Disaster Recovery: The Board Game
Helping organizations plan and prepare for recovering from system disasters. You can download for free a copy of the game materials described in this article by going here: DRGameContents.
The object of the game is to review potential disaster scenarios, identify the impact of each scenario on information systems, and identify potential preparedness problems with existing recovery plans, such as lack of equipment, staffing, expertise, or recovery options for particular scenarios.
The game works best if ahead of time a network diagram is created that provides the following details for the existing information system:
- Local network geographic locations
- Workstations, network switches, routers, servers, phone systems, and related equipment
- Local and Wide area network connections, speeds, and carriers
- Existing contracts for business continuity services
- Matrix of existing IT staff and areas of expertise
Where possible, the network diagram should identify the high level systems in place in the organization, and degree of criticality of each system to continued business operations in the event of a disaster. The criticality of a system determines its priority in a recovery effort.
In addition, if the organization has a policy on systems availability or the operations of the organization during particular disasters, this policy should be available to staff in the meeting. This policy may identify disasters where the organization will continue to operate, the chain of command to respond to system disasters, and organizational expectations for recovery time objectives.
With the network diagram, the IT/IS department should meet with its leadership and senior staff, and some representatives from the business units served by the information systems for approximately two hours. A member of the meeting should be designated to take notes on the course of the meeting, and a different member should be designated as moderator. Notes taken should be organized by disaster, and should identify which staff resources were available during each scenario, potential issues with recovery that were identified during the discussion, and open questions about configuration or recoverability.
1. The game board provides spaces for up to eight physical locations. If the organization has more than eight physical locations, locations can be grouped into logical parts,perhaps by geographic or by business unit. Equipment available in each location should be placed from the resource
cards deck into each location on the board, with the largest location should be placed in location A. Disaster scenarios may make one or more locations unavailable, including the resources within that location.
2. Gameplay begins by a member of the meeting drawing a disaster scenario card from the disaster scenario deck. Each scenario provides a designation of the likelihood that staff will be unavailable to help in the recovery effort according to the following:
a. 10% chance of unavailability corresponds to rolling the following numbers of the dice: 3 or 11
b. 50% chance of unavailability corresponds to rolling the following numbers of the dice: 5 or 6 or 8 or 9
c. 80% chance of unavailability corresponds to rolling the following numbers of the dice: 3 or 5 or 6 or 7 or 8 or 9 or 11
3. Each IT/IS staff member should roll the dice, and depending on the combination, be identified as available or unavailable to respond to the disaster. Unavailable staff can still participate in the discussion of the game, but their knowledge and skills will not be available if needed for the system’s recovery.
4. Once all staff have rolled to determine availability, the designated moderator of the meeting should solicit discussion from the members of the meeting for the topics drawn from the Discussion Topic cards.
5. The designated note taker from the meeting should endeavor to fill out the forms provided, with particular emphasis on single points of failure, issues that would prevent a recovery of a failed system, and other problems identified during the exercise. These issues can be used to develop a plan to address shortfalls in the present disaster recovery plan, and for budgeting for new staffing, capital items, or other resources required to recover
from a particular scenario.
Interested in discussing or scheduling a table top exercise? Contact us for more information. Want to read more about NIST’s recommendations for table top exercises? Click here to download the NIST publication 800-84.