Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization’s strategic direction. Verify that the Plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

A. The Professional’s Role is to:
1. Pre-plan and Coordinate the Exercises
2. Facilitate the Exercises
3. Evaluate and Document the Exercise Results
4. Update the Plan
5. Report Results/Evaluation to Management
6. Coordinate Ongoing Plan Maintenance
7. Assist in Establishing Audit Program for the Business Continuity Plan

B. The Professional Should Demonstrate a Working Knowledge in the Following Areas:
1. Establish an Exercise Program
a. Develop an exercise strategy that does not put the organization at risk, is practical, cost-effective, and appropriate to the organization, which ensures a high level of confidence in recovery capability
b. Employ a logical, structured approach (effectively analyze complex issues)
c. Create a suitable set of exercise guidelines
2. Determine Exercise Requirements
a. Define exercise objectives and establish acceptable levels of success
b. Identify types of exercises, and their advantages and disadvantages
(1) Walk-throughs/tabletop
(2) Simulations
(3) Modular/component (call trees, applications, etc.)
(4) Functional (specific lines of business)
(5) Announced/planned
(6) Unannounced/surprised
c. Establish and document scope of the exercise (participants, timing, etc.)
3. Develop Realistic Scenarios
a. Create exercise scenarios to approximate the types of incidents the organization is likely to experience and the problems associated with these incidents
b. Map scenarios identified to different test types
4. Establish Exercise Evaluation Criteria and Document Findings
a. Develop criteria aligned with exercise objectives and scope
(1) Measurable and quantitative
(2) Qualitative
b. Document results as per criteria identified
(1) Expected versus actual results
(2) Unexpected results
5. Create an Exercise Schedule
a. Develop a progressive, incremental schedule
b. Set realistic time scales
6. Prepare Exercise Control Plan and Reports
a. Define exercise objectives and select an appropriate scenario
b. Define assumptions and describe limitations
c. Identify resources required to conduct the exercise, identify participants; ensure all understand the objectives and their roles
d. Identify exercise adjudicators (umpires), and clearly identify all roles and responsibilities
e. Provide an inventory of items required for the exercise and specifications for the exercise environment
f. Provide a timetable of events and circulate to all participants, facilitators, and adjudicators
g. In the event of a real situation occurring during an exercise, you may want to have a predetermined mechanism for cancelling the exercise and invoking your real business continuity process
7. Facilitate Exercises
a. Execute the exercise(s) as planned above
b. Audit exercise actions
8. Post-Exercise Reporting
a. Provide a cogent, comprehensive summary with recommendations, commensurate with levels of confidentiality requested by exercise umpire/adjudicator or as specified by the subject organization
9. Feedback and Monitor Actions Resulting from Exercise
a. Conduct debriefing sessions to review exercise results and identify action items for improvement
b. Identify actions and owners for recommendations; confirm owner acceptance
c. Confirm time schedules for completing or reviewing agreed actions
d. Monitor (and escalate where necessary) progress to completion of agreed actions
10. Define Plan Maintenance Scheme and Schedule
a. Define ownership of plan data
b. Prepare maintenance schedules and review procedures
(1) Select tools
(2) Monitor activities
(3) Establish update process
(4) Audit and control
c. Ensure that scheduled plan maintenance addresses all documented recommendations
11. Formulate Change Control Procedures
a. Analyze business changes with business continuity planning implications
b. Set guidelines for feedback of changes to planning function
c. Develop change control procedures to monitor changes
d. Create proper version control—develop plan reissue, distribution, and circulation procedures
e. Identify plan distribution list for circulation
12. Establish Status Reporting Procedures
a. Establish reporting procedures
(1) Content
(2) Frequency
(3) Recipients
13. Audit Objectives
a. Recommend and agree upon objectives for BCM-related audits
b. Audit the BCP’s Structure, Contents, and Action Sections
(1) Determine if a section in the BCP addresses recovery considerations
(2) Evaluate the adequacy of emergency provisions and procedures
(3) Recommend improved positions if weaknesses exist
c. Audit the BCP’s Documentation Control Procedures
(1) Determine whether the BCP is available to key personnel
(2) Review update procedures
(3) Demonstrate that update procedures are effective
(4) Examine the provision of secure backup copies of the BCP for emergency use
(5) List those individuals with copies of the BCP
(6) Ensure that BCP copies are current

Copyright 2004 DRI International