Pandemic Preparedness: Case Study - CoopSeminar.com · Pandemic Preparedness: Case Study Courtenay...

Pandemic Preparedness: Case StudyCourtenay Enright, CBCP

Carahsoft Technology Corp.COOP/Teleworking SeminarJune 19, 2007

Pandemic Solutions: Practical Application 2Internal Confidential – not for distribution

Agenda

11

22

33

44

55

What Is New and What Still Holds True

What Contributed to the Effectiveness of Our Program

Let’s Look at the Plan

Methodology and ApproachProgram Framework and Guideline MaterialsWorkforce Continuity: Remote OperationsHuman Resources Pandemic Policies for the WorkforceWorkforce Continuity: On-site Operations

Challenges

Q & A


New

• BC/DR planning for a single, localized incident

• The back-up/DR data center

• Central stockpiling or hardening central facilities

• Long ignored and overdue

• Unprecedented

• Multiple instance, multiple wave planning

• Load balancing and failover across multiple sites

• Facility-independent, dispersed, flexible design

• Workforce continuity

• Human resources pandemic policies


True

• The need for private/public sector joint planning• Incident Command System strategic and tactical

functionality• If you can’t measure it, you can’t mitigate it• Iterative behavior modification• Dependence on resilient technology• ATOD budget for COOP • Cleanliness is next to…..risk reduction


• Traditional COOP not adequate for pandemic

• “Siloed” COOP is no longer sufficient

Public and Private Sector Concerns

Vice president and research fellow Ken McGee said standard BC plans apply to only geographically specific disasters, such as floods, earthquakes and localized man-made disasters. However, when a pandemic does happen, experts predict it will spread across the globe quickly and create simultaneous worldwide business disruptions. For instance, relying on a backup data center in India won't help a U.S. company stay in business. The Indians who run that backup data center will be just as sick as the company's U.S.-based employees. Gartner: Existing Business Continuity Plans Will Fail in a Pandemic”, CIO.com, November 29, 2006

After the September 11th attacks, and more recently hurricanes Katrina and Rita, companies such as Deutsche Bank have been able to bounce back because they planned for the unthinkable. Yossi Sheffi, director of MIT’s Center for Transportation and Logistics, calls these organizations "resilient." The more you can tie redundancy to the regular business, the more chance you will get money for it. By building flexibility into any operation, you can respond better to market changes. The best way to do this is to build in redundancy that can help the business even before disaster strikes. MIT Logistics Expert Talks Disaster Recovery CIO.com, March 1, 2006


Pandemic Success Factors

• Seasoned CBCP resources • Using principles and tenants of the Incident Command System (ICS)• Granularity of work on the Business Impact Analysis (BIA)• Leveraging technology (our own software and other products)• Partnerships with International SOS, MIR3 and Aetna• Participation in the NIAC and other private/public sector initiatives on

pandemic planning• Building a solution to be flexible for growth in emerging markets and

acquisition – the next company or market becomes another contingency source in a global model and ensures continuity of workforce

• Lessons learned from SARS response in Asia and Canada• Augmenting existing vehicles/programs in the company to layer

pandemic budgeting horizontally instead of as a vertical initiative


Our incidents don’t impact customers

North AmericaEMEA

Japan

Latin America

6 HurricanesPower Outages

Network & Power Outages Bombings

3 Hurricanes

TerroristAttacks

Floods

Ice Storms

Asia Pacific

Earthquake


Floods in India


Immediate Geographic Region Workload Shift

7/05Pune andMumbai Floods

7/05Pune andMumbai Floods


Symantec products

• Mir3 in ENTERPRISE for automated emergency communications and geo-tracking

• Configuration Manager to determine where apps and data sit

• Provisioning Manager for the provisioning

– Export/import for OS/application images from production to QA for every new image; this reduces the network utilization

• Volume Replicator for the replication of the data

• Cluster Server and Global Cluster Option for the management of the services

• Volume Manager for the mirroring and space optimized snapshots for backup snaps

• CC:Service for workflow automation and reporting and CC:Storage for storage provisioning/management

• Net Backup for back-ups and archiving on SATA– BackUp Exec and Kvault for windows

backup and archiving respectively• Titan and Apropos replicated nine ways at

Tier 1 facilities for uninterrupted work-load shift

• Sygate On-Demand Protection agent for securing unmanaged devices

• Cisco CIPC software for remote telecommunications capability (voice over IP

Technologies for Workforce Continuity

)• Citrix Go To My PC reduces VPN use• FireDrill to test applications without

interrupting production


Least Manual Method = Most Protection Clustered = Best Practice

Why We Did It in the First Place

• Decreasing these costs is the biggest impact to your bottom line

– 60% of 5 year total cost of ownership forIT systems are staff costs

– Soft ‘costs savings’ of re-deploying staff to revenue generating activities

• HA architecture provides savings comprised of a 30% improvement in server administration & 50% improvement in hardware costs

• Large companies realize average cost savings of $30,000 an hour by avoiding planned and unplanned downtime, using HA solutions

• This solution tests your DR capability every time you failover to the next location

• Creates flexible model for growth in emerging markets and acquisitions

• Incorporate previous equipment investments in storage and networks

• Can achieve a 20%–30% reduction in annual total cost of IT operations by consolidating servers, decreasing administration costs

• Ability to rollout repeatable HA environments quickly and effectively, improving service levels, reducing support and implementation costs

• Standard methods for monitoring the health and status of the clusters

• Integrated set of management tools and guidance equal improved network and application up-time.

