[ISN] Disaster Planning Is Critical, but Pick a Reasonable Disaster

From: InfoSec News (alerts@private)
Date: Thu Jul 26 2007 - 00:11:36 PDT


http://www.wired.com/politics/security/commentary/securitymatters/2007/07/securitymatters_0726

Commentary by Bruce Schneier
07.26.07 

If an avian flu pandemic broke out tomorrow, would your company be ready 
for it?

Computerworld published a series of articles on that question last year, 
prompted by a presentation analyst firm Gartner gave at a conference 
last November. Among Gartner's recommendations: "Store 42 gallons of 
water per data center employee -- enough for a six-week quarantine -- 
and don't forget about food, medical care, cooking facilities, 
sanitation and electricity."

And Gartner's conclusion, over half a year later: Pretty much no 
organizations are ready.

This doesn't surprise me at all. It's not that organizations don't spend 
enough effort on disaster planning, although that's true; it's that this 
really isn't the sort of disaster worth planning for.

Disaster planning is critically important for individuals, families, 
organizations large and small, and governments. For the individual, it 
can be as simple as spending a few minutes thinking about how he or she 
would respond to a disaster. For example, I've spent a lot of time 
thinking about what I would do if I lost the use of my computer, whether 
by equipment failure, theft or government seizure. As I a result, I have 
a pretty complex backup and encryption system, ensuring that 1) I'd 
still have access to my data, and 2) no one else would. On the other 
hand, I haven't given any serious thought to family disaster planning, 
although others have.

For an organization, disaster planning can be much more complex. What 
would it do in the case of fire, flood, earthquake and so on? How would 
its business survive? The resultant disaster plan might include backup 
data centers, temporary staffing contracts, planned degradation of 
services and a host of other products and service -- and consultants to 
tell you how to use it all.

And anyone who does this kind of thing knows that planning isn't enough: 
Testing your disaster plan is critical. Far too often the backup 
software fails when it has to do an actual restore, or the 
diesel-powered emergency generator fails to kick in. That's also the 
flaw with the emergency kit suggestions I linked to above; if you don't 
know how to use a compass or first-aid kit, having one in your car won't 
do you much good.

But testing isn't just valuable because it reveals practical problems 
with a plan. It also has enormous ancillary benefits for your 
organization in terms of communication and team building. There's 
nothing like a good crisis to get people to rely on each other. 
Sometimes I think companies should forget about those team building 
exercises that involve climbing trees and building fires, and instead 
pretend that a flood has taken out the primary data center.

It really doesn't matter what disaster scenario you're testing. The real 
disaster won't be like the test, regardless of what you do, so just pick 
one and go. Whether you're an individual trying to recover from a 
simulated virus attack, or an organization testing its response to a 
hypothetical shooter in the building, you'll learn a lot about 
yourselves and your organization, as well as your plan.

There is a sweet spot, though, in disaster preparedness. Some disasters 
are too small or too common to worry about. ("We're out of paper clips!? 
Call the Crisis Response Team together. I'll get the Paper Clip Shortage 
Readiness Program Directive Manual Plan.") And others are too large or 
too rare.

It makes no sense to plan for total annihilation of the continent, 
whether by nuclear or meteor strike: That's obvious. But depending on 
the size of the planner, many other disasters are also too large to plan 
for. People can stockpile food and water to prepare for a hurricane that 
knocks out services for a few days, but not for a Katrina-like flood 
that knocks out services for months. Organizations can prepare for 
losing a data center due to a flood, fire or hurricane, but not for a 
Black-Death-scale epidemic that would wipe out a third of the 
population. No one can fault bond trading firm Cantor Fitzgerald, which 
lost two thirds of its employees in the 9/11 attack on the World Trade 
Center, for not having a plan in place to deal with that possibility.

Another consideration is scope. If your corporate headquarters burns 
down, it's actually a bigger problem for you than a citywide disaster 
that does much more damage. If the whole San Francisco Bay Area were 
taken out by an earthquake, customers of affected companies would be far 
more likely to forgive lapses in service, or would go the extra mile to 
help out. Think of the nationwide response to 9/11; the human "just deal 
with it" social structures kicked in, and we all muddled through.

In general, you can only reasonably prepare for disasters that leave 
your world largely intact. If a third of the country's population dies, 
it's a different world. The economy is different, the laws are different 
-- the world is different. You simply can't plan for it; there's no way 
you can know enough about what the new world will look like. Disaster 
planning only makes sense within the context of existing society.

What all of this means is that any bird flu pandemic will very likely 
fall outside the corporate disaster-planning sweet spot. We're just 
guessing on its infectiousness, of course, but (despite the alarmism 
from two and three years ago), likely scenarios are either moderate to 
severe absenteeism because people are staying home for a few weeks -- 
any organization ought to be able to deal with that -- or a major 
disaster of proportions that dwarf the concerns of any organization. 
There's not much in between.

Honestly, if you think you're heading toward a world where you need to 
stash six weeks' worth of food and water in your company's closets, do 
you really believe that it will be enough to see you through to the 
other side?

  A blogger commented on what I said in one article: Schneier is using 
  what I would call the nuclear war argument for doing nothing. If 
  there's a nuclear war nothing will be left anyway, so why waste your 
  time stockpiling food or building fallout shelters? It's entirely out 
  of your control. It's someone else's responsibility. Don't worry about 
  it.

Almost. Bird flu, pandemics and disasters in general -- whether man-made 
like 9/11, natural like bird flu or a combination like Katrina -- are 
definitely things we should worry about. The proper place for bird flu 
planning is at the government level. (These are also the people who 
should worry about nuclear and meteor strikes.) But real disasters don't 
exactly match our plans, and we are best served by a bunch of generic 
disaster plans and a smart, flexible organization that can deal with 
anything.

The key is preparedness. Much more important than planning, preparedness 
is about setting up social structures so that people fall into doing 
something sensible when things go wrong. Think of all the wasted effort 
-- and even more wasted desire -- to do something after Katrina because 
there was no way for most people to help. Preparedness is about getting 
people to react when there's a crisis. It's something the military 
trains its soldiers for.

This advice holds true for organizations, families and individuals as 
well. And remember, despite what you read about nuclear accidents, 
suicide terrorism, genetically engineered viruses and mutant man-eating 
badgers, you live in the safest society in the history of mankind.

-=-

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond 
Fear: Thinking Sensibly About Security in an Uncertain World.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Jul 26 2007 - 00:22:01 PDT