CIR Testing and Exercising
Test Design
Designing a test is not as simple as it may sound. Various factors are involved in designing a test that can evaluate the effectiveness of the response plan and not bore the testees.
1. Principles
The approach to testing is governed (Goh, 2006) by these principles:
- Resources identified for prevention of and response to cyber security incidents should be made available during testing;
- Designers of the plan should not be involved in the testing because their judgement may be biased;
- The importance of achieving a successful outcome increases in direct proportion to the scope of the test;
- All relevant parties, including support teams, have to be involved in the test;
- Established Service Level Agreements (SLAs) are met; and
- The test should be realistic, exciting and practical without consuming too much time and resources.
2. Constraints
The following are some constraints (Goh, 2006) that organisations have when designing a test:
- Conducting tests should not impede business operations
- Not all of the components of the plan can be tested simultaneously
- Business operations with a higher priority may take precedence over the test
- Uninteresting or repetitive testing may undermine the enthusiasm of testees
- Take into consideration the cultural differences between headquarters and outside offices
3. Extent
As the organisation progresses (Goh, 2006) from plan design to plan maintenance, the number of components that need to be tested increases.
During plan design, the majority of the components of the plan have not been finalised and documented. Therefore, although the strategies to mitigate or respond to cyber security incidents have been developed and approved, it is not advisable to test them as the relevant parties still have not received the plan.
Once the plan has been documented and distributed to the respective parties, only a few components are tested. The participants lack the knowledge and skills to perform all the documented procedures immediately.
Hence, the test will start slowly and easily, allowing participants to adapt to the simulated situation. As the number of tests increases, the participants become more accustomed to the stress levels and more capable of performing the documented procedures.
Once the desired outcomes are achieved, the organisation will increase the number of tested components, raising the test's difficulty and complexity. Ultimately, the majority of the plan's components will be included in the test.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 9 Testing and Exercising 9.4 Test Design
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.