asset of all to most organisations: its staff. Without its staff these organisation ceases to exist. A business continuity plan contains information for all staff and their activities in the case of problems affecting the organisation.
A preliminary to the testing of any plan is to establish some form of Business Continuity Group consisting of representatives from each of the main business areas, together with those responsible for finance, facilities and IT.
Once a business continuity plan exists it needs to be maintained and tested regularly. Once again, many organisations say their plan is tested but what happens is that they show that the major IT systems can be seen to be working on equipment at a disaster recovery site. Often there is no involvement other than from the IT Group.
It is essential that business continuity testing follows a risk based approach. This provides 2 main advantages. Firstly any business continuity must be aligned to the business and that the plan should be designed to cope with risks to the business. Secondly, by following a risk based testing approach to business continuity, this highlights the areas not to test, by prioritising the main risks to business and therefore identifying areas of negligible or zero risk.
Business continuity testing need not be onerous or expensive. There are a number of ways in which testing can take place; each is mentioned below.
Business continuity testing can be broken down into 2 main areas, desktop testing and physical testing.
Desktop testing can be a paper walkthrough where a group of people work through the plan looking for areas which require further work. It can also be scenario testing where a group sit and work through a scenario given to them, such as electrical failure, fire, bomb threat etc. The scenario is defined by a different group of people who then monitor the accuracy of the business continuity plan.
Physical testing means a form of business continuity testing that happens outside the conference room. This is broken down into a number of different tests. Firstly a communications test. Can everyone who needs to be notified during a problem actually be contacted? Second in physical testing is a disaster recovery test, where the IT systems are established on a secondary set of computers, and thirdly, a full relocation test, where the business areas relocate to another site. All of these tests are carried out in order to hone the business continuity plan and to provide assurance that it will be effective when required.
In summary, all business continuity plans need to be tested. Some companies believe that the testing would be too complex, time consuming or expensive. It is therefore essential to use a 3rd party group of experts to advise, help carry out and monitor the tests that are carried out. The 3rd party would also make suggestions regarding any changes believed necessary to the existing plan.
A Streeb is an experienced practitioner of business continuity testing at Acutest, an independent consultancy specialising in business continuity assurance and software testing services. For more information on this topic visit http://www.acutest.co.uk or send an email to enquires@acutest.co.uk
0 comments:
Post a Comment