Pandemic Planning in the Endemic State - WST

I believe we can all agree that nothing prepares us more than having to deal with a Business Continuity Management event than an actual event. We can always derive better plans through results from testing and actual events. President Dwight D. Eisenhower’s take was: “[I] have always found that plans are useless, but planning is indispensable.” At the very least, having a plan gives us a jumping off point. It is expected that plans are modified as they are used, and afterwards during the review and cleanup process.

If your institution has recently had a 10-D Security IT security audit, continuity management has been a topic of conversation, including what your institution has or is actively doing to address the current pandemic, as well as other types of testing performed. And there has surely been some value-added conversation, if not findings, based on those discussions. Also, some institutions have recently had examiners pick at their pandemic plans, asking detailed scenario-based questions about things like resilience: “If none of your staff are available, what are your plans?” These types of questions are certainly coming from the perspective of two years in a pandemic state and resultant shifts in priorities.

Moving forward, has your institution considered that this pandemic is gaining an endemic status? Many state and local governments are declaring the pandemic is ending, and many were doing so in advance of the recent Federal Judiciary and CDC declarations. This will likely mean that examiners and auditors will soon expect that annual internal testing activities—aside from documentation and changes from the recent pandemic—are performed, documented, and revised as necessary. Additionally, many state and local governments are NOT declaring a change in pandemic status, which may further modify or compound your planning and testing practices. Finally, as we have seen throughout the pandemic, plans could go from active, to dormant, to active again at the whim of any number variables, events, or politically driven ideologies.

Even if the pandemic never ends, it is still good practice and expected that we prepare for the next event, whatever that may be. We must test and update current plans, lest we become complacent. And keep those plans fluid so that we may adapt quickly to new variables. Consider preparing for future issues even if the current one hasn’t ended. President Eisenhower would likely approve of that since no battle or war is ever fought on just one front.

If your institution needs a table-top test of any part of your Business Continuity Management plans, and a board-quality report, we are here to help.

Authored by: Mike Smith, AWS CCP, CBISO