Gonzalo Romero is the Chief Information Security Officer for .CO Internet, the Colombian ccTLD manager (.CO). In this interview, he discusses the effects of the coronavirus pandemic (COVID-19) on the business continuity and operations of ccTLDs. He also explains the importance of keeping business continuity plans up to date to deal with changing circumstances.
What is a business continuity plan?
A business continuity plan is an organization’s strategy to preserve the operations, mission statement, policies and procedures in the event of a disruption that could affect the stability, security and performance of its resources, particularly human resources and the safety of those who work for it.
The aim is to develop a scheme that will enable the organization to continue operating in the face of emergencies such as environmental hazards, terrorism, cyber-security, failure to provide services or, as is currently the case, a pandemic. The plan should include the measures to be taken in order to ensure that the mission and/or core business is not disrupted, i.e. to make them resilient. Thus, regardless of what is happening in its internal operations, the user or the service as such will not be affected.
What elements should be included in a business continuity plan?
The plan is set out in an action document. This document covers the scope of the plan and the assumptions regarding feasible scenarios; evaluates the assets and features of the organization; performs a risk management and threat assessment, such as: pandemic, loss of human resources, expert personnel, natural disasters, deliberate or organized disruption, loss of services, system failures or information security incidents. The document also includes a section on operations, which details readiness, response and mitigation actions. Finally, there is a section containing a list of notifications or reviews for any situation affecting continuity. This section specifies who can be contacted to follow up on the plan and clear up any doubts about its content and guidelines.
How is this plan adapted in a pandemic scenario?
In a pandemic like the one we are facing, it is very important to maintain social distancing. Human resources are required to maintain conditions of health care and well-being for staff, their families and their community. In this regard, what we have seen is that organizations, based on recommendations and even government regulations, have taken the decision to have almost all of their staff working from home.
An important caveat is that when such drastic measures are taken, we need to take a good look at what is called installed capacity. When an organization evaluates whether it should implement remote working, it has not necessarily considered the capacity required for having all its staff working from home. Often, it assumes that employees have all the technology, space and facilities to work from home. Therefore, one must think about challenging questions such as: Do I have enough virtual private network capacity? Do remote workers (and their families) have enough bandwidth in their Internet connection? Are there suitable working conditions: chair, desk, space, lighting, etc.?
We have to measure whether our workers have sufficient installed capacities to ensure optimal operation, as well as whether the organization itself has the capacities to provide all the technological requirements at each level.
In organizations responsible for managing a ccTLD, what are, in a remote working setting, the measures that have to be carried out under this plan to ensure digital security and the proper operation of the DNS?
The measures should involve continuous and comprehensive monitoring. I think all of us, particularly in domain name registration and DNS management organizations, need to be alert and have very good monitoring, tracking and traceability tools. In our dashboards, we have to be very sharp in identifying yellow and red alerts regarding capabilities in certain core or mission-critical services. This monitoring (which must always be carried out, even if there is no critical situation ahead) helps us to establish where we need to improve capacity, where we need to optimize it. When the time comes, we are not going to be able to solve the problem immediately, we are going to have to solve it during the crisis itself. For example, in a scenario like the present one, many organizations notice after two days that some remote workers do not have a computer screen suitable enough for their work. Since they have very good ergonomic conditions in the office, they had never foreseen what would happen if workers had to work from home. In such cases, the problems must be solved as they arise, with the joint support of the worker, to ensure no further difficulties are added to the crisis.
Has .CO established an operational continuity plan for the pandemic? What measures have you taken and what do you plan to do next if the spread continues to increase?
The first step was to make the organization aware of the situation and then act accordingly. Before making such a decision, we had to assess how prepared we were for remote working. This involved reviewing, both from a corporate and an individual perspective, whether we had the resources to work remotely, whether each person in their home had the resources to continue with their tasks. If this was not the case, we took care of providing additional support. And now we are at the stage of adjusting to this new model of remote working and seeing, based on the progress of this scenario, how to move forward. It is important to move one step further to identify what are the next measures to be taken.
We are a small group of people, but what we have seen is that there are issues that we definitely can't stop doing. We have found in this process that there are things to work on. Currently, I have to go to the office once a week to check the status of the equipment, the temperature of the local data center, do routine physical monitoring. Some of us have to go to the office for paperwork. These are things that are adjusting over time and will surely increase or decrease in frequency as other stakeholders (users, suppliers) also become aware of the situation and start using digital channels to send information.
As the plan is implemented, it is important to have the flexibility to change the things that are proving to be unsatisfactory. The plan is dynamic and has to be flexible. It has to be able to shift, to open up, to give opportunities to new scenarios, especially in such uncertain circumstances as those we are facing. We do not know when this crisis will end, but it is clear to us that we must continue with our operation, we must continue with our mission, under a very clear concept of awareness, accountability, self-regulation and compliance with the authorities' directives.
What actions should a ccTLD take for the Registrants, who are also likely to be in a crisis situation? Should the Registry evaluate any measures in the business continuity plan, whether for a pandemic or some other type of emergency?
We need to identify that, as a ccTLD, the number of calls, concerns or requests will increase. The demand on your customer service is going to increase, since the employees of the Registrants are not going to work in an office but under different conditions. You have to adjust. This reality impacts all of us in the same way, so we must show understanding to the users, but also make them see how we are guaranteeing the service. Because we are also being affected.
Do you have any final remarks?
I believe that at this time, more than ever, the commitment, cooperation and collaboration between the ccTLDs around the world is very important. We must join efforts, share best practices and ensure the continuity of our services, whether they are mission-critical or not, in order to guarantee the right conditions of stability, security, performance, reliability and resilience of the DNS and the Internet.