Measuring Security Risk and Response to COVID-19
Contributor: George Campbell, SEC Subject Matter Expert, former CSO, Fidelity Investments
Where this issue may fit in the pandemic phases: Hot spots, next waves, phased recovery, intense monitoring
COVID-19 has focused the world on metrics. We are bombarded every day with grim counts of victims, percentages of testing and other business and home front statistics. Your organization should be intimately involved with the overall corporate crisis management activities and, as such, you will need to be crafting a responsive set of measures for reporting on key areas of risk exposure and Security's planful response.
Until a suite of effective COVID-19 treatments or a vaccine is widely available, you need to focus on measuring Security's contribution to virus risk mitigation and remediation efforts as well as anything that promotes or threatens business resumption and continuity. We are seeing many of our colleagues leveraging information from reliable public health resources to aid in decisions related to business re-entry/resumption, travel and hot spot contingency plans. As you develop a tactic, program, or process in response to COVID-19, assign the appropriate performance measures for reporting.
Because this pandemic has driven significant work away from the traditional workplace into employee homes, businesses will be challenged to assess our legal and programmatic definitions of corporate duty of care. Within that new context, Security should be addressing how their company's approach to safety and a "secure workplace" should be measured and what metrics should be reported. Some of the ideas you will see in the Security measures below simply try to measure which issues are being raised to the level of measurement and reporting. If employees previously saw something suspicious in the office or on the factory floor, there was a protocol for reporting ("see something, say something"). We now need to know if there are threats and issues that impact our people and business operations in this new venue called home.
Since this crisis demands teamwork, a collaborative approach is essential for building a responsive set of actionable metrics with your HR and governance colleagues as well as business stakeholders. Many of the following fall into that enterprise-level profile. Finally, this is a financial crisis presaging a recession. The pressure is on every business element to demonstrate how it is directly contributing to the bottom line. Security's value metrics have never been more critical to our people and programs. When you demonstrate that a safeguard Security employs is directly preventing or measurably contributing to the protection of critical assets, tell the story.
ENTERPRISE MEASURES FOR COVID-19 RISK DRIVERS
- % of total workforce tested positive
- % of daily or weekly increase/decrease in workforce reported cases and fatalities
- % of essential workforce tested positive and unavailable
- % confirmed capability for local testing (local on-demand testing)
- # of key executives and key personnel tested positive by location
- % of sites with established local protocols to assure timely availability of reliable public health information
- % of required PPE available per site for approved duration of operations
- in-house operations (e.g., Security guards, cleaning, IT) audited for compliance with communicated guidelines
- % trend increase in EAP calls and by category: depression, attempts at self-harm, suicide, victim of domestic violence, substance abuse, anxiety
- # of staff, visitors, contractors denied access due to COVID-19 symptoms screened at workplace entry locations
- Days facilities remain operational without COVID-19 incidents or outbreaks
- # of domestic and international business trips deemed essential
- # of essential on-site vendors (e.g., data center, housekeeping, facilities) tested positive
- # of special disinfecting cleaning incidents from suspicious COVID-19 incidents
- # of social media comments posted by associates regarding COVID-19 work topics. Number of negative and positive comments.
SECURITY MEASURES FOR COVID-19 SECURITY RESPONSE
- % of Security staff hours directly linked to COVID-19 response
- # of sources monitored by the GSOC or Security teams to maintain authoritative and actionable COVID-19 risk reporting for management
- Month over month % increase in advisories, alerts and warnings issued by the GSOC directed to COVID-19 risk management operations
- # approved home-based business applications compromised and investigated and % with successful closure per reporting period
- # Business applications loaded by those working at home that contributed to a breach or caused a risk event
- # security-related issues reported by remote workers per reporting period
- # of at-home work infosec and physical threats identified and % of confirmed for mitigation per reporting period
- % of remote workforce PCs, laptops and mobile devices with endpoint protection including VPN tools and encryption
- # domestic violence or restraining orders reported to law enforcement and/or Security by at-home employees per reporting period
- # employee residential physical and logical security enhancements requested and performed per reporting period
- # of workforce notifications or alerts to address critical health and safety information
- # warnings or disciplinary actions taken per location to enforce communicated COVID-19 policy and guidelines
- % of threats from furloughed, laid off, or dismissed employees (including vendor employees) investigated and closed with positive results per reporting period
- % throughput capacity at facility/building entry points with tested safeguard countermeasures in place
- Month over month % increase/decrease in cyber-attacks, all sources
- % of incoming mail and packages being screened and treated per site
- % of owned spaces (by site) prepared consistent with guidelines for re-entry and approved operations
- % of leased space confirmed as meeting guidelines for re-entry and approved operations
- % of primary and back-up COVID-19 on-site protection team staff trained and available
- % of required plans in place and tested for crisis team response to a confirmed contamination in the workplace.
- % of key GSOC/other critical response Security personnel with trained and available back-up
- # COVID-19 phishing emails reported by remote workforce
- Call trends to GSOC for COVID-19 related issues
- % of shift coverage gaps for contract security due to COVID-19
- Call trends for employee confidential hotline regarding COVID-19
- Increase of contractor overtime due to COVID-19 illness
- % change in number and types of reported security and safety incidents assignable to COVID-19
- % of data loss prevention alerts and origin (home or office)
- Total time it takes to respond to health official contact tracing requests
- Number of systems and applications used to complete contact tracing
- Number of security spot checks of housekeeping cleaning protocols. Number of infractions found, or behaviors corrected.
- % of at-home workforce who have acknowledged security policy and procedures for remote work
- Identify where Security operations have been modified, scaled back, and reduced in response to COVID-19 with direct impact on "must" do mission operations
For more resources see SEC's COVID-19 Security Related Resources