⬡ PBQ ACTIVITY

Facilitate a BCDR Tabletop
Exercise

You are a disaster recovery specialist at a university. Use the scenario to plan and facilitate a Business Continuity and Disaster Recovery tabletop exercise for your team.

□ Scenario

You are a disaster recovery specialist working for a local university. The IT services team you lead just finished writing an updated Business Continuity and Disaster Recovery (BCDR) plan. The university has a variety of goals with stakes in research, education, and healthcare. The BCDR plan addresses the steps required to resume normal business operations, which systems and departments are mission-critical, and the responsibilities of leaders and personnel in various disaster scenarios.


The BCDR plan addresses several disaster scenarios, ranging from IT-centric DDoS attacks to physical disasters resulting in destroyed servers and disks or lost work areas. It defines recovery tasks and sub-tasks, the personnel responsible, and prioritizes the tasks by department and function. The BCDR plan includes a timeline for tasks to be accomplished. It also lists critical vendors, contact information, and specific types and quantities of resources required to achieve partial and complete recovery.


The next step is testing the procedures laid out in the BCDR plan. Your task is to plan tests for your team's BCDR plan and determine the scope and nature of the tests. You also write up a detailed fictional scenario for use in these tests. The scenario consists of multiple disruptions. In the scenario, a fire breaks out in the server room in the administrative building, compromising over 80% of the student account data. This incident occurs during a wave of influenza, and 30% of staff members are at home sick. The fire has also affected about 10% of the servers containing patient medical data in the nearby health services administration building.

Key Points in the BCDR Plan:

  • At least two heads of departments to "call" a disaster
  • A single "warm" site is available that can be quickly converted for use
  • Maps of meeting points for employees, including routes
  • Vendor contact information
  • Communication plans – who is responsible for informing whom?
  • Alternative process flows for failures in primary processes
  • Easy-access checklists for what to do and what not to do
  • Which systems to recover, in which order, and how to do so
  • Non-technical responsibilities of end users

Scope of Testing:

  • Non-recoverable systems or irretrievable data loss
  • Missing dependencies, software errors or missing recovery-time objectives
  • Lack of familiarity and comfort with disaster recovery processes on the part of employees, staff and department leaders

To return this interactive to its initial state, click Reset.

▣ Evaluation Results

0/0
Score
Based on the scenario, use the dropdown selectors, checkboxes, and radio selectors to appropriately facilitate BCDR testing through the tabletop exercise.
Phase 1 Scope — You gather relevant staff for a roleplay-style tabletop exercise based on the scenario.
Gather:
Phase 2 Pre-Emergency Mitigation — You ask the BCDR team what can be changed to prevent an event such as that described in the scenario.
Despite a secure solution being in place, cloud database storage for PII is suggested. Based on liability best practices, should you take the suggestion?
Explain your reasoning:
Phase 3 Pre-Emergency Preparedness — You question the BCDR team regarding what can be done to prepare for an event such as in the scenario.
Select two sets of guidelines (in any order) that are relevant to being prepared for this scenario:
Phase 4 Emergency Response — You ask the BCDR team how they would respond to the event. Identify what you, as the facilitator, are looking for in the team's responses.
Phase 5 Post-Emergency Recovery — You ask the BCDR team what actions should be taken to recover after the event.
As the facilitator of the tabletop exercise, clarify what you are looking for in staff responses to the recovery phase: