CRISC

Course: CRISC
Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers testing the business continuity plan using the following methods:
- Checklist test
- Structured walk-through (tabletop) test
- Simulation test

Drills:
- Parallel test
- Full-interruption test

After a test has been conducted or a disaster has taken place, it is important to focus on what happened, what should have happened, and what should happen next. Do not focus on who was at fault, as this is counterproductive.

The instructor rounds off this lesson with a review of the unit, including:
- BCP vs. DRP
- Common terms
- Roles and responsibilities
- Summary of BCP sub-plans
- Additional frameworks

Video Transcription

00:04
So as I mentioned before, the degree of testing is going to determine my degree of confidence in the plan. The more thoroughly I test, the more I can be assured that the plan's actually gonna work. So what we have is, we have five on this slide and the next; we have five different types of tests.
00:22
Each one increases in the degree of reliability. So, for instance,
00:26
we start with the checklist test, which is exactly what it sounds like. I'm gonna pass out a checklist to my managers, department managers, and I'm essentially going to say, "Hey, did I think of everything?" And they're gonna go check, check, check
00:39
and get back to me and provide additional feedback. But this being paper based, you don't get a lot of assurance with that. The benefit, however, is we're not really risking any sort of downtime. This is something very quick and very easy to do.
00:53
If we want a little more reliability, what we'll do is we'll take that checklist we've just handed out to all our managers and we'll bring those managers together, and we'll go through the checklist together. That way, we'll get a little better feel for interdependencies across departments.
01:08
A lot of times facilitated discussions can bring up new ideas and new concerns.
01:14
When we bring those managers together and we talk about the checklist now, we have what's called a tabletop test.
01:22
Still paper based. Very much still paper based. And another name for this is a structured walk-through.
01:30
Be very careful here, because when you give me the term walk-through, I kind of imagine going through the motions, right? That's what walk-through means in my head. As a matter of fact, I always call this in my head a structured talk-through, because that's really what it is. This is still paper based. We're sitting around a table essentially going, "Yep, yep.
01:49
Oh,
01:49
have you thought about this?" Very much paper based. If I really want to go through the motions, the first type of test that does that is called the simulation test. And with the simulation test, we go through the motions right up to the point where we would leave the building.
02:07
Now we start to get risky when we look at the last two types of tests, a parallel test and a full-interruption test. The reason these are risky is that a portion of processing, a portion of our transactions, are gonna be processed at the off-site facility.
02:24
So if there are certain controls that aren't effective, or that aren't in place, or don't work the way we anticipated, we're gonna lose live transactions.
02:35
The parallel test means maybe 10% of transactions are processed at the off-site facility and the rest are processed at our permanent facility. So we don't pull down everything. We're doing the majority of our transactions as normal, but a few of them are handled in parallel at the off-site location.
02:54
Full-interruption test, though, is the greatest risk, because we shut down the permanent facility and we bring up the off-site facility, so you can see the potential for risk there. A lot of companies that are Monday through Friday, 8 to 5 companies, on Friday afternoon are gonna shut down the permanent facility, and on Monday morning they're going to reopen
03:15
at the off-site facility, so they have a team working over the weekend
03:19
to make sure the transition goes smoothly.
03:22
Definitely anticipate questions on the types of tests. The first three are paper. I'm sorry, the first two are paper based. The simulation test gives us that actual going through the motions, but we don't have a lot of risk because we're not relocating. The parallel test has us perform some transactions
03:42
at each facility.
03:43
The full-interruption test puts all of the transactions at the off-site facility, so you can see the risk for that.
03:51
Now, after the incident, whether it's a real live incident or it's a test, we've gotta review, and it's senior management's responsibility to make sure that we go back over what's happened and we review it.
04:03
The purpose of drills
04:06
is always to improve, and really that's the purpose of any type of testing: help me find a way to get better. We're not looking back and trying to figure out who didn't do what they were supposed to; we're always looking forward. How can we make sure that we're better this time than the last?
04:25
Focus on what happened. Again, you know, you want to be careful about being too backwards-thinking. You wanna look at what happened, but really you want to focus your thoughts on how to get better.
04:38
I'm gonna trust I've already talked about change management enough. Again, nothing on this exam happens on the fly. Everything has a thoroughly vetted process in order to make changes, and a big part of that process is documentation.
04:54
Because of that, the same thing applies to our business continuity plan itself. So we've written our plan. It's in motion. We've distributed it to the people that need to know. Now,
05:06
we need a strategy every year to go back and look at that plan. We also need a strategy in the event of a major change: we go back and look at the plan. So that's part of change management for the business continuity plan itself, very, very important.
05:20
And we know changes do not get made to this plan without following the change control procedure.
05:27
We need to have somebody to keep the plan up to date. There needs to be an individual or team that's responsible for making sure it's reviewed on a regular basis and making sure that they're analyzing the current environment for risks that would lead to a change in the plan.
05:44
We need to name those folks. It needs to be part of their job description and they need to be evaluated on their performance.
05:51
Oh, and then this last slide talks about additional BCP frameworks. Not testable, but I included this slide because I mentioned very early on the Disaster Recovery Institute.
06:03
Business Continuity Institute. I mentioned NIST 800-34. I cannot stress enough, I don't need you memorizing the slide, but we talked about Deming's Plan-Do-Check-Act. We looked at the seven stages, and those seven stages
06:21
mapped most closely to NIST 800-34.
06:25
But you can see the same elements happen. You know, we start with project initiation. What do we do? We get our policy. We get our business impact analysis. We look at the controls that are in place. We develop the plan. We test the plan, we maintain the plan. So this just shows us the flow
06:45
of business continuity planning
06:51
as a result we've completed. And by the way, I'm just gonna move quickly through this. This isn't NIST 800-34. This is the Plan-Do-Check-Act that we've already talked about from Deming.
07:03
And then ultimately that brings us to our wrap-up. We've talked about the difference between a business continuity plan and a disaster recovery plan. We said that the disaster recovery plan is part of the business continuity plan, and it's more focused on restoring critical operations.
07:19
We've gone through the common terms. Make sure you know the terms and the lingo that we've talked about in this class. Make sure you know there's metrics like recovery point objective, recovery time objective. The different roles and responsibilities, focusing on what senior management's responsible for, functional management, the business continuity team.
07:40
But also make sure you know
07:42
the rescue, recovery and salvage team as well,
07:46
the various sub-plans of the business continuity plan. Really, the most important one to be familiar with is that disaster recovery plan,
07:55
the seven phases of BCP. Just know the flow of processes. Start with policy.
08:01
First action item is gonna be the BIA. Look at recovery strategies to be in place. Figure out your plans, write the plan. Test the plan, maintain the plan.
08:13
And then there's additional frameworks. Not so much testable, but they're there for your edification, if you will.
08:20
So that wraps up the business continuity planning chapter. This is highly testable. Spend time here, do lots of review questions here. This chapter alone can make or break you on the exam.

Instructed By

Kelly Handerhan
Senior Instructor