Developing IT Disaster Recovery Plan: Testing your Disaster Recovery Strategy
In this article, we discuss testing your strategy developed in the previous article. If you haven’t read the earlier articles in this series, I recommend you check them out.
Testing occurs at various stages, and at each stage, you need to test a different objective. When developing your ITDRP, you need to start testing your strategy before documenting them as a formal plan. How you test your DRP depends on your objectives. This article discusses different methods you can use to test your DRP at various stages for various objectives and then focuses on the tests you need to perform before documenting your strategy as a plan.
Testing objectives
The testing objective dictates whether your must test your DR strategy before documenting them, when you operationalize it, or during the maintenance phase as part of your continuous improvement.
For example, suppose your objective is to make sure the teams involved in disaster recovery understand their roles and responsibilities. In that case, you should be testing before documenting your strategy. Such testing involves a smaller audience, and there is no need for a real-time drill.
However, suppose your objective is to know whether your organization is ready for a total data center failure situation. You must operationalize your strategy and conduct many workshops with your relevant staff before conducting such a company-wide drill.
Also, the scale of your testing depends on the objectives. From the above examples, the first testing is small in scale; there are no real information systems involved, and usually limited to two hours of exercise conducted in a meeting room. However, for the later example where your organization is engaged, preparation must be robust to ensure the drill does not result in a real disaster or produce many false-positive, rendering the drill useless.
Figure 01: Some of the objectives to test for your DRP
We recommend the following test objectives to test your DRP at this phase:
Organization structure
Processes
Selecting the testing method
The method to test your ITDRP objectives depends on the maturity of your organization and the information technology department.
For example, performing an organization readiness exercise right after defining your recovery strategy will result in a needless disaster. Such testing will provide you with many false positives due to the lack of awareness among the staff and not real gaps. Likewise, never conducting an organizational readiness exercise even after five years of implementing your ITDRP will not give the management and the staff the required confidence.
Once you finalize your test objectives, you should select one of the following testing method:
Figure 02: Testing method or strategy for your ITDRP
We have discussed them in our BCP article on Testing, Documenting, and operationalizing your BCP (and recapped them here for your convenience). The suggested testing methods listed above depend on your test objectives and the timing of your tests.
Structured walkthrough — is suitable for awareness sessions where you conduct a walkthrough of your plan based on a scenario to your target audience. Senior management and your staff are ideal for this testing method.
Tabletop exercise — is suitable for testing the understanding of your IT DRP teams and even your organization. But it is more convenient for testing the teams involved in executing your IT DRP.
Simulation test — is ideal for testing the individual plans based on a real-life scenario. In this, you prepare a scenario modeled after a real-life disaster that is common to your location. Then explain the scenario and ask the team members to respond. Ensure the appropriate extended teams are present during the simulation.
Functional or real-time drill — This involves acting out with response in a fictitious scenario/drill. In this drill variant, the date is announced to staff ahead of time.
Full-fledged exercise or drill — This involves designing a real-life scenario on a real-time basis and then testing them unannounced on a particular day. We recommend this after you have used other testing methods to test your IT DRP for at least two years.
Where scenario is involved (real or fictional), they must be tailored to your audience since the scenario you select for your senior management will be different from the one you choose for your staff.
We recommend a structured walkthrough followed by a tabletop exercise to test your IT DRP strategy at this phase. Once you operationalize, you should conduct structured walkthrough exercises for the specific departments. Additionally, you should perform one simulation test within the first year of your IT DRP.
Preparing and facilitating
Once you identify your testing objectives and testing method, you should prepare the following:
kick-off presentation — prepare a concise presentation with fewer slides announcing the test, its objectives, scope, target audience, expected outcomes, and the post-test activities
awareness workshops contents — prepare a scenario that is likely applicable to your organization. Use presentations to document your draft recovery strategy to use during the test workshop. Use various media such as video, audio, and images to appeal to your audience visually
feedback capturing templates — for capturing your observations and obtaining feedback from your attendees.
Once you are ready, send invites to the respective stakeholder you have already identified in the process of documenting your IT DRP. Keep the communication concise and well-informed. During the testing, you need to play as a facilitator. Ensure you have an additional team member present with you to play an observer and document the reaction from the attendees.
A good facilitator guides the workshop while providing the flexibility for it to be productive. Be there to respond to any questions related to the strategy you have designed. Remember that the strategy is not finalized and be open to corrections. Once the session is over, collect the feedback, go back to your team, analyze the collected information, and update your strategy accordingly.
Now you are ready to present your strategy to the management. Having tested your strategy makes the approval of your management team easy.
Conclusion
We recommend you test your DR organization structure and the management processes using a structured walkthrough and scenario-based tabletop exercise. To do this, prepare the required materials for the workshops. Once done, organize the workshop with your ITDRP teams — both IT and management. Document your observations, and collect feedback from the attendees after the workshops. Finally, analyze the information you collected in the workshop and update your strategy to present to your management team.