Continuity of Operations – CompTIA Security+ SY0-501 – 5.6

Maintaining the technology for an organization can be a challenge in the best of circumstances. In this video, you’ll learn about planning for disaster with tabletop exercises, after-action reports, failover plans, and more.

<< Previous Video: Geographic Considerations Next: Security Controls >>


If you’ve built a plan for a security incident, it’s always a good idea to use that plan in a test, but putting together a full-scale test of a disaster drill can cost a lot of money and a lot of time. A lot of the logistics and thinking through the process can be done by analyzing the process in real time.

You don’t necessarily have to have a physical drill with everyone involved if you’re really just trying to determine if your plan is viable. Because of this, it’s common to get all the key players together in a room around a table and have what’s called a tabletop exercise. This is where you don’t actively participate in a disaster drill, but you do step through the process with everyone in the room and talk about exactly what happens at what time.

If you’re planning a tabletop exercise, there needs to be some idea of the total scope. Will this be an internal group of people going through a disaster drill or do we need to bring in third parties from the outside– from law enforcement and other organizations– to also participate in the drill? We also need to think about how large the scope will be for this disaster. Will this be contained in a single room because we had a pipe break? Or will this be a very large-scale disaster that involves many different people?

If possible, you’ll have everyone in the room that will need to participate in this tabletop exercise. And it may be the case that they don’t know what they’re walking into. They only know that they’re coming to participate in the tabletop exercise, and only then do you provide them with the details of what the disaster drill might be.

During this tabletop exercise, you’ll be able to put into action all of these plans that you have made, but you also need to be flexible. During a disaster, not every piece of information will be available and not all resources will be available to you. In that particular case, you need to use this tabletop exercise to find out where the gaps might be and what some contingencies might be if a real disaster was to occur.

Once the disaster exercise is over, we can then look back at how we did. To be able to do that, we need to understand what the total scope was of the exercise and what the objectives were to get everything back up and running. Our after action report could also include the methodology of the disaster drill so that we know exactly what the explanation was for the entire exercise.

It’s useful to include in an after action report details about the things that worked very well and information about the things that didn’t work well at all. You need to be able to plan for the next drill, and having that information will help you understand everything that is correct in your plans and the things that need to be updated. This means that we may be updating procedures, we may be adding new tools to our toolbox, and anything else that can help us prepare for the next disaster, should it occur.

Many organizations will have a disaster recovery site that they can use if something does occur with the primary location. This recovery site is usually prepared and has data synchronization or any other resources you need to bring that site up and running. When a disaster is called, all of your business processes will then failover to this disaster recovery site.

This site may remain up and running for weeks or even months, depending on the scope of the event. And eventually you’ll need to revert back to the original location. This is a relatively involved process to make the switch over to the disaster recovery site, and it’s just as complex to move everything back to the original location. It’s important to document things as they occur in both directions so that as you move things into the disaster recovery site, you’ll understand what the challenges might be for moving things back.

It’s also a good idea to have an alternative business practice. We know that when disasters strike, everything can be disrupted, even the technology that we rely on every day to perform our business processes. So there needs to be some type of alternative. If you’re processing transactions on a computer or over the network, maybe you want to be able to process those transactions on paper and provide paper receipts. Instead of automated credit card approvals, you may have to pick up a phone and manually process those approvals.

The time to roll out this alternative business practice is not when a disaster occurs. You want to have gone through the practice and understanding of exactly what it takes to keep everything up and running, even if a disaster has occurred around you.