It's too early to say whether or not the swine flu will rise to pandemic proportions; so far, as is their wont, news media seem to be blowing the disease all out of proportion and public health agencies have reacted defensively so as to avoid any accusations of under-reaction. Still, it's a healthy reminder for CIOs that electronic viruses are not the only sort which can lay operations low... for all the automation in today's IT environment, it's still extraordinarily reliant on people. How much consideration have you put into disaster plans for human disasters... major disease outbreaks, for instance, which may restrict your staff from on-site presence or may reduce your headcount dramatically for a variety of reasons?

The SANS ISC handler last weekend posted a brief thought on the subject, which lead to this 2007 article by Randy Nash on the subject. Only the last two pages of the article have direct bearing on IT operations, and are a brief overview at best, but they might provide a good place for you to start when you consider the impacts on your own department. IT may in fact be the best prepared unit in the average company to deal with this sort of disaster; IT staff are typically comfortable and well-versed in operating remotely, and most IT applications are configured to allow such access. This might prove to be a curse disguised as a blessing; many responsibilities might devolve to IT which aren't currently in its purview when the CEO realizes it is the most functional department left in the organization.

To avoid this state of affairs, and to better prepare the business as a whole, additional emphasis might be made on remote access options and dispersed operations through networked communications as a matter of course. At least one former client had such a plan in place for any sort of disaster recovery scenario; cheaper than a hot-site, easily viable with modern telecommunications technologies and hosting services, I am surprised this approach isn't already receiving more attention. Preparations have the added dividend of moving the company in a direction that most are already heading, toward greater flexibility and resiliency.

NOC operations are another matter. The proclivity of people to hunker down and focus on friends and family, neglecting jobs at such times, is only natural. Some consideration should also be made to motivating factors and assurances that the company will still be around tomorrow and has some concern for staff and their families in a time of crisis. Johannes Ullrich, the SANS handler mentioned above, says, "Don't count on locking up your NOC staff in the NOC. They want to be home with family. Be ready to operate in "lights out" mode remotely with minimal or no staff." I wonder, however, if it might not be better to offer to let staff bring their families into the NOC; it's a safer and more environmentally isolated place than most people's homes. You will have unauthorized people in the building, sure, but you'll also have your critical staff on hand and available where otherwise they might be inclined to avoid work altogether. Bonuses or other guarantees might also show staff that the company recognizes their risks and values their time if they will continue to work through a crisis.

Dealing with traffic in swamped cell nodes and ISP trunks might be the linchpin which all this truly hangs on, however. It does little good if your datacenter is up and running, and if all your staff have laptops and remote access, if their local telecom providers are swamped in other panic traffic. This is where the subject of diversifying your communications capabilities, as discussed briefly last week in the wake of the Morgan Hill incident, comes in to its own. I mentioned at the time that there were other benefits to increasing your communications options beyond simply providing solid e-mail access, and this may be among them. Providing a reduced functionality or lightweight version of corporate applications might also allow operation even on flooded lines. Many organizations are already working on options of this sort for mobile devices; it would be no bad thing to fold them into disaster planning as well.

In short, you have more options than ever for being ready for societal as well as technological disasters... all that remains is to consider and plan for them.