• Clustered failover and load balancing eliminates the majority percentage of short-term production outages

Source: IDC 2003


Network and Telecommunications Recommendations• VPN server augmentation at company sites to handle additional traffic.• Target telecommunications providers that are flexible with rerouting lines.• Corporate SLA with DSL/Cable providers, include “bump-up” clause.• Voice over IP leverages CISCO soft phones at any location.• Maintain systems for reliability, integrity and patch control. Complete existing

automation projects that can lessen manual effort. • Ensure robust and up-to-date information security policies and tools. • Citrix Go-to-My PC as front-end planning to reduce overall VPN usage or Sygate

On-Demand Agent for activating and securing PCs at any location ATOD. • On-going participation in public/private sector cooperatives

– Example: the “broadband pandemic study”. The National Communications Service (NCS), the Telecommunications Sector, and FSSCC (Financial Services Sector Coordinating Council) formed a private/public sector working group to explore potential “bandwidth” issues associated with the likely increase in telecommuting during a pandemic.


Criteria for prioritization of processes:

Criteria for resource solutions:

Criteria for ranking/weighting impacts:

Timeframe thresholds for planning:

Methodology Approach

• Customer facing • Revenue generating• Revenue enabling

• Life essential• Public health• Public safety• Contributes to employee

absenteeism• Economic Survival

• Essential — Specialized technical support skill-sets requiring on-site presence; additionally no depth/alternate resourcing

• Critical — Specialized technical support skill-sets critical to support Tier 1 staff (such as IT)

Calculations based on BIA data and Gartner statistical benchmark data

• First wave could be up to twelve weeks (3 months)

• Estimates of 6 months for vaccine production• So our planning threshold is for two waves of

pandemic instance• Phase 5 -6: increase frequency of strategy

briefings with exec management on necessary adjustments to plan based on impacts


Incident Command System (ICS) Methodology

29 CFR 1910.120 and GISO 5192• Manages day-to-day operations as well as unplanned incidents• More effective private response creates a more effective public

response– Leverage public sector relationships and resources

• Meets compliance/regulatory requirements– Helps ensure we meet customer SLAs and their recovery requirements– National Homeland Security Strategy Compliance

• Improves ability to respond successfully– 82% of companies surveyed who have used ICS during an actual

emergency reported their experience as more positive and successful

• Minimizes confusion and conflict by using a “Chain of Command”system


ICS Management Principles

• Common terminology• Manageable span-of-control• Objectives-driven response• Incident action plans• Comprehensive resource management• Pre-designated incident facilities• Integrated communications


Risk Advisories

Type of advisoryMedical Alerts

Medical Alerts are issued when there is an unusual health risk that in the opinion of the International SOS Medical staff may negatively impact travelers or expatriates visiting a country.

Evacuation NoticesEvacuation Notices are the highest level of alert and issued only when International SOS Security professionals have determined that it was unsafe to remain in a specific country.

Security AlertsNext to an Evacuation Notice, a Security Alert indicates the highest level of concern and is issued only in response to events that International SOS Security believes may lead to an evacuation.

Situation WarningsSituation Warnings are driven by a specific event that has made the threat level in a particular country increase. A Situation Warning indicates that non-essential travel should be postponed or cancelled.

Special AdvisoriesSpecial Advisories are driven by significant events that have or have the potential to temporarily affect the overall general security level. Events such as terrorist attacks, nationwide protests, and natural disasters are reported as information becomes available. Each advisory is updated as the situation evolves in the country of concern.


WebWeb--BasedBased

SecureSecureEmail BasedEmail Based

Phone BasedPhone Based

Cascading Response OptionCascading Response Option

Construct unlimited notification plansAssign Recipients for notifications

Import new contact recordsAccess historical reports

Edit and re-launch messages

Telephony (Voice Mail Optional)Pagers (SNPP, WTCP)Email (two way)Fax (phone in reply)Text Messenger (SMS)

Append and launch a notificationAutomatically launch notifications

Receive email reports

Email responses can end the notification (no phone calls needed)

Dial in and launch a plan

Response authorizesa plan

Automatically join a conference call

Text to speechreads notifications

Authorizes a plan from a list of options

Emergency Communications CapabilitySending and Receiving

Mechanism can be used to track employee absenteeism in a pandemic


First Response Escalation – Horizontal Matrix

Recipient 1 and their devices






Start

Finish


Phase Details

1 An influenza subtype that has caused human infection may be present in animals.

2 Animal-to-animal spread of new influenza subtype.

5 Larger cluster(s) but human-to-human spread still localized, suggesting virus is becoming increasingly better adapted to humans, but may not yet be fully transmissible (substantial pandemic risk). 6 Increased and sustained transmission in general population.

