Developing a Contingency Plan - Test, train and maintain
(Page 4 of 4 )
Testing, training and maintenance are essential follow-up activities that must be carried out after the completion of the plan. It is vital that the plan is thoroughly tested in all its aspects. An untested plan is worthless, as there is a high probability of it failing under the pressure of an actual emergency. For this reason, planning standards generally recommend a structured and comprehensive testing schedule covering at least the following areas:
System recovery. This involves ensuring that backup media can be located, that they are adequate to restore systems to a functioning state, and that if alternate hardware has been specified it is available and functioning. In short, the ability to get critical systems up and running within the required timeframe must be satisfactorily demonstrated.
Co-ordination of responsible parties. Testing should demonstrate that responsible teams and individuals understand and can carry out their assigned roles in an emergency. Given the human aspect to this, it is advisable that at least some testing is carried out under pressure situations to ensure that people are able to function under the stress of an actual emergency.
Notification procedures. The communication elements of the plan are easy to overlook but are in fact critical. Testing should ensure that communication procedures are viable and effective, and able to function properly under emergency conditions.
Training is essential to ensure that individuals are aware of the plan, its possible impact on them and their role within it. This does not apply only to active participants in emergency processes. In an emergency it is not unusual for almost every individual in an organization to be affected in some way. Some form of training is therefore necessary for everybody. Training usually consists of a combination of classroom and practical exercises designed to imitate real life scenarios as convincingly as reasonably possible. Practical exercises should ideally involve simulations of anticipated disruptions.
Maintenance is another frequently overlooked aspect of contingency planning. In a dynamic environment such as a typical business, and especially in the fast-changing landscape of IT, frequent reappraisal and review are essential. This part of the process shouldn't be left to chance: the maintenance schedule should be formally specified as part of the plan. Responsibility for maintenance will generally be the ultimate responsibility of the planning architect, although it will often devolve to committees, or sometimes different individuals will be made responsible for maintaining different sections of the plan. As a general rule the plan should be subject to annual review, although in many cases more frequent or even continuous review will be desirable. In all cases, procedures must be in place to update constantly changing details such as contact information on an as-needed basis.
Finally, the plan itself should be subject to the organization's security processes. It is in and of itself a piece of critical and sensitive documentation. Therefore its distribution should be appropriately controlled, backup copies should be stored offsite, and its contents themselves must be disaster proof.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.
