Standard:
YALE-MSS-3.2: Test the Disaster Recovery Plan
YALE-MSS-3.2.1: Test the Disaster Recovery (DR) plan once a year
- Low Risk Endpoint: Not Required
- Moderate Risk Endpoint: Not Required
- High Risk Endpoint: Not Required
- Low Risk Server: Not Required
- Moderate Risk Server: Not Required
- High Risk Server: Upcoming; Required for HIPAA
- Low Risk Mobile Device: Not Required
- Moderate Risk Mobile Device: Not Required
- High Risk Mobile Device: Not Required
- Low Risk Network Printer: Not Required
- Moderate Risk Network Printer: Not Required
- High Risk Network Printer: Not Required
Details
Test the DR plan regularly; a reasonable recommendation is once a year.
Common options for testing include the following:
- Paper test: individuals read and annotate recovery plans.
- Walkthrough test: groups walk through plans to identify issues and changes.
- Simulation: groups go through a simulated disaster to identify whether emergency response plans are adequate.
- Parallel test: recovery systems are deployed and tested to see if they can perform actual business transactions to support key processes. Primary systems still carry the full production workload.
- Cutover test: recovery systems are deployed to assume the full production workload. Primary systems are disconnected.
The choice of a testing option is driven by multiple factors. A complex system may require more than just a paper test. If testing happens frequently, perhaps setting up a cutover test each time doesn't make sense. If it's difficult to find availability for all test participants, maybe a tabletop simulation requiring everyone is a poor option. The type of testing selected should fit the scope and needs of the system and its team.