Incorporating a Remote Workforce into Your Business Continuity and Pandemic Planning

By: Christopher Hartley, Director at Sikich‘s Cybersecurity practice

Historically, organizations have looked at an existing business continuity (BC) and disaster recovery (DR) plan through the lens of natural disasters and terrorism that would affect the physical location of an organization’s headquarters or data centers. Their main focus was on being able to relocate those services to another location to restore business capabilities within a pre-defined amount of time. With a pandemic, the focus is shifted to supporting employee health and safety while still providing goods and services to maintain the business. Pandemic planning should incorporate many of the steps that would go into traditional BC/DR planning, except you will want to address moving from a physical to a virtual work environment. The following guidance focuses on what you should consider in a pandemic plan.

Perform a Business Impact Analysis
Just as an organization would want to understand what systems are critical to the business, the cost-per-hour if a system was down due to an event and the time it would take to recover, a business impact analysis (BIA) is essential for understanding how a line of business would be impacted if the workforce was forced to work remotely due to quarantine orders from the state or federal level. A BIA will also help define which employees are essential to the line of business to prioritize for capacity planning for remote work. The organization can use the BIA to identify costs associated with failures to systems, processes, or the like, such as a loss of revenue, lost salaries, and so on. A BIA helps quantify the importance of business components and can suggest the appropriate level of funding for protective measures.

Review Capacity and Licenses critical
A piece within a pandemic plan is the health and safety of an organization’s workforce. As we see with COVID-19, the best course of action is for social distancing, which includes working remotely. For organizations that do not have a teleworking plan in place, this can be a daunting issue. Reviewing license counts for things such as remote access, multi-factor authentication, and teleconferencing software is vital. As mentioned previously, identifying essential staff from the BIA is a needed first step. Once this is done, an organization can prioritize capacity and licensing so those essential employees can perform their jobs with limited impact on the service line. This will also allow the organization to allocate the necessary funding to acquire these licenses and technologies for future use.

Test the Plan
Just as an organization would test a BC/DR plan to determine how the organization would recover from a disaster or event, the pandemic plan must be tested as well. A good practice is to create a remote worker pilot group made up of essential employees from different lines of business and run a two-week test during the year in order to test the effectiveness of the plan and to make changes to it based on the testing output. Organizations should also look to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-46 Rev. 2Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, for guidance on securing your virtual workforce.

Document the Plan
Finally, as with any plan, a pandemic plan needs to be fully documented to paper and should be included as a section within an organization’s BC/DR plan. A pandemic plan should be a living document that is updated accordingly, just as you would update other policies and procedures.

Christopher Hartley is a Director with Sikich’s Cybersecurity practice and oversees the firm’s security risk and compliance service line. He has extensive experience in designing and implementing information security strategies, programs and frameworks in small, medium and large enterprise spaces. Christopher has extensive executive management experience in multiple verticals, including health care, retail, financial services and manufacturing. Christopher is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Security Auditor (CISA). He is also a member of the Northeast Ohio chapters of ISC2 and ISACA.