Examining the Regulatory LandscapeExamining the Regulatory Landscape

Al BermanAl BermanDRI InternationalDRI International

Continuity InsightsApril 27, 2009

2

Consumer Credit Protection ActConsumer Credit Protection ActOMB Circular AOMB Circular A--130130FEMA Guidance DocumentFEMA Guidance DocumentPaperwork Reduction ActPaperwork Reduction ActISO 27002 (Previously ISO17799)ISO 27002 (Previously ISO17799)FFIEC BCP HandbookFFIEC BCP HandbookComputer Security ActComputer Security Act12 CFR Part 1812 CFR Part 18Presidential Decision Directive 67Presidential Decision Directive 67FDA Guidance on Computerized SystemsFDA Guidance on Computerized Systems

used in Clinical Trialsused in Clinical TrialsANSI/NFPA Standard 1600ANSI/NFPA Standard 1600Turnbull Report (UK)Turnbull Report (UK)ANAO Best Practice Guide (Australia)ANAO Best Practice Guide (Australia)SEC Rule 17 aSEC Rule 17 a--44FEMA FPC 65FEMA FPC 65CARCARJHACOJHACO

SarbanesSarbanes--Oxley Act of 2002Oxley Act of 2002HIPAA, Final Security RuleHIPAA, Final Security RuleFFIEC BCP Handbook FFIEC BCP Handbook --2003/ 20082003/ 2008Fair Credit Reporting ActFair Credit Reporting ActNASD Rule 3510NASD Rule 3510NERC Security GuidelinesNERC Security GuidelinesFERC Security StandardsFERC Security StandardsNAIC Standard on BCPNAIC Standard on BCPNIST Contingency Planning GuideNIST Contingency Planning GuideFRBFRB--OCCOCC--SEC Guidelines for SEC Guidelines for

Strengthening the Resilience of USStrengthening the Resilience of USFinancial SystemFinancial System

NYSE Rule 446NYSE Rule 446California SB 1386California SB 1386Australia Standards BCM HandbookAustralia Standards BCM HandbookGAO Potential Terrorist AttacksGAO Potential Terrorist Attacks

GuidelineGuidelineFederal and Legislative BC Federal and Legislative BC

Requirements for IRSRequirements for IRSBasel Capital AccordBasel Capital AccordMAS Proposed BCP Guidelines MAS Proposed BCP Guidelines

(Singapore)(Singapore)NFA Compliance Rule 2NFA Compliance Rule 2--3838FSA Handbook (UK)FSA Handbook (UK)BCI Standard, PAS 56 (UK)BCI Standard, PAS 56 (UK)Civil Contingencies Bill (UK)Civil Contingencies Bill (UK)

PostPost--9/119/11

PrePre--9/119/11

1991 - 2001 2002 -------------------------------------------------------2008

FPC 65FPC 65NYS Circular Letter 7NYS Circular Letter 7

ASISASISState of NY FIRM White Paper on CPState of NY FIRM White Paper on CPNISCC Good Practices (Telecomm)NISCC Good Practices (Telecomm)

Australian Prudential Standard on BCMAustralian Prudential Standard on BCMHB221HB221HB292HB292

BS25999BS25999SS507 SS507 –– SS540SS540

TR19TR19CA Z1600CA Z1600

ISO/PAS 22399ISO/PAS 22399

DRIIDRII

Title IX Title IX –– 110110--53 53

3

BCP Standards for Financial Institutions

Federal Financial Institutions Examination Council (FFIEC) BCP Handbook

– Business continuity planning is about maintaining, resuming, andrecovering the business, not just the recovery of the technology.

– The planning process should be conducted on an enterprise-wide basis.

– A thorough business impact analysis and risk assessment are the foundation of an effective BCP.

– The effectiveness of a BCP can only be validated through testing or practical application.

– The BCP and test results should be subjected to an independent audit and reviewed by the board of directors.

– A BCP should be periodically updated to reflect and respond to changes in the financial institution or its service provider(s).

not just the recovery of the technology

4

BCP Standards for Financial Institutions

NASD Rule 3510Rule 3510 will require a business continuity plan that addressesRule 3510 will require a business continuity plan that addresses, at a minimum:, at a minimum:

– Data back-up and recovery (hard copy and electronic)– Mission critical systems– Financial and operational assessments– Alternate communications between customers and the firm– Alternate communications between the firm and its employees– Business constituent, bank and counter-party impact– Regulatory reporting– Communications with regulators

5

BCP Standards for Financial Institutions 

NYSE Rule 446

National Association of Insurance Commissioners (NAIC)

National Futures Association Compliance Rule 2-38

(a) Each Member must establish and maintain a written business continuity and disaster recoverywritten business continuity and disaster recoveryplanplan that outlines procedures to be followed in the event of an emergency or significant business disruption. The plan shall be reasonably designed to enable the Member to continue operating, to reestablish operations, or to transfer its business to another Member with minimal disruption to its customers, other Members, and the commodity futures markets.

