K-12 Business Continuity: A Pandemic Focus

Guest post by April Mardock, Information Security Manager, Seattle Public Schools


UPDATED:

  • March 12: Added downloadable sample skills map and vendor contact list and made factual corrections.
  • March 2: Added new resources.

There’s a lot of concern about the approach of COVID-19 (also known as coronavirus) here in the Seattle area. We are a port city with a lot of international trade and visitors. This has led to discussions of preparations for a pandemic at the city, state and federal levels.

What is a pandemic? The World Health Organization (WHO) defines a pandemic as a worldwide spread of a new disease. We haven’t yet have reached official pandemic status, but and virus outbreaks have been reported across six continents. It moves easily between human hosts, spreads via the air, it can persist on hard surfaces for 7 3 days, and it kills over 2% of the humans it infects. That’s 20x more lethal than the regular flu.

Dr. Nancy Messonnier, director of the US Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases, said as recently as two days ago that businesses, schools, communities and families in the United States should be preparing for the virus to disrupt their lives. It’s not a question of if, but when and “and how many people in this country will have severe illness,” she said.

Global case numbers are reported by the World Health Organization.


So what practical steps can school districts and other K-12 agencies take?

First, it is important to step back and realize that a pandemic could and should be treated just as an extension of your existing business continuity plan (BCP) or continuity of operations plan (often known in K-12 as a COOP). It’s a bit like an off-site disaster relocation exercise.

But what if you don’t have a BCP or COOP?

Let’s assume for this exercise that you’ve now lost 30-40 percent of your staff either directly to sickness or to caring for others. Here are the questions you probably want to answer – once you’ve warned everyone who is sick to stay home and educated your remaining staff about safety precautions. – so you can make the most of your remaining staff.

In my support role, I’m asking myself questions like: how would we do payroll remotely if the central office and schools were closed? Do I have enough VPN capacity to support all the remote workers that need it? Do playbooks or other how-to documents exist if critical key players are absent? What about my vendors – do I need to find backups if they become short-staffed or are unable to deliver necessary equipment or supplies because of COVID-19 related issues? Do I have enough licenses for online learning platforms?

Below is some slightly modified guidance I borrowed from a State of Washington pandemic response plan from several years ago.

Questions to Address:

  • What are the agency critical functions, services, and processes that must continue during any emergency event?
  • How will the agency identify and prioritize critical functions?
  • How will the agency maintain staffing levels for critical functions under duress?
  • Have you explored human relations/collective bargaining rules related to leave policies, alternative work schedules, telecommuting, etc?
  • Have you explored with your IT staff the possibilities of additional staff working remotely or with alternative technologies?

Planning Checklist:

  • Identify critical functions and processes within your agency that must continue (e.g., payroll)
    • Prioritize life/health/safety
    • Functions and processes essential to accomplishing the mission of the agency during an emergency
    • Functions that need to be provided during any emergency event
  • Identify and assign key team leads and alternates
    • Identify positions needed to carry out critical functions
    • Identify and assign team members by location
    • Document process & task checklists
  • Work with leadership to craft communication plan templates
  • Identify staff that can be cross trained to backfill critical functions
  • Verify playbook and how-to guides exist for critical functions
  • Identify functions that can be suspended while staff are reassigned to critical functions
  • Determine whether critical functions could be performed through flex shifting
    • Establish shifts, longer hours of operations, alternate work days, etc.
    • Review human resource and labor policies regarding the implementation of flex schedules
  • Identify critical functions that can be performed via telecommuting
  • Identify technology needs related to large-scale telecommuting and conference calling
    • Pre-establish conference bridge lines and status call schedules by division
    • Consider leveraging Teams or Skype via mobile devices (or similar technologies) for group collaboration
    • Identify the number of laptop computers needed, availability, and verify access to agency content remotely
  • Conduct staff “plan walkthroughs” to identify inconsistencies and/or areas of confusion
  • Consider other impacts a pandemic may have on the agency’s provision of services
    • Supplies of materials needed for work may be disrupted
    • Availability of services from contractors may be impacted
    • Demand for infrastructure services may be impacted
    • Demand for some services may increase (e.g., telephone and internet access)

The key here is not to panic, but use that energy to plan and protect your students and your staff. You want to be as ready as you can be when an emergency strikes.


Sample Skills Map and Vendor Contract List to assist with continuity planning. Click map to link to downloadable Google Sheet.


References and Other Useful Links:


April Mardock has supported cybersecurity and InfoTech in 132 different companies. She is well versed in complex, multilayered environments, and is currently the functional CISO for more than 60,000 users at Seattle Public Schools. She holds a masters in IT and a CISSP security certification, as well as several other industry specific certs. April’s currently responsibilities include site-based technology audits, infosec policy management, disaster recovery and business continuity consulting, firewall management, penetration testing, email spam and web filtering, and on-site network forensics.