WIXLIB

D. Develop the ScenarioTest scenarios should reflect actual risks and threats to the daily operations of the agency.Scenarios should be designed to support the goals and objectives of the test and to fitwithin the scope. For example, simple scenarios may involve server problems that affecta single business unit, while more complicated scenarios may involve multiple threats tomultiple facilities.E. Prepare Evaluation Method and MaterialsDetermine ahead of time how the test will be evaluated. There are a multitude ofevaluation methods. This document will discuss two forms: non-participating testevaluators and participant survey evaluation. Test Evaluators -An agency may identify one or more "test evaluators" to observe the test toevaluate the successes and failures without participating themselves. Evaluatorsmust be aware of the exercise goals and objectives, the overall scenario, as well aswhat activities and actions will take place during the exercise. During the test, theevaluators will document the actions taken, monitor the timeline, note anyproblems encountered during the test, and collect data necessary to evaluate thetest. The evaluators will be responsible for analyzing and assessing this data tocreate a test evaluation report. The evaluation report should include strengths andweaknesses of the business continuity plan, an assessment of the goals andobjectives of test, and recommendations for revisions to the plan. The reportshould be used as a guide to improve the business continuity plan and future tests. Participant Surveys -An agency may choose to survey test participants following the completion of atest. The collection of surveys allows a range of perspectives to be analyzed.Participant surveys should review the objectives and goals of the test and askparticipants to evaluate whether those goals were achieved. The test coordinatorwill collect and analyze the survey results to produce the evaluation report. Theevaluation report should include strengths and weaknesses of the businesscontinuity plan, an assessment of the goals and objectives of test, andrecommendations for revisions to the plan. The report should be used as a guideto improve the business continuity plan and future tests.F.Sample "Test Planning Checklist"Note: Depending on the number of people to be included in your test and the complexityof the proposed test, you may decide to use a checklist with different items and timelines.Adapted from the Treasury DepartmentState of Oregon DASBCP Testing Guide - Sept 2008.docPage 59/19/2008

TEST PLANNING CHECKLISTIII.DESK CHECK TESTSA. PurposeA desk check test can be used to introduce participants to the plans and proceduresoutlined in the business continuity plan. It can be as simple as walking through thedocument with the business owner to review specific components for the accuracy.Ideally, this type of test will serve as a validation of the plans and procedures and shouldbe conducted before any other testing occurs.A desk check test can be used to validate multiple components of the BCP, for example: Emergency Call Tree verification for staff. Can all of your staff be reached? Isthe information current?Key procedure validation. Does the plan accurately detail the process procedure?Availability of process specific resources during plan implementation. Forexample, if a manual process requires a date stamp to process incomingdocuments, is this stamp something that you have on hand? Does the user knowwhere to find this resource? Can the process be completed without this resource?Business partner contact information verification. Do you have current contactinformation for all business partners?State of Oregon DASBCP Testing Guide - Sept 2008.docPage 69/19/2008

B. Suggested ScenariosScenarios for this form of testing should be kept very simple. The scenarios will makethe review of the plan more interesting and engaging to the participant(s).Examples: Activate the call tree and ask multiple participants to call appropriate people andrecord the process.IV. Ask the participant to assume a computer system is down and use the plan tocomplete a business process manually. Ask the participant to contact all business partners identified in the plan.TABLETOP TESTSA. PurposeA tabletop test simulates an incident in an informal, stress-free environment. As the testname implies, the participants who are usually the responsible managers and the responseteams gather in a room to discuss general problems and procedures in the context of anincident scenario. The focus is on training and familiarization with roles, procedures, andresponsibilities.The tabletop is largely a structured walk-through guided by a facilitator. Its purpose is tosolve problems as a group. A scenario is developed in advance but there are no attemptsto arrange elaborate facilities or communications. Evaluators may be selected to observeproceedings and progress toward the objectives.Tabletop Testing can be either basic or advanced. A basic tabletop test has a singlescenario. The scenario describes an event or emergency incident and participants discusstheir decisions and actions as if they were actually experiencing the event at that time. Ina basic tabletop exercise only one critical business function is tested. The test may alsobe focused on only testing emergency response procedures or only communication andcoordination procedures.An advanced tabletop test has several scenarios given one at a time to participants tosimulate the problem. The facilitator usually introduces problems one at a time in theform of a written message, simulated telephone call, videotape, or other means.Participants discuss the issues raised and apply appropriate plans and procedures to solvethe problems. Under advanced tabletop testing, multiple parts of the Business ContinuityPlan are tested simultaneously.State of Oregon DAS.BCP Testing Guide - Sept 2008.docPage 79/19/2008

