I've heard "tabletop" discussions for disaster recovery and business continuity planning recommended on several...
occasions. I'm trying to put one together at my enterprise. Who should I make sure is involved and are there any topics that I should be sure to discuss that might not be obvious?
For those who aren''t familiar with a tabletop exercise, this is essentially an informal simulation of an emergency or disaster scenario. Key stakeholders gather together and talk though how an enterprise or other organization would respond during such an event. It''s a good practice to conduct such exercises at least periodically in order to simulate practical implementation of a disaster recovery or business continuity plan.
To get one started, first, include representatives of all of the various groups within IT, as well as someone from the applications team if it''s not part of IT. Depending on how broad the simulations are going to be, it might also be a good idea to include someone from the facilities and physical security departments, as they are often relevant during actual business continuity or disaster recovery (BC/DR) events. For instance, if the simulation is going to include someone locking themselves in the data center or an issue with the physical infrastructure such as the HVAC systems, non-infosec folks can be very handy during the drills.
Most people who work through these discussions include topics such as major virus outbreaks as well as natural disasters like fires, tornados, earthquakes, etc. In addition, it''s a good idea to discuss events that don''t necessarily wipe out a data center but might have a major effect on business. Is the data center near a major highway, rail line or manufacturing facility? If so, what would happen if there were a large chemical spill preventing the staff from leaving or getting to the data center?
Another issue to consider is flooding. While key assets may be protected from floods, will the rising water create access issues for staff? Another possible discussion topic is the failure of a single business-critical application. What would happen, for instance, if a central database server is unavailable due to a freak fire or an electrical short?
Finally, don''t assume staff will be available. As part of the exercise, pretend that various groups or key members of teams are inaccessible for one reason or another, and don''t allow them to participate in that portion of the exercise. How well or badly do things go then?
- Check out this video series on disaster recovery.
- Forensic incident response with SIMs and IAM: Learn how to integrate these two technologies.
Dig Deeper on Information Security Incident Response-Information
Related Q&A from David Mortman
Learn when Social Security numbers can be used for patient identification without violating HIPAA patient confidentiality requirements. Continue Reading
Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert ... Continue Reading
In order to protect student personal data, FERPA was enacted in 1974. But does protecting that data allow for FERPA educational records to be sent ... Continue Reading