Zen Garden of InfoSec

Information security and governance explained in plain language for IT personnel, business executives, and boards of directors.

Emergency Preparedness

My own personal devotion to emergency preparedness cannot be overstated.

The attention I pay to this critical function borders on one of the true definitions of “fetish”. Maybe that’s because I come from the “Land of Katrina”. Or maybe it’s because this subset of the business continuity field is a perfect match for me. It requires adaptation. It invites constant re-evaluation, constant testing, and a constant push toward greater effectiveness & efficiency.

What Is Emergency Preparedness?

Business continuity is an umbrella term for ensuring that an organization’s critical business functions will continue to operate or recover to an operational state within a short time. Not all business continuity problems start out as disasters. Twitter’s once-frequent Fail Whale indicated the runaway success of the service. A low-resolution screenshot of the Fail Whale on Twitter But this success obviously caused problems for their critical business function, receiving and distributing 140-character messages.

Disaster recovery is a subset of business continuity, which outlines how you recover from an incident.

Emergency preparedness are the things you do in preparation for an emergency. Beefing up resiliency, staging materials, and creating a plan are key components of this.

Questions to ask

What are your critical business processes?

What can you let slide and what has to get done to keep the business going?

Do you know what you need in the event of an emergency?

What items, personnel, & skills are necessary for those processes that keep things going?

Have you set those items aside?

Recognizing that you’ll need form FB-227/R-14 is useless if you don’t allocate some to the emergency preparedness bin. Also, your employee Susie needs to know that you consider her essential.

Have you tested your plan using only those items?

This is a key point… You’ll never be able to fill out FB-227/R-14 without a pencil. Even more important, once you use up your only copy of FB-227/R-14, are there more? Use only the items in your emergency preparedness bin for the test, then replace what was used.

Are the items placed where you will need them?

Designate a continuity site, somewhere that won’t be disabled when your main site goes down. Stash your stuff there and let everyone know that’s where to meet after a problem.

Is all of this checked? On what schedule? By whom?

The checking process could be a training event in itself–if it’s your turn to check the items this month, you should also go over immediate aftermath responsibilities & be quizzed on them.