This article can also be found in the Premium Editorial Download "Information Security magazine: How to implement a change management that works and reduces security risks."
I have my children's pediatrician on speed dial as I wait for the H1N1 vaccine to come into her office. And with every news report I grow more anxious.
While I may be overreacting, I am nonetheless concerned and you should be too. Only 55.6 percent of companies have plans to address the H1N1 threat, according to a recent survey by the
So where do you begin?
You need to have a strategy and think it through. You may have a business continuity plan and it's a good start, but a pandemic plan should be approached differently. As Ruth Razook, CEO of RLR Management Consulting explained in a recent SearchFinancialSecurity.com article: With business continuity, the building is gone but the people remain. With a pandemic plan, the building is there but the people are gone.
So do you have a pandemic committee made up of HR, executive management, physical security and IT, among others? Have you reached out to your local public health officials or other information security professionals in your area to gather best practices? What are your sick-leave policies should an employee, or an employee's family member, be out sick? What are your contagious illness policies? If someone doesn't have sick time and you force them to go home, do you pay them or not?
Have you created a succession plan or a skills matrix? How dependent are you on others to make your plan work? Has upper management thought about contingency plans if key players are out of the office?
Have you conducted a tabletop exercise where one-third to one-half of your company is out sick? What happens when key personnel are missing, and how does an organization perform critical functions? What about your partners or outsourcers whom you rely upon to keep your organization running? Do they have a pandemic plan in place, and have you communicated with them about a worst-case scenario?
My organization is all about telecommuting, so on any given day 50 percent of the company is working from home. Our IT infrastructure is probably in a good place when it comes to capacity planning. Where are you? Do your employees have laptops? Are they trained on gaining access to the VPN or webmail? Can they get their jobs done at home, and are your IT and communication ready for such a shift? And can your security policies remain intact? Do you have the proper controls?
Your best approach is to throw these questions and more to the key decision-makers within your organization so you can begin to prepare for the worst. And hopefully this will be just an exercise.
Kelley Damore is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.
This was first published in November 2009