The InfoSec Blog
28Apr/09

Swine Flu Issues – insufficient discrimination

The trouble with some people is that they make deceptively reasonable comments that don't stand up under critical analysis:

With an ailing economy and a whole lot of cancelled contracts resulting from
that poor economy. Pandemic planning is a major threat to our most important
asset, people, and it appears as though that vulnerability may have been
activated. It's time to dust off the BCP plan and update it with a Pandemic
Mitigation strategy.

If it takes a pandemic to motivate you to create or review a BCP then
something is seriously wrong, and it has nothing to do with the pandemic.

Pandemic?
As one manager said to me a long time ago, "show me the numbers".
I read:

The number of confirmed cases rose Monday to 50 in the U.S., the result
of further testing at a New York City school. The WHO has confirmed 26
cases in Mexico, six in Canada and one in Spain. All of the Canadian
cases were mild, and the people have recovered.

The Mexican government suspects the virus was behind at least 149 deaths
in Mexico, the epicentre of the outbreak, with hundreds more cases
suspected.

I'm sure just about any doctor - or the 'Net - can supply us with figures on the cases and deaths from 'regular' flu world-wide, as well as the named versions.

Wikipedia tells me:

The annual flu (also called "seasonal flu" or "human flu") kills an
estimated 36,000 people in the United States each year.

The Hong Kong Flu of 1968-1969 (never mind the current outbreak there
http://www.time.com/time/health/article/0,8599,1722633,00.html which the
authorities say isn't as bad as the SARS outbreak) killed an estimated
one million people worldwide though had a low death rate in Hong Kong.
In the United States, approximately 33,800 people died.

So is the current outbreak, with numbers that are a fraction of 1% of those, being fanned by the media in an otherwise quiet news season?

"Show me the numbers".
Well, if I took those numbers to most of the managers I've worked for they would dismiss this risk as "acceptable".

And rightly so.

Perhaps it's not representative, but I recall back in the winter of 2000/2001 - the 'real' turn of the century - I had been conned by large amounts of 'filthy lucre' into working for a department of the Provincial Government. The "Flu Season" brought about its usual absenteeism, and from the departments I dealt with it seems that a rolling absenteeism accorded to "flu" accounted for about 50 people out of around 1,000. I don't know if this is typical for an office-bound workforce.

So when I look at the national and international figures being quoted in the press I get to wonder. As "disasters" that might trigger a BCP go, I've seen many that are more realistic:

* The Great Mississauga Train Disaster of 1979

Over 200,000 people were evacuated and Mississauga became a ghost
town. Businesses there were shut down.
At the time, it was the largest peacetime evacuation in North
American history, and is currently the second largest after the
evacuation of New Orleans, Louisiana following the impact of
Hurricane Katrina.

* Toronto Propane Blast of 2008

This closed the highways and airport and one of Toronto's largest
malls for over 12 hours as well as evacuating the residents and
businesses of the area. Large amounts of asbestos were thrown
about necessitating an environmental clean-up that is still going
on.

* Local Highways closed by overturned vehicles
Too many URLs!
There have been many incidents where the highways are closed for
extensive periods and the backlog of traffic means some people are
stuck on the road for periods that may be as long as 12 hours. In
terms of manning, getting repair crews to your site and many other
scenarios, these are "disasters" enough to impact your business.

When constructing or auditing DRPs I ask my clients how their plans would deal with events like these. There is a definite point to this.
Theoretical models of events and their ALE are all very fine, but good planners look to what has actually happened. I recall an excellent presentation by the security staff at Pearson Airport where they examined their ability to deal with other *real* incidents that had occurred at other airports.

Many of my clients have become upset when I point out that the same kind of "disaster" that would trigger their DRP might also mean that their key staff would be unable to get to the alternate sites, that the alternate sites may themselves be unavailable or that the staff would rather be with their families.

What we need in a DRP is not a Pandemic Response but a response to the more common but often more dramatic incidents.

DRPs are about contingencies. Unless you are willing to construct the "Garden of Forking Paths" to deal with those contingencies the DRP exercise is useless. Having just one DRP and assuming everything will go according to that plan is foolhardy.

When I look back to the SARS outbreak and epidemic and how that was handled, I get to wonder if the way the current 'flu outbreak is being handled has more to do with a political guilt-trip than with any realistic response.

Because when I look to the numbers and progress of SARS and compare it to what's going on with this current 'flu, there is something very wrong.

Posted by antonaylward
