Presentation is loading. Please wait.

Presentation is loading. Please wait.

Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security AnalystMarch 22, 2007.

Similar presentations


Presentation on theme: "Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security AnalystMarch 22, 2007."— Presentation transcript:

1 Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security AnalystMarch 22, 2007

2 University of Rochester 2 The University of Rochester o Private University established 1850 o Current Enrollment 5,000 Undergraduate 3,500 Graduate 400 Medical o Attached Medical Center o Located in Upstate New York

3 University of Rochester Disaster Recovery Best Practices Business continuity plans “should be tested and updated regularly to ensure they are up to date and effective” ISO 17799/27001 3

4 University of Rochester Benefits of Testing o Identify oversights and errors In the test With the participants o Reinforce strategies and roles Participants’ roles and responsibilities o Assure stakeholders and audit Plan effectiveness 4

5 University of Rochester Benefits of Testing NO BAD TESTS Test the Plan Drill the Participants Assure the Stakeholders 5

6 University of Rochester Pre-Test Planning Guide o Gain management approval o Create a budget and aquire funding o Define test objectives and/or scope o Create a team and establish effective communication o Set date and location of test 6

7 University of Rochester Choosing a Test o Start small and work your way up Tabletop drill uses less resources, produces lesser results Simulations uses more resources, but your results are more in depth o Test type selected depends on your goals, environment and risk you are willing to take on 7

8 University of Rochester Types of Tests o ISO 17799/27001 defines six types of disaster recovery tests: Tabletop Simulation Technical recovery at primary site Technical recovery at secondary site Test of supplier, facilities and service Complete rehearsals 8

9 University of Rochester Identify Test Resources o Participants Employees, customers, etc. o Observers Management, audit, etc. o Vendors Hardware and software providers o Network and system resources Equipment needed 9

10 University of Rochester Describe Anticipated Results o Set up milestones Identify the distinct phases of the test o Participants/observer roles Each person has a role to fill o Set up an end point Recovered Timeline 10

11 University of Rochester Debrief of Test o Lessons learned Feedback from observers and participants Write up for management, customer, and audit 11

12 University of Rochester Test Results 12 o Follow up to the debrief Update processes and procedures Decide on continuing efforts Retest same test Plan for next steps o Testing is a never ending process

13 University of Rochester Case Study: University of Rochester o Disaster Recovery Plan Documented some systems, but not all Parts were tested, but not all Many pieces were in place Needed to come together 13

14 University of Rochester Case Study : Continued o Human Resource Computer Systems All aspects of HR from hiring to firing and everything in-between Size Secure information Legal regulations Contractual obligations 14

15 University of Rochester Test Planning 15 o Leadership support for the disaster recovery test Defined scope One and done Defined time frame March 23rd Defined team members All players all the time

16 University of Rochester Managing the Plan 16 o Manage the leadership expectations Redefined scope Redefined time frame Redefined team members

17 University of Rochester 17 Defining Scope and Timeline o Stage out testing Tabletop February Component/ModularMarch ParallelApril/May DisasterJune o Each one managed separately, but built off each other o Mitigate risk

18 University of Rochester 18 Team Composition o Members from all areas HR, OS, DBA, Networking, Application, DR o Subject experts for each portion of the test o Open communication is a must

19 University of Rochester Are we done yet? We are about halfway there Completed tabletop and component tests Few windows of opportunities per month to test on actual hardware due to payroll 19

20 University of Rochester Are we done yet? Completed some testing and documented our plans to satisfy audit Communication is one of the keys to staying on track Disaster recovery is still secondary to primary operations 20

21 University of Rochester Disaster Recovery Ongoing process 21

22 University of Rochester Disaster Recovery Questions 22


Download ppt "Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security AnalystMarch 22, 2007."

Similar presentations


Ads by Google