Train for business continuity in your organization
Ultimately, your business processes are realized by interactions between your employees, partners, and customers. You can build a terrific business continuity plan, but it won't be nearly as successful if you don't train your users, administrators, and partners on it. Train your users when they're hired and run refresher training annually. Your technical staff should regularly review and make the necessary updates.
Be sure to include these key topics in your service resiliency training:
- The locations of critical business continuity resources such as call tree outlines and emergency procedures
- Clear definitions of all participant roles and responsibilities during an incident
- Incident policy guidelines and standard operating procedures
- Available alternative forms of communication, such as emergency phone bridges, social media pages, or mobile phones
- Alternative means of connectivity, including the use of Microsoft 365 mobile or web applications in the event rich clients are unavailable
Plan the exercise and exercise the plan
You should regularly practice your continuity plans and update them based on what was learned from the practice. If you don't test them, your continuity plans quickly become outdated, and most tabletop exercises are insufficient preparation for addressing the issues you encounter in a real-world test. A standard practice is to exercise each Business Continuity Plan (BCP) within 12 months (at a minimum) of the last validation. Microsoft recommends integrating continuity exercises into your routine operations more frequently, which may involve taking systems offline or temporarily disabling primary methods of communication.
When considering test scenarios, you'll need to balance the potential impact on your business of injecting faults into your production environment against the benefit of highly polished business continuity processes and skill sets. During each exercise, pay special attention to any assumptions that turned out to be incorrect, and identify any gaps in the processes you've established. A failed Disaster Recovery test exercise isn't necessarily a bad thing, as it allows you to identify problems in the plan and correct them before a real disaster strikes. Make sure you include these points in your exercise planning:
- Ensure that all BCP documentation is updated and available in secure, redundant repositories.
- Train all users and stakeholders regarding the processes and procedures you've established for the drill.
- Establish the goals of the exercise, define success criteria, and choose whether you'll notify users prior to the test or not, as this will reveal whether prior training has been effective.
- Record a detailed timeline during the test to track all actions taken by the Incident Management team.
- Test backup communication services to ensure they can fulfill the needed role.
- Test your call-tree to ensure that critical resources can be engaged using the alternative solution.
- Determine if the test was a pass or fail according to the success criteria established earlier. Any failed test should be redone within 3-6 months.
- Perform a post-drill review to identify any missteps or unanticipated gaps or issues that arose during the incident.
- Track any gaps or issues in your internal issues-management system and assign them to the proper owner for remediation.