You learned from the news that the World Health Organization (WHO) is closely monitoring a novel deadly coronavirus under spreading. As a CISO, which of the following will you do first?
A. Implement emergent update for latest antivirus signatures
B. Conduct the exercise of the Occupant Emergency Plan (OEP)
C. Enable the incident response plan and security incident response team
D. Review and test the business continuity plan (BCP)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Review and test the business continuity plan (BCP).
IMO, BCP is better than OEP.
OEP indeed is the plan to deal with events such as a fire, bomb threat, chemical release, domestic violence in the workplace, or a medical emergency. Those events are typically emergent and unplanned, so first-response procedures such as evacuation or shelter-in-place are developed.
However, I suggest to review and test the business continuity plan (BCP) first. BCP first doesn’t mean it ignores the threats to the health and safety of personnel. Instead, it can take care of both the personnel and business, because plans are rarely developed or executed on their own and BCP typically includes other plans, such as the Occupant Emergency Plan (OEP), crisis communication plan, and other plans.
COOP applies to the US government departments/agents only; it is the relocation version of BCP. Most of the enterprises develop the BCP that incorporates the requirements of COOP.
Emergency is the “unintended circumstance, bearing clear and present danger to personnel or property, which requires an immediate response.” (ISO/TR 15916:2015)
The OEP outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. Such events include a fire, bomb threat, chemical release, domestic violence in the workplace, or a medical emergency. Shelter-in-place procedures for events requiring personnel to stay inside the building rather than evacuate are also addressed in an OEP. OEPs are developed at the facility level, specific to the geographic location and structural design of the building. General Services Administration (GSA)-owned facilities maintain plans based on the GSA OEP template. The facility OEP may be appended to the COOP or BCP, but is executed separately and as a first response to the incident.
Source: NIST SP 800-34 R1