B. Example DocumentsAttachment ASee Attachment A for an example from the Oregon Youth Authority. "OYABusiness Continuity Table Top Exercise" from July 17, 2008.Attachment BSee Attachment B for a sample tabletop test scenario.V.SIMULATION EXERCISESA. PurposeThis type of exercise involves a predefined scenario which is developed prior to theevent. It is unannounced and once started it is timed from beginning to end. The exerciseaddresses the scenario using only the plan. It is used to determine the state of readinessand awareness of the plan's response teams. The purpose is also to incorporateassociated plans and tests accuracy of call trees and supplier or recovery vendor lists.More details: Simulation exercises widen participation to all those who are to be involved inbusiness recovery. Such tests are conducted without prior notice to all employeesconcerned. In this type of test, an interruption, such as a simulated building fire, provides ascenario in which employees do not have access to normal facilities and mustrecreate the working environment in an alternative location. In addition, role-plays are used to ensure that business continuity activities such ascustomer services, public relations and legal affairs can operate under simulatedconditions of a disaster. In advance of the test, specific staff may need to beassigned to roles to ensure that you are testing their specific functions.Throughout the exercise, a team of observers is responsible for recording howrecovery activities were undertaken, whether they conformed to procedures laiddown in plans, and whether problems or omissions in the plan became apparent.Since a simulation exercise is designed to test the integration of plans from the zerohour to 72 hours or more, often a system of "accelerated time" is used, whereby thesimulation requires all steps to be completed in a quarter of the time normallyrequired.B. AssistanceSimulation testing is the most difficult form of testing to plan and execute. TheEnterprise Business Continuity Office recognizes the difficulty in planning and executingsuch an exercise. We are willing to help develop scenarios for those agencies planningsimulation exercises.State of Oregon DASBCP Testing Guide - Sept 2008.docPage 8Q/19/7008 W8

C. ExamplesThe following examples are only meant to showcase recent, local simulation exercises.These exercises were conducted on a very large scale. The Enterprise BusinessContinuity Office does not expect agencies to conduct simulation exercises on this level.TOPOFF4Background:Conducted in October 15-19, 2007, the TOPOFF 4 Full-Scale Exercise featuredthousands of federal, state, territorial, and local officials. These officials engaged invarious activities as part of a robust, full-scale simulated response to a multi-facetedthreat. The exercise addressed policy and strategic issues that mobilized preventionand response systems, required participants to make difficult decisions, carry outessential functions, and challenge their ability to maintain a common operatingpicture during an incident of national significance.Scenario:The TOPOFF 4 Full-Scale Exercise was based on National Planning Scenario 11(NPS-11). The scenario began as terrorists, who have been planning attacks inOregon, Arizona, and the U.S. Territory of Guam, successfully bring radioactivematerial into the United States. The first of three coordinated attacks occured inGuam, with the simulated detonation of a Radiological Dispersal Device (RDD), or"dirty bomb," causing casualties and wide-spread contamination in a populous areanear a power plant. Similar attacks occured in the hours that followed in Portland andPhoenix.Highlights: Conducted in October 2007, TOPOFF 4 took place in Portland, Ore.; Phoenix,Ariz.; and for the first time, the U.S. territory of Guam as well as in Washington,D.C. for federal partners. The exercise built on past lessons learned while adding new goals, including: anincreased level of coordination with U.S. Department of Defense exercises tocombat global terrorism, closer cooperation with the private sector, an expandedemphasis on prevention, a deeper focus on mass decontamination and long-termrecovery and remediation issues, and strengthened coordination andcommunications with international allies. More than 15,000 participants representing federal, state, territorial, and localentities, as well as the governments of Australia, Canada, and the UnitedKingdom, participated in the exercise. All venues responded to a radiological RDD attack. For more information:http://www.dhs. go v/xprepresp/training/gc l 179350946764.shtmState of Oregon DASBCP Testing Guide - Sept 2008.docPage 99/19/2008

