Our enterprise's disaster recovery/business continuity plans are outdated: In the event that there was some sort of natural disaster or epidemic, we wouldn't even have enough VPN licenses to allow all our employees to work remotely. What would you say are the most important things to take into account when revising these plans, and then how can we convince management to fund the technology updates that the changes will require?
Being prepared for the next disaster is a worthy goal for any security professional. I commend you for your concern. So, let me start with some ways to get executives' attention, then we will discuss disaster recovery contingency planning and finally work down to the issue of VPN licenses.
When was the last time the organization ran a corporate-level disaster exercise? This does not necessarily mean a full-blown exercise; even a tabletop exercise would be an excellent start. My suspicion is that you've probably not run an exercise recently, so now is an opportunity to do just that: Begin a campaign to update the current documents and preparedness level, starting with an exercise.
Perhaps you can coordinate a half-day tabletop exercise wherein you bring together the key IT, operations and financial management personnel to focus on a simple but highly catastrophic event. For one tabletop, I used (as an example scenario) a fire that completely destroyed our headquarters building. For another tabletop, the scenario involved a pandemic that caused every third person to be sick or away from work. In both of these exercises we started out with a series of questions to key managers concerning their actions, contingencies, and how they would get their work done.
In the fire exercise, we discovered that unless we had another printer fob located at the check printer in our backup facility, we could not print checks in the event of a fire at our headquarters. In the pandemic exercise, we realized that we did have enough VPN licenses, but we did not have enough laptops with full disk encryption for remote access, especially when sensitive data was involved.
So as far as the most important things to take into account, I'd offer the following approach:
- Begin by inventorying and collecting any and all disaster recovery/business continuity plans you have.
- Ascertain the status of these plans and documents. Are they up to date? Are phone numbers, email addresses, etc., of key people up to date and inclusive of the organization as it stands today?
- If you had an emergency today, would these documents be usable and could they be distributed for immediate implementation?
If your company has already taken the above four steps, you are in fairly good shape compared to most organizations I've worked with. However, there is still a lot more to do. This is where the exercise can help.
In the exercise, be sure to build a scenario, such as a fire or pandemic, and force the members in the exercise to use the current procedures and checklists in place. Take detailed notes and determine those areas where there are weaknesses in the documentation or where the steps cause confusion and crossed actions.
When the exercise ends, immediately perform a critique with the players in the room. Ask them what they thought went well and what went poorly. Ask them for their ideas for areas to improve and for representatives from their respective organizations to be part of the DR/BC committee. Then, don't just make the updates and corrections, but continue to meet monthly to ensure you and your company are ready for disaster.
Finally, take advantage of lessons learned from other disasters in other parts of the country and in your industry. Hurricane Katrina, for example, offered many, many scenarios to be considered for your corporate plans.
Related Q&A from Ernie Hayden