Testing & Validation Program Development (T&VPD)

As a follow-up to the Simulation and Continuity of Operations (CoOP) strategy development, this activity focuses on defining the actual test and organizational capabilities required to meet the organization’s strategic resiliency goals. The prior activity defined critical dependencies and partnerships required to keep the business up and running during a disruptive event. During this portion of the planning lifecycle, the methods, pre-negotiated agreements, communications, escalation methods, and rules of engagement are documented and agreed upon by all key stakeholders.

Critical 3rd parties are engaged to verify they understand your organization’s expectation of them in response to a realized threat or disruptive event. This activity frequently addresses specific types of testing ranging from infrastructure, application, and organizational crisis response. The use of red, blue, and purple teaming exercises allows for a broad range of scenarios and response planning.

Good practices frequently recommend leveraging internal teams to conduct preliminary testing to verify key stakeholders understand their roles, responsibilities, and escalation procedures. The use of external testers can be limited to a small scope of assets or threat scenarios (e.g., internet-facing properties). More comprehensive red teaming exercises can approach the threat posed by a very capable bad actor and include targeted social engineering as well as facility intrusion attempts in addition to cyber threat vectors. The desired target capability for most organizations should consist of at least a bi-annual purple teaming exercise that involves a simulated event against production systems, critical facilities and provides for the participation of industry partners to achieve a level of realism that cannot be simulated in more controlled testing scenarios.

Below is a high-level list of testing and validation considerations that should be included in verifying an organization’s Continuity of Operations (CoOP) response to a disruptive event.

• Overall organizational ecosystem & critical partners response (e.g., utilities)
• Public relations engagement
• Social media monitoring and engagement
• Reputation & brand protection considerations
• Supply chain & alternate supplier contingency planning
• Alternate facility contingency planning (Hot & cold sites or remote backup teams)
• Law enforcement & regulators engagement
• Commercial responders (forensics, insurance, payment brands)
• Application & hosting provider testing (static, dynamic, continuous, penetration)
• Network & infrastructure hosting or providers (mobile, cloud, SaaS, PaaS, IaaS)
• Data protection & loss prevention
• Critical service interruption (reciprocal agreements)
• Disruptive activist shareholder
• Facility and physical plants