General security

Save Our Souls (SOS) [Updated 2019]

Ryan Mazerik
September 3, 2019 by
Ryan Mazerik

Natural disasters are unexpected events that can cause severe financial and environmental loss as well as the loss of human life. As an enterprise, it is our responsibility to ensure that proper recovery strategies are in place, just in case these natural calamities occur. In order to tackle these types of incidents, a Save Our Souls (SOS) system can be implemented. It provides a set of protocols to be followed in case an unexpected disaster befalls your company.

An SOS system can be implemented to take responsibility of offices, regional headquarters, data centers, and employees. The SOS should be capable of fetching live video feed messages from multiple sources like news channels, podcasts, etc. Employers are found liable if they disobey safety regulations and put their employees under severe risk, which impacts business. Irrespective of companies' diverse sizes, emergency communication is vital for business efficiency.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

An SOS analyst has to monitor the outside physical threat proactively and predict the possibility of occurrence of a similar threat within the organisation. In some companies, SOS analysts work with a business continuity team to ensure continuity of the company's resources. This technology can be advanced by incorporating a real-time feed of news, weather, traffic data, company's facility data, camera feeds, incident reports, and physical security systems.

All well-known organisations have a separate team to monitor security at various company facilities and follow global news and weather reports to spot events that could endanger company assets. This type of system can be used to consolidate internal and external security, decrease the operational cost, and improve the company's ability to protect its assets. For instance, companies which are present globally have a mobility team that is responsible for identifying physical threats when an employee is relocating to a particular region. Companies have to consider these threats when critical resources are sent for work in these regions, so an SOS has to manage the health and safety of all international workers working in a foreign land.


The security analyst monitors real time news feeds, weather reports and global security incidents from available outside feeds. After identifying a potential threat, they can carry out a deep analysis to confirm the status and severity of that incident. These data can be collectively used to generate an alert when a threat activity occurs on a particular geo-location. Say there is a tornado in Asia, then an alarm will be sent to all employees of the Asian region to prepare for precaution mechanisms. All of that company's physical and logical asset owners in that geo-location will also be warned regarding the incident in the case of a natural disaster or other potential threat. The personnel alert can be delivered to the assets by using business or personal email. Moreover, the personal phone number of the individual employees can be used to alert in case of severe incidents.

A displaying portal can be modelled which depicts the sources of risk, weather, natural disaster, breaking news, traffic data, terrorism, disease outbreaks, etc. Analytics can also be applied to these available data for predicting threats to a region. An SOS system can be connected to a company's physical security system and internal data stores. If an alarm is raised, which points out an incident, then the analyst should find out the risk involved in that area. So analysts will be able to correlate such threats with the status of door locks, alarms, and camera feeds and to prepare for an effective communication plan. The communication plan has to be tested regularly to ensure it's working in difficult times. It depends upon the different communication channels (email, website announcement, etc.) that a company uses to determine how long it takes to activate an emergency communication plan. The ideal time of communication is less than an hour, and it is not good for an organisation to not activate a communication plan in the last 12 months.


The most common SOS architecture consists of 3 core components:

  • Alert
  • Assess
  • Act
  • An SOS system will be provided with data including natural disasters, weather, terrorism, disease out breaks, etc., and from this data an alert can be triggered. This SOS system is input with both local and global incidents. The alerts can be configured in a way such that it will be triggered automatically when an incident occurs, and this alert will notify the corresponding team to take action.

    In assessment phase, the threat data is analysed frequently in order to eliminate false positives and thus to find meaningful data. The assessment can be carried out by filtering the incident data which points to our particular area of interest, timestamp of the incident, severity, etc. Other factors like historical occurrences, probability of occurrence, property impact, business impact, and human impact are also considered. In this phase, the data should be assessed and transformed into meaningful information by carrying out ad hoc search, range filtering, and spatial queries, and this enables us to query the data easily from a single interface. Thus, it enables the analyst to drill down the data according to its severity, or can apply any customized filter that makes the data into an understandable one.

