When first created, your business continuity plan may cover all of the risks you can anticipate. It has a current list of your company’s assets, resources, sensitive data, partners, and all of the other information needed. However, over time, risks that were once identified as priority threats may become less so. Other risks to your company may be identified that didn’t exist when the plan was written. Your assets are also likely to change. Personnel come and go, and new IT security technology or resources may change how you should respond to a scenario. If these changes aren’t incorporated into your business continuity plan, the plan won’t be as effective or as helpful as it should be. Here are ways of testing your plan.
Who Should Test Your Plan?
The team that originally wrote your business continuity plan should be there when you revisit it. The original team is familiar with the plan, but you want to make sure you bring in fresh eyes too. Someone heavily invested in the process may not think of new risks or be able to see how the scenarios have changed. Having outside points of view is always helpful.
Again, just like with writing your plan, you want to be sure every department is represented. You should have everyone from C-level employees to administrative assistants represented. Each level of your business sees processes and problems differently, so you want to make sure you’re covering every possible angle and understand the effects of a disruption at each level.
How Often Should Your Plan Be Tested and Updated?
Ideally, you’ll evaluate your business continuity plan yearly. Some years, this may be nothing more than updating your lists of assets, resources, and personnel. Other times, though, you may have a new cyber risk to evaluate and plan a scenario for. You may also need to remove some scenarios that are no longer relevant. If a major threat turns up outside of this annual update, you may want to address it as quickly as possible rather than wait for the next regular update meeting.
How Do You Test Scenarios?
One of the most common ways of testing a scenario is through a tabletop walkthrough. You present the scenario to your team. For example, “An employee fell for a phishing scam and credit card information for 10,000 customers has been stolen.” Your team then works through the scenario, creating a list of everyone who would be affected, how the business should react, and what long-term damage you should prepare for.
Many of the solutions and issues that the team comes up with may be similar to what you’ve already outlined. That’s fine, and you can check those responses off and not focus too much on them. However, you may have new resources or information that leads the team to new solutions. You may also determine that a scenario is no longer a risk. Some scenarios may be downgraded from high risk to low risk, while others may be discarded completely. New scenarios may be added and may need a full write-up of responses and long-term effects.
Need Help?
You should also do a full security risk assessment when you update and test your business continuity plan. CyberCompass is here to assist you with that assessment. We provide ten different cybersecurity scans and also check to make certain your company is compliant with all necessary regulations. Contact us today to discuss your particular needs.