The ability to quickly bounce back from a disaster – whether it’s a cyber attack, catastrophic hardware failure, or a devastating storm – is one of the highest priorities for IT departments. For that reason, disaster recovery and cyber security recovery plans are some of the most difficult, most important work an IT professional will ever do. But once the planning is complete, how does one know the plans they’ve come up with will actually hold up to the fire?
In other words, what must one do to test one’s disaster recovery capabilities?
Unfortunately, the answer to that question isn’t a simple one. Testing a disaster recovery or cyber security recovery plan is an expensive, complicated, and time-consuming process – enough that even large enterprises only tend to do a full-scale test once a year at most.
“Disaster recovery plan testing is critical to identifying changes in the environment so that the plan can be updated or modified to include any new situations and to accommodate any altered conditions,” writes TechTarget’s George Crump. “Despite the importance of DR plan testing, full-scale tests can only be done periodically, because they’re time-consuming and often expensive to conduct. In reality, partial testing is more likely with a quarterly frequency at best.”
As for smaller-scale testing, you’ve got a few options at your disposal, with varying degrees of effectiveness.
The Paper Test
This is the easiest and least expensive test to perform. Everyone responsible for drafting your recovery plans reads through them and annotates where they deem it necessary. This process may or may not incorporate records from recent disasters or emergencies suffered by your organization.
The Walkthrough Test
This one’s closely related to paper testing. You have a group walk through a plan, and together identify any problematic elements or changes that need to be applied. Again, this process may make use of records from prior disasters.
The Simulation Test
Now we’re getting a bit more complex. Basically, this is a standard emergency drill: the company goes through a simulated disaster and determines how effective everyone was at fulfilling their roles. Think of a fire drill like you had back when you were a child – it’s something like that.
The big weakness of the simulation is that it’s very difficult to simulate a ransomware infection or cyber attack without the assistance of a cyber security consulting agency. Most businesses don’t have the resources or expertise to do so. If they did, they’d likely pen-test and secure their own systems without having to bring in external help.
The Parallel Test
This is closer to a full-scale DR test, and one of the more expensive and extensive options at your disposal. With a parallel test, your business sets up temporary recovery systems to see if they can actually support the business while primary systems are shut down. It’s sort of like a stress test for these systems.
The Cutover Test
This is a full-scale DR test. Primary systems are disconnected, and secondary systems are built to assume the full workload of those systems. Understandably, this is one of the costliest tests you can possibly run – but it’s also one you need to run at least occasionally.
You’ll need to perform each of these tests on a regular schedule of some kind if you want to be assured that your disaster recovery plan is sound. Without testing, you’ve no idea whether or not what you’ve proposed will hold up during an actual emergency. And you don’t want to wait for a crisis to discover something like that – trust me.