Tech Time: Maintaining a Business Continuity Testing Strategy
“Yes, annually.” Were I to ask executives at your credit union if you perform a regular disaster test, I suspect that would be the answer. The question of how this testing fits into the credit union’s business resumption testing strategy is what I hope to answer with this article.
Your credit union’s business continuity or resumption testing strategy is the enterprise-level plan developed to determine—through completion of various exercises and training—how well it is prepared to prevent, protect, mitigate, respond and recover when a business-interruption event occurs.
- Enterprise-level means the strategy extends beyond just examination of computer systems, networks, and IT personnel to include all employees, departments and areas.
- Training includes spending time, money and resources to provide initial training to employees on business resumption tasks and any additional training needed based on exercise results.
- To prevent, protect, mitigate, respond and recover requires that plan, exercise and training objectives look beyond just how well the credit union is able to recover from an interruption and include objectives for each of these areas and the responsibilities that go with them.
In addition, your strategy should provide for the following objectives:
- Identification and involvement of key stakeholders—Internal stakeholders include credit union personnel and the board of directors. External stakeholders could include various vendors, auditors and regulators. Once stakeholders are identified, their roles, duties and requirements should be documented.
- Development and management of a multi-year training and exercise program—Similar to other enterprise strategies, the testing strategy should build upon and support a common set of objectives while planning exercises and training across multiple (three to five) years.
- Progressive exercise development and management—Exercises should be planned and managed based on increasing levels of complexity over time.
- Rolling summary of exercise reporting—A rolling summary of issues, concerns, trends, outcomes and results should be used when reporting to stakeholders, to assist in analysis and determination of how well the strategy is meeting credit union objectives.
- Full resource identification and provisioning—The strategy should identify and outline how the full range of needed resources (staff, equipment, tools, funds, budgets, training, etc.) will be developed, managed and utilized.
In creating the strategy and the (multi-year, progressive) exercise program, the credit union should identify, at a high strategic level, the priorities to be used for development of exercise objectives. For example, exercises involving fires, tornadoes and hurricanes will make the preservation of human life the priority. For cybersecurity exercises, a priority may be meeting system recovery-point objectives (how much data may be lost) and recovery-time objectives (how long a system may be down).
When developing the corresponding training program, ensure its objectives and priorities align with and support the exercise priorities and objectives.
In working through the testing strategy, the credit union should ensure the guidelines or requirements for exercises are built around the following principles:
- Capability-based and objective-driven—Exercise objectives should be aligned with the credit union’s current capabilities and not include items knowingly beyond what can be reasonably expected for credit union personnel and involved stakeholders (e.g., vendors) to achieve. Exercise objectives should also follow S.M.A.R.T. (specific, measurable, achievable, relevant and time-bound) objective principles.
- Progressive complexity over time—Developed exercises, priorities and objectives should increase in complexity over time as goals, milestones and objectives are achieved and capabilities expand. For example, the credit union may start using just one office for an exercise and then expand it to include another, then another, then more, until all offices are included.
- Risk-based—The exercise objectives, priorities and capabilities tested should be based on completion of appropriate risk assessments (i.e., examination of threats, determination of their likely frequency, and analysis of their impact).
- Standardized methodology—Exercise development and planning should examine and align with incident and security management best practices and necessary credit union core capability areas (e.g., incident prevention, protection, mitigation, response and recovery). Exercises should also be designed, conducted, and evaluated using a single set of tools (questionnaires, forms, reports, etc.) to ensure interoperability and unified understanding of exercise goals, requirements and results.
The credit union of today is not the credit union of yesterday, nor is it likely to be the credit union we see tomorrow. To ensure the credit union can continue operations in the face of changing challenges—just as it uses loan, share, asset, IT and personnel strategies to meet current and future obligations—testing of its business resumption abilities needs a deliberately developed strategy rather than an annual test performed out of habit. Through strategic testing and training, the credit union can better prepare and more effectively ensure it is there for its members when difficulties arise.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security, and technology risk management.