Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect

Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect. B.J. Block, Information Security Analyst. March 22, 2007. The University of Rochester. Private University established 1850 Current Enrollment 5,000 Undergraduate 3,500 Graduate 400 Medical

Presentation Transcript


  1. Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security Analyst March 22, 2007

  2. The University of Rochester • Private University established 1850 • Current Enrollment • 5,000 Undergraduate • 3,500 Graduate • 400 Medical • Attached Medical Center • Located in Upstate New York

  3. Disaster Recovery Best Practices

  4. Benefits of Testing • Identify oversights and errors • In the test • With the participants • Reinforce strategies and roles • Participants’ roles and responsibilities • Assure stakeholders and audit • Plan effectiveness

  5. Benefits of Testing

  6. Pre-Test Planning Guide • Gain management approval • Create a budget and acquire funding • Define test objectives and/or scope • Create a team and establish effective communication • Set date and location of test

  7. Choosing a Test • Start small and work your way up • A tabletop drill uses fewer resources, but produces lesser results • A simulation uses more resources, but your results are more in depth • Test type selected depends on your goals, environment and the risk you are willing to take on

  8. Types of Tests • ISO 17799/27001 defines six types of disaster recovery tests: • Tabletop • Simulation • Technical recovery at primary site • Technical recovery at secondary site • Test of supplier, facilities and service • Complete rehearsals

  9. Identify Test Resources • Participants • Employees, customers, etc. • Observers • Management, audit, etc. • Vendors • Hardware and software providers • Network and system resources • Equipment needed

  10. Describe Anticipated Results • Set up milestones • Identify the distinct phases of the test • Participants/observer roles • Each person has a role to fill • Set up an end point • Recovered • Timeline

  11. Debrief of Test • Lessons learned • Feedback from observers and participants • Write up for management, customer, and audit

  12. Test Results • Follow up to the debrief • Update processes and procedures • Decide on continuing efforts • Retest same test • Plan for next steps • Testing is a never-ending process

  13. Case Study: University of Rochester • Disaster Recovery Plan • Documented some systems, but not all • Parts were tested, but not all • Many pieces were in place • Needed to come together

  14. Case Study: Continued • Human Resource Computer Systems • All aspects of HR from hiring to firing and everything in-between • Size • Secure information • Legal regulations • Contractual obligations

  15. Test Planning • Leadership support for the disaster recovery test • Defined scope • One and done • Defined time frame • March 23rd • Defined team members • All players all the time

  16. Managing the Plan • Manage the leadership expectations • Redefined scope • Redefined time frame • Redefined team members

  17. Defining Scope and Timeline • Stage out testing • Tabletop February • Component/Modular March • Parallel April/May • Disaster June • Each one managed separately, but built off each other • Mitigate risk

  18. Team Composition • Members from all areas • HR, OS, DBA, Networking, Application, DR • Subject experts for each portion of the test • Open communication is a must

  19. Are we done yet?

  20. Are we done yet?

  21. Disaster Recovery Ongoing process

  22. Disaster Recovery
