As the COVID-19 virus was beginning to make more headlines two weeks ago, we published an article about pandemic planning to help institutions prepare. We continue to see an increased focus on pandemic planning and testing as the COVID-19 situation escalates, as well as increased pressure from regulatory agencies to take preparation seriously.
This week, we are providing a list of recent developments and common themes that we are seeing as institutions prepare:
- FFIEC Updates Pandemic Planning Guidance: Last week, the FFIEC reminded institutions of their “Interagency Statement on Pandemic Planning” first published in 2007. While the guidance was slightly updated from the original version, not much was changed. The changes noted in the new version are:
- The original guidance was issued in response to the threat of the spread of the avian flu in Asia. The original guidance directly addresses this threat, while the new guidance does not name any single virus.
- The original version stated that institutions should create a documented strategy that is aligned with the 6 disease intervals described by the CDC. The new version adds that this strategy should include a strategy for “re-entering personnel into the workplace”.
- The original version stated that institutions should create procedures that include social distancing to minimize staff contact. The new version adds that “Consideration should be given toward visitor procedures and whether restrictions should be implemented for visitors accessing the facilities.”
- The original guidance was issued in response to the threat of the spread of the avian flu in Asia. The original guidance directly addresses this threat, while the new guidance does not name any single virus.
- Printing Requirements may be a Problem: Many institutions are testing their pandemic plans by having employees work from home. One common theme we are hearing from them is that this often requires employees to print from home, which is against institution policy. Institutions should be sure to consider printing from home in their planning to determine if it is truly required. If printing is a requirement, consider building an exception into the policy for pandemic situations. If you do create this exception, be sure to train employees about the proper handling of printed documents in a home environment.
- Capacity may be a Problem: Some institutions are discovering limitations on their ability to support simultaneous access by a large number of employees. In some cases, there are licensing limitations and in other cases there are infrastructure capacity problems. In either case, institutions should analyze whether all of the employees attempting to access are truly critical in a pandemic situation. If they are, consider purchasing more licenses or increasing capacity to accommodate them. If capacity cannot be increased quickly enough, consider having employees work in shifts to get around the resource constraints. If employees are not all critical during a pandemic, document this and train employees appropriately so that non-critical staff do not use critical resources during a pandemic.
- Access may be a Problem: In some cases, institutions are discovering that those identified as backup staff for critical processes do not have the access that they need to perform these processes. Be sure to test critical processes using backup staff and adjust their access if needed, as during a pandemic you may not have access to the resources to change their access.
Bedel Security helps institutions with all aspects of cybersecurity governance. As part of our BCP Planning module, we help institutions with their BCP and pandemic planning. If your institution is having a hard time keeping up with the current situation, we can help! Give us a call any time at 833-297-7681 or email us at support@bedelsecurity.com.
Resources:
Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment