ABSTRACT

Everything an information security practitioner deals with requires some form of testing to ensure that the information technology or resource is within configuration specifications. This applies to ensuring that business continuity (BC) and disaster recovery (DR) plans are documented and executable as per the business continuity strategy and that the capabilities are deployed as part of an overall business continuity program for the enterprise. Testing BC/DR plans is done with regard to justifying the economic benefit of having BC/DR capabilities in place. A company that decides not to test its BC/DR plans will not know if those capabilities and documented procedures will work during a disaster and thus jeopardizes the survivability of the enterprise. The information security professional may be asked to assume the role of testing coordinator or facilitator. This role, in most organizations, is responsible for coordinating and facilitating testing of all BC/DR plans, which requires a thorough understanding of the plans to ensure that the business continuity policy will be met, attaining appropriate funding for the overall testing of these plans, identifying the types of testing that should be conducted, scheduling testing to minimize its impact on business operations, and developing scenario-based test plans that clearly state the scope, purpose, and objective for testing.