Building a disaster scenario with staff offers a broad palette of possibilities. Situations where key employees are impacted by something -- e.g., an accident, sickness or death in the family -- can provide a realistic start to a scenario, and should be part of your business continuity/disaster recovery (BC/DR) exercise planning.
One of the primary concerns in many organizations is the loss of key staff, especially those with knowledge about mission-critical systems or processes. A good way to reinforce this important issue in your BC/DR program is for the scenario to focus on the sudden loss of more than one key person: A critical system suddenly fails, and managers realize that nobody else is trained in how to use it.
In today's world, active shooters are a real possibility, so introducing an employee who suddenly "goes rogue" may be an interesting parallel challenge to the scenario. Make the scenario more interesting in your BC/DR exercise planning by adding a series of either simultaneous or seemingly unrelated events to the mix. And it's always good to set up a "pause" in the scenario to make the participants think the scenario is over, when in fact much more is coming.
The following BC/DR exercise planning scenarios are human-based, such as a disgruntled employee sabotaging an assembly line:
| Disgruntled employee sabotages a critical assembly line. | While such events may occur infrequently, they are always a possibility, especially where security may be lax, e.g., lack of security cameras in critical production areas. | Someone who regularly works in a production area may, over time, identify potential weaknesses in the equipment and technology. |
| Employee enters critical process data incorrectly and fails to double-check the entry, and the resulting mistake causes a massive system outage. | Accuracy and care are two important criteria in any process-controlled environment; a simple keystroke could shut down a major system. | Improper entry of system commands and other coding is a potential problem; it may be necessary to build additional security challenges and checkpoints to minimize potential coding errors. |
| Social engineering helps a rogue employee obtain user access information which is sold to a third party to hack into employee computers. | Social engineering can be very easy to do, given the use of partitioned cubicles and work areas. Laptops and workstations left on, without being locked by the user, are prime targets for theft of information. | Unauthorized access to information is a key security challenge; social engineering must be included as a key part of information security. |
| Union grievance causes key employees to walk off the job, causing slowdowns in order processing and fulfillment, and subsequent loss of business. | Relations with collective bargaining units can become disrupted; the outcomes of such situations, such as strikes and walkouts, could shut down a business. | Organizations that have unions must include this as a potential business-threatening situation. |
| Employee returning from an overseas trip contaminates other employees with an airborne human-to-human virus that sickens half of the staff. | This is difficult to address, in that the infected individual may not express the effects of the disease immediately. | Concerns about epidemics and pandemics (e.g., bird flu and swine flu) should be addressed in BC/DR plans because in each case it's a loss of people that affects the firm. |
| Member of IT security staff uses access privileges to steal intellectual property and sell it to a competing firm. | Despite careful screening of prospective employees, an employee could "go rogue" and use his access to steal information. | Employee-based situations should be factored into BC/DR exercises, not just situations involving a loss of technology or a natural disaster. |