S 6.12 Emergency preparedness exercises

Initiation responsibility: Agency/company management; IT Security Management

Implementation responsibility: Head of IT Section; staff responsible for emergency preparedness (contingency planning); Administrators

Emergency preparedness exercises serve to check the effectiveness of measures in the field of contingency planning. On the one hand, the effective and smooth execution of a contingency plan will be tested in an emergency preparedness exercise, and on the other hand, previously undiscovered shortcomings will be detected. Typical exercises are:

• alerting exercise;

• conducting fire drills (c.f. S 6.17 Alert plan and fire drills);

• functional testing of generators;

• restart after failure of a selected IT component; and

• restoring of data backups.

The results of an emergency preparedness exercise must be documented.

Emergency preparedness exercises are to be held at regular intervals. Since such exercises can have a disruptive effect on normal operations, their frequency should be geared to the threat scenario; however, the pertinent exercises should, as a minimum, be held once a year. Staff training activities (first-aid, fire-fighting, etc.) must be carried out to a necessary extent.

Before an emergency preparedness exercise is held, prior approval must be obtained from the agency/company management.

Additional controls:

• Are emergency preparedness exercises held at regular intervals?

• Do detected shortcomings give rise to a revision of contingency plans?