Testing Your Business Continuity and Disaster Recovery Plans
Running Tabletop Exercises for Business Continuity Plans
So you have Business Continuity and Disaster Recovery Plans…what’s next? How can you know if these plans will work when you need them most? You need to regularly test your Business Continuity and Disaster Recovery Plans to ensure all employees are trained and all procedures will accomplish their intended goals in AWS. This can be done through tabletop exercises and group trainings. Once you test your plans in a variety of scenarios, you can review it for gaps and improve it for future, real-world implementation.
To learn more about resiliency in and of the cloud, visit the AWS documentation on recovery in the cloud.
Sometimes we get the response that an organization does not feel that they need to complete annual business continuity plan testing or disaster recovery testing because they’re in the cloud and they are relying upon the services that AWS provides and, therefore, there is no need to perform testing. A client told me recently that their business continuity strategy was to wait for AWS to come back up if the region they were in went down. That is not a good strategy and we’re missing the point of the test because you have to consider scenarios that could impact your business. This would come out of your risk assessment process that you complete or your business impact analysis that you complete. You would identify scenarios that could potentially harm your business in the terms of cost, regulatory fines, embarrassment, or lack of contractual fulfillment to your clients. With those scenarios, you should plan a test in order to see how you would do in that situation. What if a region went down and you waited for AWS to come back up and your data was lost because you had not taken the responsibility of backing up that data? Or you thought you were backing up that data and it turns out that you did not have that data backed up? These are all things that would be good scenarios to test on.
Let’s talk about a couple of types of tests. You could conduct a Business Continuity Plan test. If you have a plan to continue operations due to a critical member of your team not being available or a critical location or process not being available, or you plan on continuing operations when the AWS region is down or experiencing outages. What is your plan to continue operations? Does there need to be communication with your employees or communication with your customers? Does there need to be some type of alternative method of delivering your services? Those would all be great examples of a test of your Business Continuity Plan.
When it comes to testing disaster recovery, you are testing your procedures to actually restore from a disaster. Let’s say you have had an outage – a hacker has breached your environment they have destroyed information. Or a disgruntled employee has deleted files that you did not want to be deleted. They tried to damage systems. We have heard stories about disgruntled employees going in and deleting virtual machines from environments. So how do you restore from that? How do you recover? Those would be good tests of your procedures and also good tests to determine if your data in your backup is actually there.
A lot of times, when people go to perform these tests, they discover that what they thought they were backing up was not actually there. If you are not performing data backup and if you are not managing your versions properly, then you do not know where to go back and find what you need in order to restore to the recovery point that you have identified in your risk assessment or your data backup strategy. Those are a couple of types of tests that you should be performing, not only for compliance purposes, but for the overall health of your organization.