Year 2000 Business Impact Analysis

Year 2000 Business Continuity and Contingency Planning

4.0 Testing

The objective of business continuity testing is to evaluate whether individual contingency plans are capable of providing the desired level of support to the agency’s core business processes and whether the plans can be implemented within a specified period of time. In instances where a full-scale test may be too costly, the agency may consider end-to-end testing of key contingency plan components. An independent audit of the plan can validate the soundness of the proposed contingency strategy. Similarly, a legal review can provide assurance that the plans comply with government regulations and that liabilities and exposures are being adequately addressed.

Key Processes
4.1 Validate business continuity strategy
4.2 Develop and document contingency test plans
4.3 Establish test teams and acquire contingency resources
4.4 Prepare for and execute tests
4.5 Validate the capability of contingency plans
4.6 Rehearse business resumption teams
4.7 Update the business continuity plan based upon lessons learned and re-test if necessary
4.8 Update disaster recovery plans and procedures

4.1 Validate business continuity strategy

Develop and implement a strategy for validating the business continuity plan within the time that remains. A typical strategy defines a minimum number of individual and joint exercises that combine training with testing. There are several common techniques that can be employed, including reviews, rehearsals, and quality assurance audits.

4.2 Develop and document contingency test plans

Define and document the contingency test plans. Review the test plans and make needed changes. Ensure that management approves the plans. Disseminate the documents, provide guidance, and establish a help desk. Test plans should address the following:

test objectives,
test approach,
required equipment and resources,
necessary personnel,
schedules and locations,
test procedures, and
expected results and exit criteria.

4.3 Establish test teams and acquire contingency resources

Establish test teams responsible for preparing and executing the contingency plan tests.
Test preparation may include leasing a test facility and hiring and training needed staff.

4.4 Prepare for and execute tests

Assign responsibilities to test team members, including executives, observers, and contractors.

4.5 Validate the capability of contingency plans

Validate the functional capability of each contingency plan. Examine test results for accuracy and consistency and note discrepancies. For each contingency plan, ensure that

there is adequate capability to manage, record, and track the contingency transactions through the alternative business process;
the manual activities in particular, and the alternative business process in general, meet an acceptable level of performance;
an acceptable level of quality control is provided to critical parts of the alternative business process, and an acceptable level of integrity and consistency is provided to alternative databases;
an acceptable level of security is provided to the data captured by an alternative data capture mechanism;
contingency database requirements have been defined for alternative implementation modes, and contingency bridges can provide conversion from the contingency environment back to the “normal” production environment; and
any functional differences between the normal business process and the alternative business process can be reconciled or adjusted at the database level.

4.6 Rehearse business resumption teams

Rehearse business resumption teams to ensure that each team and team member is familiar with business resumption procedures and their roles.

4.7 Update the business continuity plan based upon lessons learned and re-test if necessary

Resolve shortcomings and problems noted during testing and update each continuity plan. When under time constraints, prioritize the problem areas. For example, procedural problems involving internal administrative functions are not as serious as technical problems directly affecting the resumption of operations. Ongoing changes in systems, software, applications, communication, and operations will also require updates to the plan. A re-test may be required to ensure that the problems do not recur and that the updated plan does provide the specified capability.

4.8 Update disaster recovery plans and procedures

Update disaster recovery plans. Ensure that all newly developed or acquired contingency applications and other software components are included in the disaster recovery update cycle. Overview| |Initiation| |Business Impact Analysis| |Contingency Planning| |Testing The Disaster Center Year 2000 Page| |The Disaster Center Index Page

Formated from text provided by: The United States General Accounting Office Accounting and Information Management Division HTML format Copyrighted by The Disaster Center 1998