City of Salem Airport Exercise September 2007Salem's McNary Airport is required by the federal government to exercise at a fullscale level every three years, with less intense drills on intervening years. All partnersto an aircraft accident, from Willamette Valley 911 to Salem Hospital, were broughttogether to exercise their respective skills in this mass casualty event. The Salem FireDepartment's Emergency Operations and Medical Services divisions exercised theircommand and control and mass casualty plan in coordination with the city'sambulance service contractor. Unified Command was established and outside serviceswere also involved in the treatment and transport of the sick and wounded.Over 300 persons were involved in Salem's Airport 2007 Disaster Exercise.Victim volunteers from Salem Fire's CERT teams, McKay and North Salem highschools' drama students, along with individuals from the general public providedrealism, acting as 60 aircraft victims and another 40 contamination victims for theparallel hospital scenario. CERT team members provided organization and the RedCross provided food and comfort for the participants. Fire, police, public worksand airport staff from the city provided their normal roles in this form of disastertesting. Emergency Operations Center personnel played into the scenario throughoutthe exercise. Additional participation came from the Oregon National Guard in theform of mock victims, participants and aircraft equipment as props for the event.Local businesses donated space and materials to support the exercise effort.VI.EVALUATING A TESTA. PurposeThe success of a test can only be determined if the test is evaluated. Business continuityplans are tested to assess how applicable the plan would be during an event and tovalidate documented information. Evaluating a test allows business continuity plannersto assess the data collected during observation. Evaluations can improve businesscontinuity plans and help planners to create better testing scenarios for future tests. Testevaluations may higlilight training needs, discover gaps in the business continuity plan,and identify necessary resources needed for recovery.Tests must be evaluated, through observation by test evaluators, by participant surveys,or both. Test evaluators and participants will generate the data that will be collected an'cidetailed in a test report.B. Example "Test Evaluator" FormDepartment of RevenueCritique, Comments, and Scoring Sheet for BCP TestingObjective: Evaluate the effectiveness, clarity, executability and completeness of Revenue'sBC/DR plan relative to continuing critical business functions in the event of a disaster. Establishcriteria to measure these characteristics during a test or exercise.State of Oregon DASBCP Testing Guide - Sept 2008.docPage 109/19/2008

State of Oregon DASBCP Testing Guide - Sept 2008.docPage 119/19/2008

C. Participant SurveyParticipant surveys should review the objectives and goals of the test and ask participantsto evaluate whether those goals were achieved. The test coordinator will collect andanalyze the survey results to produce the evaluation report.Potential survey questions: Did you review the BCP before the test? Are you familiar with your role on the BCP Response team? Was the test scenario understandable and realistic? Did this scenario and exercise meet the objectives of the test?How can the structure or content of the BCP be improved? How can future tests be improved? Did this test increase your understanding of your role in an emergency?Does the BCP accurately reflect the recovery needs of your business unit?D. Example "Test Evaluation Report"Attachment CSee Attachment C for an example from the Oregon Youth Authority. "OYA BCPExercise Report for Central Office BCP Test #2" from April 27, 2007.State of Oregon DASBCP Testing Guide - Sept 2008.docPage 12

