Annual Exercise
Organization and IT meet annually for 3 hours and 20 minutes (the extra 20 minutes are for breaks) to conduct risk planning and simulation activities. The agenda for the 200-minute session is documented on this page.

> Periodic tests shall be performed by designated personnel authorized by organizational management to test the execution of business continuity and disaster recovery plans through:
>
> - Conducting disaster role-playing (“table-top”) sessions that allow participants to “walk through” the facets of the BCP, gaining familiarity with their responsibilities given a specific emergency scenario(s).
> - Performing a simulation of a possible disaster scenario with different realistic scenarios that test the effectiveness of the BCP.
> - Wherever possible, accommodating any work stoppages due to real testing of the BCP and DRP by appropriately scheduling simulations and other testing exercises.
>
> After the completion of business continuity and disaster recovery plan tests, an assessment report shall be submitted to management. The results should clearly indicate whether the exercise/test was successful or not, including corrective actions. Documented plans shall be updated based on the results of the tests performed.
{.is-info}

# Preparation Tasks

| | Task | Details (fill in materially significant details) | Links/Supplements (fill in materially significant details) |
| --- | --- | --- | --- |
| ▢ | Copy this page as a sub-page and name it "YYYY-annual-exercise". | | |
| ▢ | Select a date for the table-top meeting. | | |
| ▢ | Select a date for the real-world exercise. | | |
| ▢ | Select a date for the risk assessment update. | | |
| ▢ | Select participants and attach "Owner" information for every business process or asset that is tracked. | | |
| ▢ | Participants must all prepare the following: review the owner information and decide whether it is missing items; understand the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each asset they are responsible for; review the risk assessment information found under the vendor inventory. | | |
| ▢ | Select a security incident from past events/incidents; it will be the first walk-through. (This requires an established incident tracking process.) | | |
| ▢ | Create or select the second scenario from Disaster Planning for the table-top walkthrough. This scenario must affect a mission-critical system that affects customers directly: “It stops our customers, immediately, from being able to conduct business.” | | |
| ▢ | Create or select the third scenario from Disaster Planning for the table-top walkthrough. This scenario must affect a mission-critical system that affects the organization primarily and should have a material impact on our customers as well: “It stops us from doing business.” | | |
| ▢ | Prepare the scenarios, updating them as needed. | | |

# Structured Meeting Agenda

The 200 minutes will go by fast; we are doing everything at once. This agenda is fixed.

| Start (minutes, 0-200) | End (minutes, 0-200) | Agenda Item | Details |
| --- | --- | --- | --- |
| 0 | 10 | Introduction and Syllabus | |
| 10 | 20 | Review Backup Policy | Review the Backup Policy (general); Q&A on expectations for mission-critical systems; present Backup Audit Log performance; present Disaster Response Procedures and determine alignment with present business needs. |
| 20 | 30 | Breach Notification Discussion | Review the breach notification team, process, and materials. |
| 30 | 40 | Cyber Incident Response Process | Present the documentation. |
| 40 | 55 | Review Past Results | Review past successes and failures. If no results are available, recap the last Risk Planning Meeting or review Security Incident Reporting. |
| 55 | 60 | Reset/Break | |
| 60 | 85 | Table-Top 1 | Walk through the past security incident selected during preparation. |
| 85 | 90 | Reset/Break | |
| 90 | 115 | Table-Top 2 | Walk through the second scenario (a customer-facing mission-critical system). |
| 115 | 120 | Reset/Break | |
| 120 | 175 | Table-Top 3 | Walk through the third scenario (a mission-critical system that stops the organization from doing business). |
| 175 | 180 | Reset/Break | |
| 180 | 200 | Chaos Monkey Briefing | Brief all parties on the upcoming chaos monkey tests: tests/scenarios (allow nomination of new scenarios), timeframe, and expected impacts. |
| N/A | N/A | Chaos Monkey Report | Chaos monkey testing is expected to be completed within 14 days of this meeting, with brief results reported for each test. |

# Real Environmental Tests

Real environmental tests are specific, realistic, and targeted failures, often based on past experience. They are intended to test our detection, communication, and recovery knowledge. Each test needs specific break and fix documentation to be valid, and it must be detected and solved within 24 hours from the moment it is started. We are interested in results: failure is a result, as are detection and resolution. For each test, record the start time, the time it was detected and by whom, and the time it was resolved, so the outcome can be compared against the 24-hour limit and against the RPO/RTO of the affected asset.

> Note: not all of these tests need to be disruptive. We can test things we have mitigation activities for and simply make sure they work as expected.
{.is-warning}

| Item | Scheduled Date | Lessons Learned / Briefing Notes |
| --- | --- | --- |
| | | |
| | | |

# Risk Assessment Game

Risk assessments need not be formal or boring. Especially in this context, they can be engaging and have some semblance of fun. If time allows, we can play a risk-assessment game to encourage risk-thinking and explore new ideas. Two variants already exist, and the goal of the game is to include more staff than the core BCP team.

1. BENTO:BLOCKS. This game was created by our team and has two modes of play. Both require players to pull blocks with generic terms on them, which are used to facilitate a discussion about risks, controls, and mitigations. A note taker documents what is said, and that information can be turned into actionable insights about our operation.
2. BENTO:CARDS. While a more elaborate version can be custom-developed for your organization, a basic version includes three decks of cards: Thing, Action, Consequence. A card is randomly selected from each deck to form a phrase, and team conversation ensues.
3. BENTO:CHOICE. You do you. Follow our risk assessment guidance.