ABSTRACT
Everything an information security practitioner deals with requires some form of testing to ensure that
the information technology or resource is within configuration specifications. This applies to ensuring
that business continuity (BC) and disaster recovery (DR) plans are documented and executable as
per the business continuity strategy and that the capabilities are deployed as part of an overall business
continuity program for the enterprise. Testing BC/DR plans serves to justify the
economic benefit of having BC/DR capabilities in place. A company that decides not to test its BC/DR
plans will not know whether those capabilities and documented procedures will work during a disaster, and thus
jeopardizes the survivability of the enterprise. The information security professional may be asked to assume
the role of testing coordinator or facilitator. This role, in most organizations, is responsible for
coordinating and facilitating testing of all BC/DR plans, which requires a thorough understanding of
the plans to ensure that the business continuity policy will be met, obtaining appropriate funding for the
overall testing of these plans, identifying the types of testing that should be conducted, scheduling testing
to minimize its impact on business operations, and developing scenario-based test plans that clearly state
the scope, purpose, and objective for testing.