CHAPTER 18: BUSINESS CONTINUITY PLAN AND TESTING

‘The best way to get management excited about a disaster plan is to burn down the building across the street.’22 – Dan Erwin

All critical infrastructure service providers should be prepared for worst-case scenarios. Serious preparation begins with doing the things the organisation can do itself, such as creating a business continuity plan that sets out the actions taken in the case of various incidents. Worst-case scenarios could include a fire, flood, earthquake, act of vandalism or a cyber attack. Cyber attacks should be differentiated by type and target in a business continuity plan because the activities needed for business continuity and recovery are different for different types of attacks. If risk analyses have been prepared, they are an input during the preparation of a business continuity plan.

An information system disaster recovery plan should also be prepared. How should people act when an information system stops working, and what should be done to recover it? How are working information systems guaranteed? Who sends failure notices? Who reacts to them and how quickly? Which action is taken? How are different parties informed?

Business continuity and disaster recovery plans should be regularly tested. Plans that look good on paper are not much use if it’s unknown whether they would actually work.

There are several ways to test a business continuity plan. Table-top testing is the most reasonable and cheapest option: people gather at a table and an emergency is simulated in the course of testing. The scenario for primary testing could be one that carries the biggest risk and causes the most damage, or one that is easy to organise to make the participants understand how the relevant exercises work. The purpose of these exercises is to assess whether everyone understands the plan and their role and duties, whether there is information exchange and how it works, whether the necessary resources have been identified and are available, whether there are any faults in the plan, whether goals will be reached, whether changes should be made in the plan and whether extra training should be given.

While a table-top exercise is usually the most reasonable option for starting the testing process, the most realistic and probably the most expensive test is to cause an actual disruption. For some critical infrastructure service providers, of course, carrying out such a test is out of the question and impossible. The critical infrastructure service may be interrupted in full or in part during such testing. A part of the service or the provision of the whole service in a certain region may be suspended. The focus can be on testing IT systems only. For example, critical infrastructure service providers that use two server rooms can interrupt the functioning of one of the server rooms and then check whether the systems will work (or stay working) from the second server room. Such testing needs thorough and careful preparation to avoid causing real damage to the operating systems and clients, but it gives the best understanding of the situation. It is important to assess the results of the tests, draw conclusions and make the necessary changes to the business continuity plan.

There has been a movement towards sectoral, national and international cyber training in recent years. Participating in such training is good for critical infrastructure service providers because they don’t have to contribute to its preparation. It also gives their employees experience that can be implemented in organising cyber security and help guarantee the continuity of services.

Business continuity and disaster recovery plans that help prepare for the interruption of critical infrastructure services and coordinate recovery should also be prepared at the state level.

Lesson 18: Prepare business continuity and disaster recovery plans and test them at reasonable intervals.