    During the action phase, the finalized incident data is shared with victims. After the act and assess phase, the conclusion is drawn about whether the incident is critical and whether it affects our assets or not. This can be shared to victims by communication through emails, IM, or personal or office phone number. In this phase, the situation is actively monitored by focusing on it and informing higher management about that incident. Executing the communication phase is a challenging task. If an employee is out of the home base and is in a high risk country without any communication channels, emergency communication plans and procedures need to be optimised to reach such people. Usually emails, social media, website announcements, crisis telephone numbers, and manual call trees are relied on. (A call tree is where an initiator calls two or three people and they in turn call another three people, and this goes on like a loop till we cover the entire region. However, there could be circumstances in which an employee is on vacation or the cell phone is out of range, then the channels for propagating the messages are broken down).

    SOS Monitoring

    These are some of the events that an SOS system is really beneficial for.

    • Natural Disasters
      An SOS system can be used to identify and monitor current location and the impact zone of natural disasters including earthquakes, floods, hurricanes, volcano explosions, etc.
    • Weather ConditionsBad weather conditions can result in the closing of the business unit for a time period. It can also cause a negative business impact by not reporting in a timely manner. The SOS system can be used to alert in a proactive manner against this type of incident.
    • Terrorism
      The news feeds can be leveraged and conclusions can be drawn regarding global terrorist events and other activities related to that.
    • Current Events
      International and local news feeds can be leveraged to draw a conclusion on the current events that are occurring across the globe.
    • Disease Outbreaks
      An SOS can be used to monitor the risk faced by travellers by collecting information about disease outbreaks in a specific location which may affect employees.
    • Traffic conditions
      Traffic conditions across the office premises and locations to the assets can be monitored. A real time map can created by analysing the traffic data that can be used to choose a better route for employees.


    Effective response to security incidents

    By building an SOS system in an organization, security teams can act effectively in security incidents. This system empowers the incident handling team to perform in a proactive manner and quickly respond to hazards and other incidents.

    Increase in operational performance

    An SOS system can increase the efficiency of Security Operation Center by building a centralized sight of incidents and security means. It can also leverage the operation for multiple systems, security operators, and local conditions.

    Safeguarding the assets and business

    Implementing an SOS system enables the protection of all the assets and business against the protection of losses and liabilities. This system facilitates the organization's internal controls and external regulation.

    Disadvantages of SOS

    However, after considering the high number of advantages of the SOS system, these are the disadvantages that can affect the system.

    Real time location awareness

    In order to alert the assets of an incident, it is important to know the real-time location of employees. This will be a crucial task if the asset is in an isolated location or situation where the location details can't be transmitted to an SOS central management system.

    Data sharing between different organizations

    The SOS system will be successful only in the case of meaningful data being shared between organizations. If there is any delay in the data, then an effective response plan can't be formulated within a short period of time.

    Legal problems

    There will be legal problems in the usage of meteorological and traffic data, and there are many complications in sharing of this data from such government organizations. When these data fall into the hands of the wrong person, it can endanger the rest of the public.

    Large Data Traffic

    The meteorological and traffic data pose a large quantity of data, and this data should be filtered and stored. In the case of an incident, the historical data should be analysed, which becomes complicated with high traffic.


    Poor implementation, lack of understanding from recipients, device failure, unavailability of mobile network, problems communicating internationally, language barrier, lack of good process manual, etc.


    Having a good SOS policy in place can help save you should disaster fall on your company. It's important to take the necessary precautions to prevent massive losses. For more on the topic of business continuity and disaster recovery, click here.

    What should you learn next?

    What should you learn next?

    From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


    Ryan Mazerik
    Ryan Mazerik

    Ryan has over 10yrs of experience in information security specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants of these offerings to expand security delivery capabilities.He has strong passion in researching security vulnerabilities and taking sessions on information security concepts.