Incident Response Plan
Testing Contingency Plans
Very few plans are executable as initially written; instead, they must be tested to identify vulnerabilities, faults, and inefficient processes. Once problems are identified during the testing process, improvements can be made, and the resulting plan can be relied on in times of need. The following strategies can be used to test contingency plans:
- Desk check: The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components. The simplest kind of validation involves distributing copies of the appropriate plans to all individuals who will be assigned roles during an actual incident or disaster. Each of these individuals performs a desk check by reviewing the plan and creating a list of correct and incorrect components. While not a true test, this strategy is a good way to review the perceived feasibility and effectiveness of the plan and ensure at least a nominal update of the policies and plans.
- Structured walk-through: The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through. In a structured walk-through, all involved individuals walk through the steps they would take during an actual incident or disaster. This exercise can consist of an on-site walk-through, in which everyone discusses their actions at each particular location and juncture, or it may be more of a talk-through (a form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization), in which all involved individuals sit around a conference table and discuss, in turn, their responsibilities as the incident unfolds.
- Simulation: The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts. In a simulation, the organization creates a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred. The simulation usually involves performing the communications that should occur and specifying the required physical tasks, but it stops short of performing the actual tasks required, such as installing the backup data or disconnecting a communications circuit. The major difference between a walk-through and a simulation is that in simulations, the discussion is driven by a scenario, whereas walk-throughs focus on simply discussing the plan in the absence of any particular incident or disaster. Simulations tend to be much more structured, with time limits, planned AARs, and moderators to manage the scenarios.
- Full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals. In full-interruption testing, the individuals follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals. This exercise is often performed after normal business hours in organizations that cannot afford to disrupt or simulate the disruption of business functions. Although full-interruption testing is the most rigorous testing strategy, it is unfortunately too risky for most businesses.
At a minimum, organizations should conduct periodic walk-throughs (or talk-throughs) of each of the CP component plans. Failure to update these plans as the business and its information resources change can erode the team’s ability to respond to an incident, or possibly cause greater damage than the incident itself. If this sounds like a major training effort, note what the author Richard Marcinko, a former Navy SEAL, has to say about motivating a team:*
* Marcinko, R., and J. Weisman. Designation Gold. New York: Pocket Books, 1998.
- The more you sweat to train, the less you bleed in combat.
- Training and preparation can hurt.
- Lead from the front, not the rear.
- You don’t have to like it; you just have to do it.
- Keep it simple.
- Never assume.
- You are paid for results, not methods.
One often-neglected aspect of training is cross-training. In a real incident or disaster, the people assigned to particular roles are often not available. In some cases, alternate people must perform the duties of personnel who have been incapacitated by the disastrous event that triggered the activation of the plan. The testing process should train people to take over in the event that a team leader or integral member of the execution team is unavailable.