Chapter 73 Β· Glossary

Recovery Testing β€” Term Reference

Key terms for recovery testing fundamentals, rules of engagement, tabletop exercises, failover testing, simulation-based security tests, and parallel processing fault tolerance.

Recovery Testing
The proactive, controlled practice of validating an organization's ability to restore services and maintain operations after a disruption β€” before a real incident occurs. Recovery testing ensures that disaster recovery plans actually work: that personnel know the procedures, that systems behave as documented, and that cross-team coordination functions correctly. Conducted on a regular schedule (annual, semi-annual, or after major infrastructure changes) using defined scenarios, time constraints, and rules of engagement that prevent testing from disrupting production systems.
Rules of Engagement (Recovery Testing)
The constraints that govern how a recovery test is conducted to prevent the test itself from causing harm. The primary rule: do not touch production systems β€” recovery testing validates readiness without creating the incident being simulated. Additional rules: use a specific, pre-agreed scenario; enforce time constraints; document and evaluate results. Rules of engagement ensure that testing improves resilience without introducing operational risk. Without them, a recovery test can become a self-inflicted outage.
Tabletop Exercise
A discussion-based recovery test in which key stakeholders verbally walk through a hypothetical disaster scenario without touching any systems. Participants from IT, security, operations, HR, legal, and communications describe what their teams would do at each stage of the simulated incident. No systems are started, no data is moved, no hardware is reconfigured. The value comes from surfacing procedural gaps, unclear responsibilities, missing contact information, and coordination failures that would only otherwise be discovered during a real disaster. Cost-effective alternative to full-scale drills; does not validate actual system behavior.
Failover
The automatic (or manual) process of switching from a failed primary component to a redundant backup component to maintain service continuity. In an ideal failover, the transition is transparent to users β€” traffic is redirected, sessions are maintained, and service continues without visible interruption. Applies to network devices (routers, firewalls, switches), servers, databases, and links. Failover is built into many enterprise infrastructure devices through protocols like HSRP and VRRP. Because failures are inevitable ("when, not if"), failover is a foundational design principle in resilient infrastructure.
Failover Testing
A recovery test that validates whether redundant systems actually switch over correctly when a primary component fails. Involves deliberately taking down a primary component (firewall, server, network link) and verifying that: the secondary activates within the expected time, data consistency is maintained, and applications reconnect to the new active component. Failover tests expose configuration drift, protocol mismatches, and application hardcoding problems that prevent the redundancy from working when needed. Redundant systems that have never been tested should not be trusted to work during a real failure.
Redundant Infrastructure
An infrastructure design where critical components are duplicated so that the failure of one component does not cause a service outage. Redundancy is applied at every layer where a single failure would disrupt service: dual internet connections from different ISPs, redundant firewalls in a failover pair, redundant switches, multiple servers behind load balancers, and multiple links from servers to switches. The degree of redundancy required depends on the criticality of the service and the cost of downtime. Redundant infrastructure is the prerequisite for failover β€” you cannot fail over to something that does not exist.
Simulation Testing
A recovery testing method that creates controlled scenarios mimicking real security threats or operational failures to evaluate both automated defenses and human responses. Examples include phishing simulations, simulated password credential attacks, and simulated data exfiltration attempts. Unlike tabletop exercises, simulations actually send emails, attempt logins, or probe defenses β€” making them a live test of controls and human behavior simultaneously. Results identify which automated controls failed (let the simulated attack through) and which humans failed (clicked, submitted credentials, or failed to report).
Phishing Simulation
A controlled security test in which the organization (or a third-party vendor) sends a crafted phishing email to its own users to measure two things: (1) whether the email security gateway catches and quarantines the message before it reaches users, and (2) of the users who receive it, how many click the link or take the bait. Users who click are identified and assigned additional security awareness training. Users who report the email as suspicious are a positive outcome. Phishing simulations are the primary mechanism for validating the effectiveness of security awareness training programs β€” training and actual behavior under realistic conditions are different things.
Parallel Processing
A computing approach that distributes work across multiple processors or systems simultaneously rather than processing sequentially through a single CPU. Implemented via: multiple CPU cores within one server; multiple physical servers sharing a workload; or distributed computing clusters. Provides two benefits for resilience: (1) performance β€” complex transactions are split across multiple processors and completed faster; (2) fault tolerance β€” if one processor fails, the system detects it, removes it from the active pool, and continues with the remaining processors, degrading gracefully rather than failing completely. The key recovery property: losing one processor in a pool of eight loses ~12% capacity, not 100%.
Graceful Degradation
A system design property where the failure of one component reduces capacity or performance rather than causing complete service failure. Parallel processing architectures exhibit graceful degradation: when one processor fails, the remaining processors absorb the workload and service continues at reduced throughput. Contrasts with a single-point-of-failure design where any component failure stops the entire service. Graceful degradation is a desired outcome in resilient system design β€” systems should fail incrementally and predictably rather than catastrophically.
Continuous Improvement Cycle (Recovery)
The iterative process of conducting a recovery test, evaluating the results, identifying gaps and weaknesses, updating the disaster recovery plan, and scheduling the next test. Recovery testing is not a one-time activity β€” plans drift as infrastructure changes, staff changes, and threat landscapes evolve. Each test cycle must produce documented findings and plan updates; otherwise the test generates no lasting improvement in organizational resilience. Regular cycles (annual, semi-annual) ensure that the plan remains accurate and executable as the environment evolves.