I've heard "tabletop" discussions for disaster recovery and business continuity planning recommended on several...
occasions. I'm trying to put one together at my enterprise. Who should I make sure is involved and are there any topics that I should be sure to discuss that might not be obvious?
For those who aren''t familiar with a tabletop exercise, this is essentially an informal simulation of an emergency or disaster scenario. Key stakeholders gather together and talk though how an enterprise or other organization would respond during such an event. It''s a good practice to conduct such exercises at least periodically in order to simulate practical implementation of a disaster recovery or business continuity plan.
To get one started, first, include representatives of all of the various groups within IT, as well as someone from the applications team if it''s not part of IT. Depending on how broad the simulations are going to be, it might also be a good idea to include someone from the facilities and physical security departments, as they are often relevant during actual business continuity or disaster recovery (BC/DR) events. For instance, if the simulation is going to include someone locking themselves in the data center or an issue with the physical infrastructure such as the HVAC systems, non-infosec folks can be very handy during the drills.
Most people who work through these discussions include topics such as major virus outbreaks as well as natural disasters like fires, tornados, earthquakes, etc. In addition, it''s a good idea to discuss events that don''t necessarily wipe out a data center but might have a major effect on business. Is the data center near a major highway, rail line or manufacturing facility? If so, what would happen if there were a large chemical spill preventing the staff from leaving or getting to the data center?
Another issue to consider is flooding. While key assets may be protected from floods, will the rising water create access issues for staff? Another possible discussion topic is the failure of a single business-critical application. What would happen, for instance, if a central database server is unavailable due to a freak fire or an electrical short?
Finally, don''t assume staff will be available. As part of the exercise, pretend that various groups or key members of teams are inaccessible for one reason or another, and don''t allow them to participate in that portion of the exercise. How well or badly do things go then?
Dig Deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.