VII.TESTING COMMON HAZARD SCENARIOSThere are several common hazards that can be used as test scenarios. Consider designing a testscenario around one of the following hazards. FireFire is the most common of all the hazards. Every year fires cause thousands of deaths andinjuries and billions of dollars in property damage. Hazardous Materials IncidentsHazardous materials are substances that are combustible, explosive, toxic, noxious, corrosive,an irritant or radioactive. A hazardous material spill or release can pose a risk to life, health orproperty. An incident can result in the evacuation of a few people, a section of a facility, or anentire neighborhood. Floods and Flash FloodsFloods are one of the most common hazards and widespread of all natural disasters. Mostcommunities in the United States can experience some degree of flooding after spring rains,heavy thunderstorms or winter snow thaws. Most floods develop slowly over a period of days.Flash floods, however, are like walls of water that develop in a matter of minutes. Flash floodscan be caused by intense storms or dam failure. Severe Winter StormsSevere winter storms bring heavy hazards snow, ice, strong winds and freezing rain. Winterstorms can prevent employees and customers from reaching the facility, leading to a temporaryshutdown until roads are cleared. Heavy snow and ice can also cause structural damage andpower outages. EarthquakesEarthquakes occur suddenly and without warning. Earthquakes can seriously damagebuildings and their contents; disrupt gas, electric and telephone services; and trigger landslides,avalanches, flash floods, fires and huge ocean waves called tsunamis. Aftershocks can occurfor weeks following an earthquake. In many buildings, the greatest danger to people in anearthquake occurs when equipment and non-structural elements such as ceilings, partitions,windows and lighting fixtures shake loose. Technological EmergenciesTechnological emergencies include any interruption or loss of a utility service, power source,life support system, information system or equipment needed to keep the business in operation.State of Oregon DASBCP Testing Guide - Sept 2008.docPage 139/ \ 9/2OO8

ATTACHMENT A:Oregon Youth Authority Business Continuity Table Top Exercise Table Top Exercise / NCYCF // July 17, 2008 *EXERCISE TYPE:Table Top ExerciseEXERCISE PURPOSE AND OBJECTIVES: Test the agencies Business Continuity Plan, policies and procedures Test individuals understanding of their role and responsibility, during a disasterD Test the agencies BCP Executive Teams ability to make critical business decisions Test the agencies ability to conduct a rapid situational assessment Test the agencies ability to coordinate response activities Test the agencies ability to communicate during a disaster Meet the DAS Statewide BCP Goals Test the agencies ability to restore Critical Business Functions within two daysD Test the agencies ability to restore Critical Business Functions within one weekSCENARIO NARRATIVE:July 16, 2008 at approximately 12:55pm, the Emergency Alert System provided an Alert and Warning to theGeneral Public by TV and Radio in Clatsop, Columbia, and Tillamook Counties. In addition, local publicsafety personnel were made aware by telephone, radio, pager, and a computer communication system whichnotifies County, City and State Emergency Management Officials through-out the state.Primary Objective:To restore Critical Business Functions within two days and one weekSIMULATED 24HR ALERT and WARNING:A severe storm is expected to hit the northern Oregon Coast within 24hrs. Winds of up to 100mph and heavyrain could pose a threat to life and property. The forecast indicates that Clatsop, Columbia and TillamookCounties are most likely to be at risk when the storm hits land.SCOPE:Wednesday July 16,20071:05pm the OYA Directors Office receives notice from the NCYCF Superintendent that they have just receivedinformation that a 24hr. Alert and Warning has gone out through the Emergency Alert System of a severe storm and isforecasted to hit the northern coast by noon tomorrow.1:08pm the OYA Directors Office Receives notice from the Oregon Emergency Management of the 24hr Alert andWarning that is likely to effect Clatsop, Columbia and Tillamook Counties.1:14pm the OYA Directors Office Receives notice from the Governors Office of the EAS Alert and Warning.1:25pm the OYA Directors Office Activates the BCP Executive Team and they are directed to meet in the WillametteConference Room.BCP Executive Lead Teams Response Actions to 24hr

the evaluator works with the test facilitator to analyze the results of the test and complete a test evaluation report. There may be a single evaluator or a group of . crisis management/disaster recovery teams. State of Oregon DAS Page 3 9/19/2008 BCP Testing Guide - Sept 2008.doc . II. PLANNING A TEST A. Identify the Objectives