Most companies treat their Business Continuity Plan (BCP) and Security Incident Plan as critical components of their Information Security Management System, not only because compliance regulations require a business continuity plan but also because companies continually evolve through new services and changing business processes. Customer expectations are also rising: customers expect a company to keep providing services regardless of the cause of an event. How do you determine whether those plans will actually work when the need arises to use them?
A business continuity plan and a security incident plan document the steps to take in the event of a business disruption. Testing confirms that what is written matches what people actually do, and that the people named in the plan can do it. Infrequent or no testing of a business continuity plan presents a substantial risk to any organization, because the first time the plan is exercised will be during a real disruption. Regular testing drives improvements, reduces risk, and keeps the plan appropriate for the business as it changes. Customers also need assurance that BCPs are tested in order to maintain confidence in the company's ability to meet their needs without interruption.
There are many ways to test your plans, including tabletop exercises, walkthroughs, and simulations. One very effective approach is to have a 3rd party conduct a tabletop test. A tabletop exercise walks the response teams through a business interruption scenario in a discussion setting, so the decision-making, communication, escalation, and hand-offs in the plan can be tested without the stress of a real incident. Keep in mind that a tabletop does not exercise the technical recovery itself (restoring systems, failing over to an alternate site); those steps still need a walkthrough or simulation to prove they work.
Engaging a qualified 3rd-party vendor to conduct your tabletop test provides an independent view of how effective your plans are and where the gaps exist. That insight allows you to strengthen and refine your plans, prepare your teams, and be better prepared when a business interruption or security event occurs.
The following are some key components to make a tabletop test effective:
- Use a qualified 3rd-party vendor that has experience conducting BCP and security incident tabletop tests.
- Make sure the vendor will deliver a complete analysis of the results, both good and bad. Remember that this is only a test: if something in the process fails, you can now correct the procedure before a real business disruption.
- Work with the vendor to develop a scenario that fits your business and engages every member of your BCP and security incident response teams.
- Include all members of your BCP and security incident response teams. They should know that a tabletop test will take place, but none of them should know the scenario in advance; otherwise the exercise measures preparation for one scripted event rather than the team's ability to respond.
- If key vendors are critical to business continuity, consider including them in the tabletop test.
- Design the scenario so that everyone participates, and make sure both primary and secondary (backup) team members are exercised, since the primary contact may be unavailable in a real event.
- Include representatives from senior management.
- Hold a lessons-learned session with the 3rd-party consultant and all participants.
- Lastly, make the necessary adjustments to the plans based on the lessons learned, and assign an owner and a due date to each one so that the findings are actually closed out before the next test.
The last thing any company wants is to discover that its BCP or security incident plan has gaps, or fails completely, at the moment it is needed most.
Marty Serro, Chief Information Officer, Chief Security Officer
Marty has over 35 years of diversified technology management experience in support, development, security, and implementation across varied industries. During his tenure, he has built a global support infrastructure through innovative tools and a high-touch customer support organization. Under his leadership, our security team has built an industry-leading security framework designed to protect client data at all times. Marty leads the company's annual SOC 2, ISO 27001, and HITRUST certifications and has established a robust security education and training program for all staff.