Use ISO standards to address a pandemic

Foreword

There is no doubt that each pandemic causes damage to businesses worldwide: not only is there the problem of a decrease (or, in some cases, a sharp increase) in demand for products or services, but there is also the problem of how to organize a company to deliver its products and services in a very different way.
It is difficult to predict all the areas of our business that could or will be impacted by a large-scale pandemic. Stay ahead of the curve by creating a plan for every business function in these uncertain times.

Why coronavirus is a threat to business

Coronavirus is a family of viruses that has common signs of infection, including respiratory symptoms, fever, cough, shortness of breath, and other breathing difficulties. In more severe cases, according to the World Health Organization, "infection can cause pneumonia, severe acute respiratory syndrome, kidney failure, and even death."

Businesses should be prepared for disruption to worker productivity, supply chains, travel, product availability, corporate travel and more.

Challenges with pandemics in a modern business world

A pandemic is “an outbreak of a disease that occurs over a wide geographic area and affects an exceptionally high proportion of the population.” From the business operations point of view, for most companies this means
(1) our customers or employees cannot reach us, or
(2) our customers or employees can reach us but are afraid for their own health.

To address the first problem, companies start reacting in the following ways: they overcome the lack of physical contact with customers and employees by using electronic means of communication; they ask their employees to use alternative places to work, mostly from their homes or other remote locations; and they use alternative channels for delivery of their products through outsourced logistics services.

However, by making these changes, companies face several challenges: by drastically changing the way their business operates, the continuity of their operations is endangered. By accessing data from employees’ private devices and their homes, and by processing data through various cloud service providers and logistics partners, the security of information is also endangered.
Finally, this new way of doing business requires different types of skills from both employees and partners in the supply chain, so the quality of delivering products and services is endangered. To address the second problem, health & safety, companies are starting to require protective equipment for their staff and to introduce rules for social distancing. However, the problem is that they do not know whether this is being done adequately, and they do not know whether it would satisfy their customers and partners.

Pandemic Planning Considerations

Around 12% of organizations claim they are “highly prepared” for a pandemic, according to a Gartner Business Continuity Survey. Implementing a Business Continuity Plan (BCP) will prepare our organization for the impacts of natural disasters, supply chain delays, limited access to staff, and more. The goal of a clear business continuity plan is to maintain technical operations and restore our company’s ability to operate during challenging times.

Organizations should create and execute a workplace pandemic preparedness plan along with business continuity plans. To familiarize employees and emergency teams with the plan, businesses should conduct exercises annually, if not more frequently. Use a pandemic recovery plan template to get started.

Because companies are so dependent on providers across all aspects of their business, they should well understand and have tested providers' pandemic plans. For instance, if the provider's own workforce is affected, it's important to know how it will maintain the high availability of its application or respond to service issues.

In many companies, line of business managers are the conduits to service providers; therefore, they must be coached on how to include them in pandemic plans. It's also important for organizations to centralize service-provider relationship information in case the managers themselves are unavailable.
One of the most important elements of pandemic planning, especially when assuming a high absenteeism rate, is to understand how employee skills complement one another. Conducting a skills inventory will illustrate which employees could back up others if they are affected by illness.

Our pandemic plan should include continuity details, including staffing, technology (hardware, software, systems), power options, data backups, and relocation sites, along with internal and external communication plans. Take our business impact analysis a step further by defining our Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Recovery Time Objective is the time between an unexpected disaster and the continuation of business as usual.

Recovery Point Objective addresses the organization’s maximum amount of data that can be lost before the impact on the business is unacceptable. Using this framework, we will build an effective strategy for our IT team to respond to any unwelcome disaster that may threaten our data center.
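One way to turn the RTO and RPO definitions above into a check that an IT team can run against its business impact analysis, as an added example that is not part of the original article: the process names, hour values and backup/recovery capabilities below are constructed sample data, and the worst-case data loss is taken to equal the backup interval.

```python
"""Worked RTO/RPO gap check for a business impact analysis (BIA).

Added example, not from the original article. Process names, hour values
and the backup/recovery capabilities below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaEntry:
    """One business process from the BIA with its recovery targets."""
    process: str
    rto_hours: float               # Recovery Time Objective: max tolerable outage
    rpo_hours: float               # Recovery Point Objective: max tolerable data loss
    backup_interval_hours: float   # how often the data is actually backed up
    tested_recovery_hours: float   # restore time measured in the last exercise


def rpo_gap(entry: BiaEntry) -> float:
    """Hours by which the worst-case data loss exceeds the RPO (0 if compliant).

    Worst-case loss equals the backup interval: a failure just before the next
    backup loses everything written since the previous one.
    """
    return max(0.0, entry.backup_interval_hours - entry.rpo_hours)


def rto_gap(entry: BiaEntry) -> float:
    """Hours by which the measured recovery time exceeds the RTO (0 if compliant)."""
    return max(0.0, entry.tested_recovery_hours - entry.rto_hours)


def gap_report(entries):
    """Return {process: (rto_gap, rpo_gap)} for every entry that misses a target."""
    report = {}
    for e in entries:
        gaps = (rto_gap(e), rpo_gap(e))
        if any(g > 0 for g in gaps):
            report[e.process] = gaps
    return report


# Constructed sample BIA rows (hypothetical processes and figures).
SAMPLE_BIA = [
    BiaEntry("order-processing", rto_hours=4, rpo_hours=1,
             backup_interval_hours=24, tested_recovery_hours=6),
    BiaEntry("payroll", rto_hours=72, rpo_hours=24,
             backup_interval_hours=24, tested_recovery_hours=48),
    BiaEntry("customer-portal", rto_hours=2, rpo_hours=0.5,
             backup_interval_hours=0.25, tested_recovery_hours=3),
]

if __name__ == "__main__":
    for process, (rto, rpo) in gap_report(SAMPLE_BIA).items():
        print(f"{process}: RTO gap {rto:g} h, RPO gap {rpo:g} h")
```

Any process listed in the report needs either a more frequent backup (RPO gap) or a faster, re-tested recovery procedure (RTO gap) before the plan can be considered adequate.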

Supply Chain Risks 

Pandemics wreak havoc on supply chains because they can force factory shutdowns, delay shipments, and create workforce shortages. Interruptions to supply chains can drastically delay the implementation, purchase, and installation of new server, storage, and networking systems. If we need hardware immediately, consider purchasing recertified or last-generation equipment. We can avoid the long lead times that may occur with original equipment manufacturers (OEMs) and access a timelier solution. Find more information on the benefits of purchasing refurbished IT equipment.

Remote Workforce

It was recently reported that VPN usage in Canada has increased significantly, by 124% in the last few weeks. Due to the upsurge of remote workers, IT departments are busy supporting the bandwidth. To ensure employees can access critical on-prem applications such as enterprise resource planning (ERP) and customer relationship management (CRM), IT departments should consider these key measures during a pandemic:

-Providing the proper equipment for employees (laptops, monitors, etc.) 
-Increased internet utilization and performance  
-Security updates and performance improvements 
-Router upgrades to support the increased speeds and users 
-Additional server capacity to support ERP/CRM system access 
-VPN setup and licensing for users

As organizations begin to shift to a remote workforce, IT departments are heavily monitoring inbound and outbound internet connections. It is recommended here to upgrade the bandwidth once 80% average utilization is reached.

Cybersecurity & targeted cyberattack threats

During a national pandemic, it doesn’t take long for hackers to start developing ways to target users. Pandemics, like other headline-making events, are enticing to cybercriminals, who take advantage of crises to infect systems, steal data, and disrupt operations. Their best way in, oftentimes, is through users. The security expert must dedicate their time and efforts to help protect businesses from security threats while supporting work-from-home strategies, including how to enforce remote employee security and privacy best practices.

During a pandemic, organizations need their cybersecurity teams to be on their A-game to protect the organization from threats and to alert users about phishing, ransomware, and other malicious attacks targeting them and the business. Companies need a plan for how to handle cybersecurity if members of the cybersecurity team are absent due to illness.
A leading cybersecurity firm stated that around 3% of COVID-19-related domains are considered malicious and 5% are classified as “suspicious.” According to the latest newsletters and research, “National emergencies and/or disasters add a fear factor that acts as one more hook for hackers to get what they need. When fear is added to any targeted campaign, be it a legitimate or scam campaign, the effectiveness of that campaign is increased.”

To decrease the risk of a cyberattack, encourage employees to closely examine emails, avoid clicking attachments, refrain from entering sensitive information, and report all attempts of phishing. 

But there is some good news: ISO standards can help us address these challenges.

Addressing continuity of operations

ISO 22301 is the standard that describes how to develop the Business Continuity Management System (BCMS). It defines that we have to assess the risks that might disrupt our operations and our supply chain, analyze how quickly we need to recover to avoid high damage, and determine which resources we need for recovery.
Based on this information, we need to look for solutions that will enable us to recover and to develop a business continuity plan for a pandemic. So, to successfully continue our operations, we would need to analyze which people, equipment, data, materials, third parties, etc. we need and how quickly we need them, define how to obtain them, and describe the steps to start using them. For that purpose, we need to perform a risk assessment and business impact analysis, develop the business continuity strategy, and write the pandemic plan for our business.

Addressing the security of communications and data

ISO 27001 is the standard that describes how to develop the Information Security Management System (ISMS). It defines that, first, we have to find out which potential incidents might happen, and then define which kinds of safeguards we need to implement in order to prevent data breaches.
So, for employees who are working from home, we need to analyze which kinds of incidents can happen to the data stored on their computers and communicated over the Internet. Only once we know this can we decide whether our employees will be required to use a VPN, use complex passwords, encrypt data, use only pre-approved cloud services, regularly back up the data, etc. Finally, those rules should be documented through policies and procedures.

Addressing the quality of services

ISO 9001 is the standard that describes how to develop the Quality Management System (QMS). Among other things, it defines that we have to train our staff adequately for the job they are performing, and that we need to select our suppliers, vendors, solution providers, contractors, consultants, and partners very carefully.

So, we should analyze which kinds of skills are necessary for operating our business in this new situation, and systematically start training our staff. This could relate to the new communication channels we are using with our customers or internally with our colleagues, how to work remotely in an effective and secure way, how to work on-site while complying with the social distancing rules, etc.

For suppliers and partners, we have to develop clear criteria in order to be able to select only those that will not jeopardize our supply chain: for example, select only those that have strict rules for health & safety, that have trained people in social distancing, that have developed online communication channels, etc.

Addressing health & safety

ISO 45001 is a standard that describes how to create an Occupational Health & Safety Management System (OHSMS) that helps us go beyond simply meeting the health & safety laws and regulations and work towards the improvement of health & safety in our workplace. Probably the most important aspect of the ISO 45001 requirements that can help in a pandemic is identifying hazards and their associated risks so that they can be controlled to improve health & safety.
This hazard identification is best conducted using the knowledge of our workforce to find the best solutions. Involving our people will make them confident, so that they won’t be afraid of working on the company’s premises, and this trust will also be reflected by our customers, who won’t be afraid of getting in touch with our employees.
We can start with a brainstorming session, such as “what are the hazards that we face in each process, and where can we reduce these hazards in this crisis?” During a pandemic, this can help with the rapid identification and implementation of the changes we need to make to stay safe on the job, such as social distancing in the workplace, cleaning tools, removing papers or tablets to avoid multiple people coming into contact with them, and preparing replacements to be able to perform new roles or new jobs in case someone has to stay at home.

When people feel safe, they will work better; in some cases, productivity will be even better than before the pandemic. This positive approach will consequently be appreciated by customers, and they will start to prefer such a company over its competitors.

ISO standards provide us with the know-how

A pandemic does not happen very often, and one would expect that in such unpredictable circumstances the rules have to be invented on the go; however, ISO 22301, ISO 27001, ISO 9001, and ISO 45001 are ready-made frameworks that can be applied effectively even in adverse situations. ISO standards are the most widely adopted frameworks that help companies organize better, and they can also help in the face of a pandemic.

ISO 22301 Business Continuity Management

Which documents and records are required by ISO 22301:2019?
The list below shows the minimum set of documents and records required by ISO 22301:2019 (the standard refers to documents and records as “documented information”):

Documents and records ISO 22301
-List of legal, regulatory and other requirements 
-Scope of the BCMS (Business Continuity Management System) and explanation of exclusions
-Business continuity policy 
-Business continuity objectives 
-Competences of personnel
-Business continuity plans and procedures  
-Documented communication with interested parties 
-Records of important information about the incident, actions taken, and decisions made
-Data and results of monitoring and measurement
-Internal audit program 
-Results of internal audit
-Results of management review  
-Nature of nonconformities and actions taken
-Results of corrective actions
This is by no means a definitive list of documents and records that can be used during the ISO 22301 implementation. The standard allows any other documents to be added to improve the level of resilience.

Commonly used non-mandatory documents

Other documents that are very often used are as follows:
-Procedure for identification of applicable legal and regulatory requirements
-Implementation plan for achieving the business continuity objectives
-Training and awareness plan 
-Procedure for control of documented information 
-Contracts and service level agreements (SLAs) with suppliers and outsourcing partners
-Process for business impact analysis and risk assessment 
-Results of business impact analysis 
-Results of risk assessment 
-Strategies and solutions for business continuity 
-Incident scenarios  
-Exercise and testing plans 
-Post-exercise reports  
-Results of the post-incident review 
-Methods for monitoring, measurement, analysis, and evaluation
-Procedure for internal audit
-Procedure for corrective action
 On the other hand, 

Updating the pandemic response plan to include cybersecurity management activities

Here are some of the approaches to take to minimize these risks:

1. Provide employees with basic security knowledge. People working from home must be provided with basic security advice: to beware of phishing emails, to avoid the use of public Wi-Fi, to ensure home Wi-Fi routers are sufficiently secured, and to verify the security of the devices that they use to get work done. It is likely that attempts to subvert security using phishing attacks will increase at this time. Employees should be particularly reminded to avoid clicking links in emails from people they do not know, and the installation of third-party apps should be confined to bona fide app stores, even on personal devices. Your people need to be in possession of basic security advice, and it is also important that your company has an emergency response team in place. People need to know whom to contact in the event they detect a security anomaly.

2. Provide your people with VPN access. One way to secure data as it moves between your core systems and externally based employees is to deploy a VPN. These services provide an additional layer of security, which (in simplified terms) provides the following:
-Hiding the user's IP address
-Encrypting data transfers in transit
-Masking the user's location
You should ensure that all remote employees are provided with access to the service and that they use it for all business-related activities.

3. Provision security protection. Make sure up-to-date security protection is installed and active on any devices that will be used for work. That means virus checkers, firewalls, and device encryption should all be in place.

4. Run a password audit. Your company needs to audit employee passcodes. That doesn’t mean requesting people’s personal details, but it does mean passcodes used to access any enterprise services are reset and redefined in line with a stringent security policy. Alphanumeric codes and the use of two-factor authentication should become mandatory, and you should ask your people to apply the toughest possible protection across all their devices. You should also ensure all your business-critical passwords are securely stored in the event anything happens to key personnel.

5. Ensure that software is updated. Encourage your teams to upgrade their software to the latest version supported under the company's security policy. (Some enterprises lag the release schedule for Apple software, though most don’t.) Activate automatic updating on all your devices.

6. Encourage the use of (secure, approved) cloud services. One way to protect your employee endpoints is to ensure your confidential information is not stored locally. Content storage should be cloud-based where possible, and employees should be encouraged to use cloud-based apps (such as Office 365). It is also important that any third-party cloud storage services used are verified for use by your security teams. NB: This is particularly important if your business requires the use of critical personal data.

7. Reset default Wi-Fi router passwords. Not every employee will have reset the default password for their Wi-Fi router. If you have an IT support team, then providing telephone guidance to secure home routers should become a priority. You do not want your information being subjected to man-in-the-middle, data sniffing, or any other form of attack. You may also need to make arrangements to pay for any excess bandwidth used, as not every broadband connection is equal. Some providers are making positive sounds around extending available data packages in the current crisis. Employees should be told to avoid public Wi-Fi, though doing so is made a little more secure if used with a VPN.

8. Mandatory backups. It will be useful to ensure that online backup services are used, if available. Otherwise, employees should be encouraged to use external drives to back up computers. If you use a mobile device management (MDM) or enterprise mobility management (EMM) service, then it is possible you will be able to initiate automated backups via your system’s management console.

9. Avoid the use of USB sticks. Don’t use USB sticks at all if you can avoid it. There have been too many examples of such devices being infected with malware.

10. Use an MDM/EMM solution. It may make sense to deploy an MDM or EMM system at this time. This will make it much easier to provision and manage your fleet of devices while also separating corporate from personal data. It also ensures device and Mac security can be better controlled.

11. Develop contingency plans now. Triage your teams. Ensure that management responsibilities are shared between teams and ensure you put contingency plans in place now in case key personnel get sick. Tech support, password and security management, essential codes, and failsafe roles should all be assigned and duplicated.

12. Foster community and care for employees. The reason many people are working from home is that there is a health pandemic. The grim truth is that your employees may get sick, or worse, during this crisis. With this in mind, community chat, including group video chat using tools such as FaceTime or Zoom, will become increasingly important to preserving mental health, particularly for anyone enduring quarantine. Encourage your people to talk with each other, run group competitions to nurture online interaction, and identify local mental health and grief counselors who may help if the crisis becomes more extreme.

The Author: Ala'a Elbeheri
A versatile and highly accomplished senior certified IT risk management Advisor and Senior IT Lead Auditor with over 20 years of progressive experience in all domains of ICT.  
• Program and portfolio management, complex project management, and service delivery, and client relationship management.  
• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.  
• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.  
• Fluent in oral and written English, German, and Arabic, with a professional knowledge of French.
• Energetic and dynamic; relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.
• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.  
• Strong people skills, with proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills throughout an organization.