3 Human infection(s) with a new subtype, but no human-to-human spread, or at most rare instances of spread to a close contact.

4 Small cluster(s) with limited human-to-human transmission but spread is highly localized, suggesting virus is not well adapted to humans.

When will Symantec activate our pandemic policies?

Alert phase which will trigger Symantec action plans and pandemic HR policies


Corporate Pandemic Preparedness Team

Pandemic Preparedness Team

Chair: Director, BC/DR

Senior Executive SponsorCHRO/EVP

RegionalIncident Management Team

APJ

ISOS Senior Consultant

CorporateIncident Management Team

Pandemic Preparedness Team• VP, RE & Facilities• Mgr, Internal Communications• VP, HR Services - Americas• Sr. Dir, Corporate Legal• Sr. Dir, Security & Safety• VP, HR Services – EMEA & APJ• Dir, Global Benefits• Dir, Global BC/DR Program • Dir, Travel• Sr. Mgr, Facilities - APJ


EMEA


Americas

Site 1Site Executive



Site 1HR Manager

Site 2HR Manager

Site 3HR Manager

Site 1ERT

Site 2ERT

Site 3ERT


Symantec Pandemic Preparedness Program

• The Symantec Pandemic Policy can be viewed at:http://syminfo.ges.symantec.com/bcdr/ppr.asp

• The Symantec Pandemic Plan addresses the following areas:

Section 1 Pandemic Planning StructureSection 2 CommunicationsSection 3 Employee and Response Team Education and TrainingSection 4 Business ContinuitySection 5 Employee HealthSection 6 Reduction of Infection RiskSection 7 Management of Infected/Potentially Infected StaffSection 8 Management of ExpatriatesSection 9 Management of Traveling StaffSection 10 Antiviral Medications

http://syminfo.ges.symantec.com/bcdr/ppr.asp


Program Framework

• Put together a cross-functional, cross-global team to form policy and procedures• Crafted a multi-level policy statement to structure the program and planning:

• Delineated specific action plans by WHO phase designation for:– Types of education, awareness and training– FAQ guides for employees– Information sheets for response teams– Types and frequencies of communications at all levels– Tactical guidelines for response– Strategic guidelines for recovery

• Pandemic policies activated at WHO Phase 4 declaration or first instance of employee impacted by avian influenza

Section 1 Pandemic Planning Structure Section 6 Reduction of Infection Risk

Section 2 Communications Section 7 Management of Infected/Potentially Infected Staff

Section 3 Employee and Response Team Education and Training Section 8 Management of Expatriates

Section 4 Business Continuity Section 9 Management of Traveling StaffSection 5 Employee Health Section 10 Antiviral Medications


On-site: Hygiene Behavior

• Prevention and precaution education on contagion

• Train employees on personal risk reduction:

– Masks– Gloves– Gowns– Social distancing– Facilities screening– Hand washing

– Respiratory hygiene– Cough etiquette– Area cleaning– Food handling– Close contacts of an Avian Influenza case– Quarantine

Reduce risk of employee becoming infected outside facilityReduce risk in home environmentsReduce risk of introduction of virus into facilityReduce risk of virus transmission within facilityManagement of infected/potentially infected staff


Human Resources Pandemic Policies

• Salary continuation/Income replacement – Employees may be eligible under their country disability policy – Salary continuation is applicable to local law and contract agreements

• Employee Assistance Program– Symantec EAP providers will be activated to address pandemic concerns

• Leave of absence– Care for ill family members may be available under country LOA policies– Employees may have job protection under their country LOA policies

• Company sponsored flu vaccinations will be available – Go to: http://hronline.ges.symantec.com– Select your home country/benefits/wellness/flu vaccinations

• HR Global Benefits is in the final phase of benefits integration– HR Online will be updated to reflect benefit policies

http://hronline.ges.symantec.com/


Stockpiling pandemic supplies:

Enterprise-wide implementation:

Recommendations:

Recommendations

Challenges

• All PPE requires certified training• N-95 masks require custom fit-testing • Administration of anti-virals requires

medical expertise• Requires initiatives budget• Management of materials distribution

• Leverage other public sector resources• Prevention and precaution awareness (3)• Hygiene behavior training (4)• PPE and training for ERT functions (4)• Temperature screening (4)• Referral to medical resources local to the

facility for employees and visitors (4)

• New paradigm for HR • Level of tactical/emergency response

training for on-site employees• Difficulty getting budget approval and

time commitment from organization• Activity adjustments by WHO Phase• Remote solutions for workforce continuity

• Benefits and mobility policies Phase thresholds

• Position solutions as slight augmentations of existing programs, use existing

• Get commitment for increased participation and budget when Phases 4 and 5 trigger

• Focus on mobility, dispersion and external options


© 2006 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.

Thank You!

Courtenay Enright, CBCP —Director, Internal BC/DR Programcourtenay [email protected]

Pandemic Preparedness: Case Study - CoopSeminar.com · Pandemic Preparedness: Case Study Courtenay...

Documents

Transcript of Pandemic Preparedness: Case Study - CoopSeminar.com · Pandemic Preparedness: Case Study Courtenay...