SARS-CoV-2 or 2019-ncov coronavirusIn early 2018, outbreaks of a novel parainfluenza virus erupted in Frankfurt, Germany and Caracas, Venezuela.  United States soldiers serving abroad contracted the virus, and an exchange student returning to a small New England college campus triggered the initial cases in our country.  The virus spread by coughing and caused severe symptoms in about half of those infected, killing 20% of severely ill patients.  With no vaccination available, the novel virus spread rapidly across the globe.  Within a year, the virus – Clade X – killed 15 million Americans and 150 million people world-wide.

This actually happened two years ago … in a tabletop exercise hosted by Johns Hopkins Center for Health Security in Washington D.C.  Like its predecessors Dark Winter (2001) and Atlantic Storm (2005), the Clade X tabletop exercise featured subject matter experts in the unscripted roles of senior U.S. government officials reacting to a dense, unfolding fact pattern, based upon extensive scientific data and modelling, that realistically captured the likely variables and decision points in response to a national security crisis.  This time the crisis was a global pandemic, and Clade X revealed significant gaps in our pandemic response preparedness.

Clade X was not our most recent pandemic test event.  From January to August, 2019, the U.S. Department of Health and Human Services ran the Crimson Contagion planning exercise, with officials from a dozen states, various federal agencies, and non-governmental organizations working through response to a simulated viral pandemic originating in China.  Crimson Contagion’s findings were specific, blunt, and bleak, revealing widespread confusion between federal agencies and also between federal and state actors in coordinating response actions, such as in defining which workers were “essential,” handling school closures, and procuring sufficient personal protective equipment, ventilators, and medications.

Beyond “pre-mortem” exercises, post-mortem reviews identified our strengths and weaknesses in handling actual outbreaks, such as the July 11, 2016 NSC report capturing extensive lessons learned from our response to the 2015 Ebola outbreak.

The Lesson for Information Governance?

Clade X, Crimson Contagion, and the NSC’s post-Ebola review were each tests of our pandemic preparedness, examining whether we had identified the key pandemic risks and had put in place the appropriate structures, direction, and resources to adequately control those risks.  The results of these tests confirmed that, while much of our pandemic response planning was sound, significant gaps existed and needed to be addressed.

Information Governance is no different.  Understanding information risks and opportunities is crucial, and planning the structure, direction, and resources to address them is important.  But without testing, one never knows whether we are on track or off-the-mark.

Such testing can take many forms:

  • Program Review – Using internal personnel or an outside provider, some or all of an organization’s IG program can be reviewed for alignment with its objectives and for performance against its goals and measures.
  • Internal Audit – The organization’s internal audit function can audit the performance of the IG program generally, or can include IG expectations and measures in broader audits of specific departments or functions.
  • Third Party Testing specific aspects of an organization’s IG program can be tested by a third party, such as penetration testing regarding technical security of the organization’s data systems.
  • Independent Audit the organization can engage an independent auditor to evaluate and report on its information practices and controls, such as a SOC 2 audit, type 1 or 2.
  • Third Party Certifications The organization can pursue independent certification of facets of its IG program, such as ISO 27001 certification of the security of its information systems and practices.
  • Post-mortem Review – The organization can conduct a ‘lessons-learned” exercise, preferably attorney/client privileged, to explore the causes and effects of a recent information episode, learning what about what worked well, what did not, and how the IG program can be improved.
  • Pre-mortem Exercises   The organization can run an attorney/client privileged simulation, either a pure tabletop exercise or a “whistle-stop” scenario discussion, with a fact pattern selected to hone in on key risks and vulnerabilities.  These are particularly valuable when a range of key players need to coordinate across departments or functions, such as in business continuity or breach response scenarios.

Our third pandemic response lesson for Information Governance is that testing compares planning with reality.  Organizations that test their IG capabilities will see how to improve their systems for retaining, preserving, securing, and compliantly disposing of information.  Data is not static, and dynamic risks require a dynamic governance response, so reviewing, exercising, and improving the program is essential.