Disaster Recovery and Business Continuity
Plan Testing: Practice Makes Perfect
B.J. Block, Information Security Analyst
March 22, 2007
University of Rochester
The University of Rochester
o Private University established 1850
o Current Enrollment
  • 5,000 Undergraduate
  • 3,500 Graduate
  • 400 Medical
o Attached Medical Center
o Located in Upstate New York
Disaster Recovery Best Practices
Benefits of Testing
o Identify oversights and errors
  • In the test
  • With the participants
o Reinforce strategies and roles
  • Participants’ roles and responsibilities
o Assure stakeholders and audit
  • Plan effectiveness
Pre-Test Planning Guide
o Gain management approval
o Create a budget and acquire funding
o Define test objectives and/or scope
o Create a team and establish effective communication
o Set date and location of test
Choosing a Test
o Start small and work your way up
  • A tabletop drill uses fewer resources but produces less detailed results
  • Simulations use more resources, but your results are more in depth
o The test type selected depends on your goals, your environment and the risk you are willing to take on
Types of Tests
o ISO 17799/27001 defines six types of disaster recovery tests:
  • Tabletop
  • Simulation
  • Technical recovery at primary site
  • Technical recovery at secondary site
  • Test of supplier, facilities and service
  • Complete rehearsals
Identify Test Resources
o Participants
  • Employees, customers, etc.
o Observers
  • Management, audit, etc.
o Vendors
  • Hardware and software providers
o Network and system resources
  • Equipment needed
Describe Anticipated Results
o Set up milestones
  • Identify the distinct phases of the test
o Participant/observer roles
  • Each person has a role to fill
o Set up an end point
  • Recovered
  • Timeline
Debrief of Test
o Lessons learned
  • Feedback from observers and participants
  • Write-up for management, customer, and audit
Test Results
o Follow up to the debrief
  • Update processes and procedures
  • Decide on continuing efforts
  • Retest the same test
  • Plan for next steps
o Testing is a never-ending process
Case Study: University of Rochester
o Disaster Recovery Plan
  • Documented some systems, but not all
  • Parts were tested, but not all
  • Many pieces were in place
  • Needed to come together
Case Study: Continued
o Human Resource Computer Systems
  • All aspects of HR from hiring to firing and everything in between
  • Size
  • Secure information
  • Legal regulations
  • Contractual obligations
Test Planning
o Leadership support for the disaster recovery test
  • Defined scope
    • One and done
  • Defined time frame
    • March 23rd
  • Defined team members
    • All players all the time
Managing the Plan
o Manage the leadership expectations
  • Redefined scope
  • Redefined time frame
  • Redefined team members
Defining Scope and Timeline
o Stage out testing
  • Tabletop: February
  • Component/Modular: March
  • Parallel: April/May
  • Disaster: June
o Each one managed separately, but built off each other
o Mitigate risk
Team Composition
o Members from all areas
  • HR, OS, DBA, Networking, Application, DR
o Subject experts for each portion of the test
o Open communication is a must
Are we done yet?
Disaster Recovery
Ongoing process