VII.F Exercise and Test Scenarios
Management should develop realistic exercise and test scenarios, based on risks, which simulate disruptions in business functions and help management determine the ability to meet both business requirements and customer expectations. The goal should not be to execute “perfect” exercises without issues; instead, it should be to continuously strengthen the business continuity program and validate the BCP(s). Management should identify and document assumptions used in developing each scenario. The scenarios should include threats that could affect third-party service providers and others, such as significant business partners. Exercises and tests should include communication processes with applicable stakeholders. Exercises demonstrate not only the ability to failover to an alternate site but also validate recovery objectives. Management should consider all reasonably foreseeable risks to connectivity and service-level agreements between the entity’s facility(ies), third-party service provider facilities, and with any applicable counterparties (i.e., entities on the other side of a financial transaction) with whom they transact significant or critical business.
Scenarios may include:
- Simultaneous attacks affecting both the entity and a third-party service provider.
- Cyber-related events (e.g., isolated malware attack, DDoS attack, data corruption, or a full-scale data center outage).
- Use of mirrored sites to demonstrate that alternate sites can effectively support customer-specific requirements, work volumes, and site-specific business processes.
- Processing a full day’s work at peak volumes.
To the extent possible, scenarios should include only resources that would be available during an event (e.g., backup files or equipment at the alternate site). Considering data and systems helps management verify the integrity of data backups (including access to encrypted data) and the adequacy of off-site systems and supplies, such as workstations and procedure manuals.
Management should develop exercise and test scripts to guide participants and meet objectives. Each script should document the procedures, which may include:
- Applications, business processes, systems, or facilities reviewed.
- Sequential steps for employees or external parties to perform.
- Procedures to guide manual work-around processes.
- A detailed schedule for completion.
- Methods for participants to record results, quantifiable metrics, and any issues.
VII.E Exercise and Test Plans
VII.G Exercise and Test Methods