Disaster Recovery and Business Continuity

Plan Testing:Practice Makes Perfect

B.J. Block, Information Security Analyst

March 22, 2007

University of Rochester 2

The University of Rochester

o Private University established 1850

o Current Enrollment• 5,000 Undergraduate• 3,500 Graduate• 400 Medical

o Attached Medical Center

o Located in Upstate New York

University of Rochester

Disaster Recovery Best Practices

3

University of Rochester

Benefits of Testing

o Identify oversights and errors• In the test• With the participants

o Reinforce strategies and roles• Participants’ roles and responsibilities

o Assure stakeholders and audit• Plan effectiveness

4

University of Rochester

Benefits of Testing

5

University of Rochester

Pre-Test Planning Guide

o Gain management approvalo Create a budget and aquire fundingo Define test objectives and/or scopeo Create a team and establish effective

communicationo Set date and location of test

6

University of Rochester

Choosing a Test

o Start small and work your way up• Tabletop drill uses less resources,

produces lesser results• Simulations uses more resources, but

your results are more in depth

o Test type selected depends on your goals, environment and risk you are willing to take on

7

University of Rochester

Types of Tests

o ISO 17799/27001 defines six types of disaster recovery tests:• Tabletop• Simulation• Technical recovery at primary site• Technical recovery at secondary site• Test of supplier, facilities and service• Complete rehearsals

8

University of Rochester

Identify Test Resources

o Participants• Employees, customers, etc.

o Observers• Management, audit, etc.

o Vendors• Hardware and software providers

o Network and system resources• Equipment needed

9

University of Rochester

Describe Anticipated Results

o Set up milestones• Identify the distinct phases of the test

o Participants/observer roles• Each person has a role to fill

o Set up an end point• Recovered• Timeline

10

University of Rochester

Debrief of Test

o Lessons learned• Feedback from observers and

participants• Write up for management, customer,

and audit

11

University of Rochester

Test Results

12

o Follow up to the debrief• Update processes and procedures• Decide on continuing efforts• Retest same test• Plan for next steps

o Testing is a never ending process

University of Rochester

Case Study: University of Rochester

o Disaster Recovery Plan• Documented some systems, but not all• Parts were tested, but not all• Many pieces were in place• Needed to come together

13

University of Rochester

Case Study : Continued

o Human Resource Computer Systems• All aspects of HR from hiring to firing

and everything in-between• Size• Secure information• Legal regulations• Contractual obligations

14

University of Rochester

Test Planning

15

o Leadership support for the disaster recovery test• Defined scope

• One and done

• Defined time frame• March 23rd

• Defined team members• All players all the time

University of Rochester

Managing the Plan

16

o Manage the leadership expectations• Redefined scope• Redefined time frame• Redefined team members

University of Rochester 17

Defining Scope and Timeline

o Stage out testing• Tabletop February• Component/Modular March• Parallel April/May• Disaster June

o Each one managed separately, but built off each other

o Mitigate risk

University of Rochester 18

Team Composition

o Members from all areas • HR, OS, DBA, Networking, Application, DR

o Subject experts for each portion of the test

o Open communication is a must

University of Rochester

Are we done yet?

19

University of Rochester

Are we done yet?

20

University of Rochester

Disaster Recovery

Ongoing process

21

University of Rochester

Disaster Recovery

22