


by David Geer

3 MORE tabletop exercises for business continuity

Oct 22, 2012 | 7 mins
Business Continuity, Disaster Recovery, Security

Practice makes perfect - so put your BC/DR plans to the test

An earlier set of 3 tabletop exercises has proven popular over the intervening years, so here’s another troika for testing your processes for resilience or recovery.

You know the drill: Appoint a moderator, gather a team representing multiple departments within the organization (and ideally some outside business partners as well) and work through a scenario, one stage at a time. Allow interaction and discussion after each segment’s information is released.

Does each department have the necessary processes in place to handle the given sequence of events? How will the necessary communication take place? What unforeseen employee needs might arise? Are business partners adequately prepared?

Modify these exercises to best fit your particular organization’s profile.

Scenario One:

Chemical Explosion

Segment One: Rail cars carrying a highly flammable chemical compound explode near the data center, taking out a section of track and a stretch of two-lane road at an adjacent crossing, spewing toxins into the air. Data center employees hear the blast and begin frantically contacting family, colleagues and emergency services. Emergency services deploy and call for a general evacuation, including the data center and its attached offices.

Segment Two: Due to the toxins, the fire department insists that the data center evacuate immediately. Data center technicians can’t fire up the diesel engines because they may spark, igniting the toxins, so the data center must go completely dark.

Fearful employees, including some of the people needed to switch the data center over to the disaster recovery (DR) or backup site, leave to pick up children and elderly family members.

All this leaves the data center without the time or expertise to declare a disaster, cut over to the remote DR site, and power down and close the facility properly. The data center loses untold quantities of data in the process.

Segment Three: Management attempts to notify team leaders to interact with each other to escalate communications and response as everyone is leaving. But in the panic, and with smartphones tied up contacting loved ones, the chain of communications breaks down.

The fire department informs management that their designated meeting place is inside the danger zone and they must pick a new meeting place and inform all employees to go directly there. Management does not have a second location in place further out and chooses a parking lot near a busy highway intersection, during rush hour and the evacuation of the larger area.

Segment Four: Not everyone receives updates about the new meeting place, so while some go to a safe meeting spot, others go to the original meeting area, and still others don’t show up at all. The wind picks up, moving the toxic air toward the first meeting area. Reporters, who are asking lots of questions, meet the people who make it to the furthest meeting place. These employees are not the marketing-savvy media relations executives, so they are not able to give appropriate status updates and instead say things to the media that are inappropriate, inaccurate and misleading, causing further confusion and panic.

-With suggestions from Bob DiLossi, director of crisis management at Sungard Availability Services

Scenario Two:

Primary Supplier Cannot Deliver

Segment One: The enterprise receives a call from a primary vendor, a supplier of raw materials for the company. The vendor-supplier has experienced significant damage to its manufacturing plant from a hurricane, and there are no forecasts as to when the plant will be back up and running. At this time, the vendor can only speculate that it will be able to ship 30 percent of the usual order. This material is a critical component of the enterprise’s finished product and is usually most available from this single-source vendor, with few if any other vendor-suppliers.

Segment Two: Upon further inspection by the vendor and the regulatory agencies in the vendor’s industry, the vendor has shut down the plant with its damaged facilities and equipment until it makes all necessary repairs. The vendor will not make any product deliveries for at least two or three months. Without critical supplies, the enterprise cannot provide finished products or services to its customer base. There is a small reserve of materials onsite that will last about 35 days.

Segment Three: The enterprise will need to qualify an alternative material supplier that meets requirements laid out by client agreements and industry regulations. If the enterprise does manage to identify a supplier, it may be located overseas, creating new logistics challenges.

The enterprise starts looking closely at two potential qualifying vendors, one in China and one in a small, volatile developing country in the east.

Segment Four: When vetting the potential vendor in China, the enterprise uncovers a trail of broken contracts in which the foreign vendor supplied diluted raw materials that were deemed unsatisfactory. The enterprise turns to the one remaining producer of the raw materials.

As the enterprise is about to reach full approval for the new supplier, an internal conflict breaks out in the small eastern nation, a coup ensues and powers opposing the new leadership call for boycotts of the small country’s exports, including raw materials, putting pressure on the enterprise’s international relations.

-With suggestions from Mark Madar, director of risk management and quality assurance at CBIZ Risk and Advisory Services

Scenario Three:

Angry IT guy

Segment One: A systems engineer or administrator who foresees imminent layoffs is working on internal systems. The enterprise has upgraded his access rights and turned off monitoring systems so he can complete his work. Due to fears of termination, he installs back doors everywhere.

Because the enterprise elevated his administrative privileges and disabled the monitoring systems, and because he uses stealthy back doors that are set to activate after the company fires him, IT has no visibility into what he has done or what will happen in the coming months.

Segment Two: The enterprise fires the systems guy, along with many of his colleagues and friends, in a massive layoff. Once the back doors open, he siphons off stores of intellectual property and customers’ personally identifiable information. He next launches a malicious, stealthy attack that renders multiple data backups useless. The data center is unaware of this until some time later, when it tries to restore data in a crisis.

Segment Three: During the crisis, the data center discovers that the data is corrupted and so attempts to restore from backups. Finding the disk-based backup data unrecoverable, IT must rely on tape backups, losing the most recent week’s data, which was not yet archived.

In the meantime, the disgruntled ex-employee finds a buyer for the stolen data on the black market and sells it for less than its true worth.

Segment Four: The black market data buyer is part of a hacker group that holds stolen data for ransom. On a highly visible website, the hackers publish just enough of the data to prove they have it, and demand a larger sum than they paid for it to return the data without publishing or re-selling it further.

While the enterprise mulls its options, regulatory bodies get wind of the data-protection fiasco. The media reports on the shocking debacle just as affected parties and customers launch a massive lawsuit. As e-discovery begins, the enterprise realizes it will not be able to produce at least a week’s worth of data.

-Based on suggestions from Brian Barnier, principal analyst at ValueBridge Advisors, and Jeremy Suratt, senior solutions marketing manager at Iron Mountain’s Data Backup and Recovery practice