Connect with us

Hi, what are you looking for?


Management & Strategy

Are you Ready for the Zombie Apocalypse?

Are you ready for the zombie apocalypse? You know, the rising of the undead, coming to feed on your living flesh? Animated shuffling corpses in search of your brains? Even the U.S. Center for Disease Control has stepped up their recommendations in the event of the pending zombie apocalypse.

Are you ready for the zombie apocalypse? You know, the rising of the undead, coming to feed on your living flesh? Animated shuffling corpses in search of your brains? Even the U.S. Center for Disease Control has stepped up their recommendations in the event of the pending zombie apocalypse.

IT Security Best Practices ListYou can prioritize your needs when preparing yourself for zombies. Food and water come first. Plan a gallon of water per day per person. You will need non-perishable food. Think granola bars and peanut butter for high-energy food. You will need shelter that will help protect you – zombies may never sleep, but you will have to. An isolated cabin on stilts on a peninsula on a lake might be nice. Your “go bag” should include medical supplies, along with heat and light sources to help make you more comfortable. All in all, you think first about thinks that you need, what things are truly important? You survive first, and then you move on to things that might make your life easier. Things on top of that become just comfort. I did notice that the CDC zombie blog left “machete” off their list of priorities.

When thinking in the world of information security we have the same way of prioritizing. To make sure you are ready for the zombie apocalypse, or any other disaster, you have to prioritize. Give yourself one point for every question you can unequivocally answer “yes”.

1. Are your staff protected? Don’t leave anyone behind. You don’t want to have the Tahoe loaded and be half way to your cabin before you realize you left Uncle Bob asleep in the spare bedroom. Poor Uncle Bob, aka Zombie chow…

• Do you have an evacuation plan for every single one of your facilities?

• Do you have a way to verify that ALL of your staff have been accounted for (a call tree, or meeting place, or buddy system)? Include both professional and non professional staff, data center staff, any temporary staff, and visitors.

• Do you account for remote staff, especially staff in physical areas other than your facilities (you may be located in San Jose, but do you have a way to verify that your remote staff in Oklahoma City is safe?)

• Have you communicated your evacuation plan with all staff?

Advertisement. Scroll to continue reading.

• Do you test your evacuation plans at each facility?

• At least annually?

• Do you update your plans as facilities change?

• Do you have visual evacuation instructions or guides to help people during the stress of an actual emergency? When the zombies are coming up the stairs, is no time someone to be browsing the intranet for evacuation instructions.

• Are you ready to accommodate people with physical, visual, mental, or other disabilities?

• Do you keep track of employees on travel? Sue may work in Miami, but what if she is on travel to San Antonio during the zombie outbreak?

2. Do you know where and what your cool data is?

• Have you completed a Business Impact Analysis (BIA), a data asset inventory, or some such process to identify your critical data?

• Have you classified your data by relative importance or value to the organization?

• Have you clearly identified all of the systems which support your cool data? This should consider systems that directly support the data, any databases in which the data is held, the systems that run those databases, any applications that support required access to the data, and systems that support those critical applications.

• Have you considered the impact of outages, including minimum time to restore for your most important systems and data? Make sure you consider regulatory requirements, operational constraints, and any contractually defined SLAs.

• Do you have mitigation/business continuity plans to protect you from outages, such as alternate site operations that allow your data to be fully supported from a physical location other than the primary site?

• Can that secondary/alternate site be fully operational in time to satisfy the “minimum time to restore” for all of your critical data?

• Is the secondary/alternate site fully vetted/authorized to operate with your cool data? Consider any regulatory requirements or contractual agreements designed to protect your cool data. If the original site is fully compliant with PCI, the secondary site should meet the same requirements.

• Is the secondary/alternate site fully capable of sustaining the throughput and capacity requirements of your business for as long as the zombie outbreak is expected to last?

• Is any outsourced alternate operations site contractually required to guarantee you a specified amount of capability and capacity, instead of supporting you first come first serve, general availability, or some reserve capacity? Note that not all sites will guarantee capacity. Check your contract if you need to.

• Does your alternate operational planning accommodate any staff required to support the reasonable operations of your critical systems and data?

i. Does any required staff know where your alternate site is, if they are supposed to report to the site, and can actually get to the site in a reasonable time frame?

ii. Do all required staff actually have access authorization that allows them to enter the alternate facility?

• Does your alternate operational planning accommodate all of the hardware, software, networking, and support functions required to fully operate your critical business? Consider things like office space, desk space (including chairs), phone service, workstations (not just servers), operating systems, db software, and applications.

• Have you internally published the prioritized list of critical systems, applications and data, or otherwise clearly communicated these priorities to all responsible staff?

• Have you clearly communicated emergency responsibilities to all organizational staff?

• Do all operational staff with any alternate site operations responsibility have training in the technology and solutions being used in alternate site operations?

• Do you have a formal Crisis Management Team, who is responsible for declaring an emergency and initiating alternate site operations?

• Are at least some of the CMT members formally trained in crisis management and incident response?

• Do you periodically update your BIA as your business changes and evolved, considering current demands on your data and operations, including any new regulatory requirements?

• Do you periodically update your alternate operations/business continuity plan as your business changes and evolved, considering current demands on your data and operations, and any new or evolving risks, including any new regulatory or contractual requirements?

• Once you update your business continuity plans, do you have a proven method of communicating any changes to all operational staff and any partners/vendors responsible for actually executing the plans?

• When you are running during alternate/contingency operations, can all of your critical staff access their critical data and systems to properly support the business and any required clients/customers within the required response time?

• Do you periodically test alternate site operations? And not just in paper, but a real, genuine test. Remember that part of the test also includes moving back to primary operations.

• Do you fully document the results of any testing, and use those results to update and improve any contingency planning?

• If you are running in alternate site operations, would any customer/client be unable to determine any diminished capacity or level of service?

Obviously not all of these would apply in the event of a zombie apocalypse, but given the state of the world right now, we have to at least appreciate hurricanes, tsunamis, tornados, floods, fires, and other related natural and unnatural disasters. While not all inclusive, the above questions actually make a reasonable pass somewhere between “good” and “best” business practices. The more of these controls you have in place, the more secure you are and the more protected your people and data is.

So, how exactly did you do? Tweet Your Score with the hashtag #ZombieSecTest

Click Here To Tweet Your Score

Information Security Preparation Test

And, while we are at it, give yourself five extra points if you include machetes in your emergency preparedness kits…

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.