Are you ready for the zombie apocalypse? You know, the rising of the undead, coming to feed on your living flesh? Animated shuffling corpses in search of your brains? Even the U.S. Center for Disease Control has stepped up their recommendations in the event of the pending zombie apocalypse.
You can prioritize your needs when preparing yourself for zombies. Food and water come first. Plan a gallon of water per day per person. You will need non-perishable food. Think granola bars and peanut butter for high-energy food. You will need shelter that will help protect you – zombies may never sleep, but you will have to. An isolated cabin on stilts on a peninsula on a lake might be nice. Your “go bag” should include medical supplies, along with heat and light sources to help make you more comfortable. All in all, you think first about thinks that you need, what things are truly important? You survive first, and then you move on to things that might make your life easier. Things on top of that become just comfort. I did notice that the CDC zombie blog left “machete” off their list of priorities.
When thinking in the world of information security we have the same way of prioritizing. To make sure you are ready for the zombie apocalypse, or any other disaster, you have to prioritize. Give yourself one point for every question you can unequivocally answer “yes”.
1. Are your staff protected? Don’t leave anyone behind. You don’t want to have the Tahoe loaded and be half way to your cabin before you realize you left Uncle Bob asleep in the spare bedroom. Poor Uncle Bob, aka Zombie chow…
• Do you have an evacuation plan for every single one of your facilities?
• Do you have a way to verify that ALL of your staff have been accounted for (a call tree, or meeting place, or buddy system)? Include both professional and non professional staff, data center staff, any temporary staff, and visitors.
• Do you account for remote staff, especially staff in physical areas other than your facilities (you may be located in San Jose, but do you have a way to verify that your remote staff in Oklahoma City is safe?)
• Have you communicated your evacuation plan with all staff?
• Do you test your evacuation plans at each facility?
• At least annually?
• Do you update your plans as facilities change?
• Do you have visual evacuation instructions or guides to help people during the stress of an actual emergency? When the zombies are coming up the stairs, is no time someone to be browsing the intranet for evacuation instructions.
• Are you ready to accommodate people with physical, visual, mental, or other disabilities?
• Do you keep track of employees on travel? Sue may work in Miami, but what if she is on travel to San Antonio during the zombie outbreak?
2. Do you know where and what your cool data is?
• Have you completed a Business Impact Analysis (BIA), a data asset inventory, or some such process to identify your critical data?
• Have you classified your data by relative importance or value to the organization?
• Have you clearly identified all of the systems which support your cool data? This should consider systems that directly support the data, any databases in which the data is held, the systems that run those databases, any applications that support required access to the data, and systems that support those critical applications.
• Have you considered the impact of outages, including minimum time to restore for your most important systems and data? Make sure you consider regulatory requirements, operational constraints, and any contractually defined SLAs.
• Do you have mitigation/business continuity plans to protect you from outages, such as alternate site operations that allow your data to be fully supported from a physical location other than the primary site?
• Can that secondary/alternate site be fully operational in time to satisfy the “minimum time to restore” for all of your critical data?
• Is the secondary/alternate site fully vetted/authorized to operate with your cool data? Consider any regulatory requirements or contractual agreements designed to protect your cool data. If the original site is fully compliant with PCI, the secondary site should meet the same requirements.
• Is the secondary/alternate site fully capable of sustaining the throughput and capacity requirements of your business for as long as the zombie outbreak is expected to last?
• Is any outsourced alternate operations site contractually required to guarantee you a specified amount of capability and capacity, instead of supporting you first come first serve, general availability, or some reserve capacity? Note that not all sites will guarantee capacity. Check your contract if you need to.
• Does your alternate operational planning accommodate any staff required to support the reasonable operations of your critical systems and data?
i. Does any required staff know where your alternate site is, if they are supposed to report to the site, and can actually get to the site in a reasonable time frame?
ii. Do all required staff actually have access authorization that allows them to enter the alternate facility?
• Does your alternate operational planning accommodate all of the hardware, software, networking, and support functions required to fully operate your critical business? Consider things like office space, desk space (including chairs), phone service, workstations (not just servers), operating systems, db software, and applications.
• Have you internally published the prioritized list of critical systems, applications and data, or otherwise clearly communicated these priorities to all responsible staff?
• Have you clearly communicated emergency responsibilities to all organizational staff?
• Do all operational staff with any alternate site operations responsibility have training in the technology and solutions being used in alternate site operations?
• Do you have a formal Crisis Management Team, who is responsible for declaring an emergency and initiating alternate site operations?
• Are at least some of the CMT members formally trained in crisis management and incident response?
• Do you periodically update your BIA as your business changes and evolved, considering current demands on your data and operations, including any new regulatory requirements?
• Do you periodically update your alternate operations/business continuity plan as your business changes and evolved, considering current demands on your data and operations, and any new or evolving risks, including any new regulatory or contractual requirements?
• Once you update your business continuity plans, do you have a proven method of communicating any changes to all operational staff and any partners/vendors responsible for actually executing the plans?
• When you are running during alternate/contingency operations, can all of your critical staff access their critical data and systems to properly support the business and any required clients/customers within the required response time?
• Do you periodically test alternate site operations? And not just in paper, but a real, genuine test. Remember that part of the test also includes moving back to primary operations.
• Do you fully document the results of any testing, and use those results to update and improve any contingency planning?
• If you are running in alternate site operations, would any customer/client be unable to determine any diminished capacity or level of service?
Obviously not all of these would apply in the event of a zombie apocalypse, but given the state of the world right now, we have to at least appreciate hurricanes, tsunamis, tornados, floods, fires, and other related natural and unnatural disasters. While not all inclusive, the above questions actually make a reasonable pass somewhere between “good” and “best” business practices. The more of these controls you have in place, the more secure you are and the more protected your people and data is.
So, how exactly did you do? Tweet Your Score with the hashtag #ZombieSecTest
And, while we are at it, give yourself five extra points if you include machetes in your emergency preparedness kits…