(a) Members and member organizations must develop and maintain a written business continuitywritten business continuity and contingency plan establishing procedures to be followed in the event of an emergency or significant business disruption. Members and member organizations must make such plan available to the Exchange upon request.(b) Members and member organizations must conduct a yearly reviewyearly review of their business continuity and contingency plan to determine whether any modifications are necessary in light of changes to the member's or member organization's operations, structure, business or location.

6

BCP Standards for Financial Institutions

Electronic Funds Transfer Act - held that banks were liable for actual damages caused by failing to transfer funds in a timely fashion. This required the establishment of contingency plans to meet the standard of “reasonable” standard of care (the care that a reasonable man would (the care that a reasonable man would exercise under the circumstances; the standard for determining lexercise under the circumstances; the standard for determining legal egal duty.)duty.)

Basel Committee’s Capital Accords and Sound Practices for the Management and Supervision of Operational Risk - “Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.” – Seventh Principle in Sound Practices for Management and Supervision of Operational Risk

Reserve Bank of India - Operational Risk Management - Business Continuity Planning - Business Continuity planning is a key pre-requisite for minimising the adverse effects of one of the important areas of operational risk – business disruption and system failures.

FINRA (Financial Industry Regulatory Authority)Business Continuity Planning

NASD Rules 3510 and 3520 require firms to create and maintain business continuity plans (BCP) to use in the event of a significant business disruption. 

Rule filings associated with Business Continuity Planning (SR‐NASD‐2002‐108)

FINRA’s Business Continuity Plan

Small Firm Emergency Partner Program: A Voluntary Addition to a Firm's BCP

Securities and Exchange Commission / Board of Governors of the Federal Reserve System / Office of the Comptroller of the Currency Joint White Paper on Business Continuity Planning

The Disaster Recovery Institute

Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security

7

8

BCP Standards for Insurance Companies

NYS Circular Letter 7

– Board of Directors support

– Training and education

– Scenario based and operational plans

– Testing and communications plans

– Annual updates and changes submitted to the Department, starting

on June 1, 2005

9

NOT JUST IT

United StatesFFIEC FFIEC –– March 2008March 2008– “Business continuity planning is about maintaining, resuming, and

recovering the business, not just the recovery of the technology.”

“The planning process should be conducted on an enterprise-wide

basis”.

10

NOT JUST IT

Singapore

Monetary Authority of Singapore – June 2003– “Business Continuity Management (“BCM”) is an over-arching

framework that aims to minimise the impact to businesses due to

operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on

the rapid recovery and resumption of critical business functions for

the fulfilment of business obligations.”

11

NOT JUST IT

Australia

Australian Prudential Standard Australian Prudential Standard –– April 2005April 2005– “Business continuity management (BCM) describes

a whole of business approach to ensure critical business functions

can be maintained, or restored in a timely fashion”

Not Just IT

12

•• FFIEC FFIEC –– March 2008March 2008“Business continuity planning is about maintaining, resuming, and

recovering the business, not just the recovery of the technology.” “The planning process should be conducted on an enterprise-wide basis”.

•• Australian Prudential Standard Australian Prudential Standard –– April 2005April 2005“Business continuity management (BCM) describes a whole of

business approach to ensure critical business functions can be maintained, or restored in a timely fashion”

• Monetary Authority of Singapore – June 2003“Business Continuity Management (“BCM”) is an over-arching

framework that aims to minimise the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.”

13

BCP Standards for the Healthcare/Life Science Industries

Health Insurance Portability and Accountability Act of 1996 (HIPAA), Final Security Rule

7. Contingency Plan (§ 164.308(a)(7)(i)) We proposed that a contingency plan must be in effect for responding to system emergencies. The plan would include an applications and data The plan would include an applications and data criticality analysis, a data backup plan, a disaster recovery plcriticality analysis, a data backup plan, a disaster recovery plan, an an, an emergency mode operation plan, and testing and revision proceduremergency mode operation plan, and testing and revision procedures.es.In this final rule, we make the implementation specifications for testing and revision procedures and an applications and data criticality analysis addressable, but otherwise require that the contingency features proposed be met.

14

HIPAA BCP REQUIREMENTSContingency Plan

164.308(a)(7) Data Backup Plan

(R)

Disaster Recovery Plan

(R)

Emergency Mode Operation Plan

(R)

Testing and Revision Procedure

(A)

Applications and Data Criticality Analysis

(A)

Is it enough ????•State privacy laws are NOT preempted by federal privacy rules, unless there is a

direct conflict

•If state law is “more stringent,” or covers an area not covered by federal rules,

state law controls

15

BCP Standards for the Healthcare/Life Science Industries

FDA’s GxP: Good Practices

FDA Guidance on Computerized Systems in Clinical Trials

IX. SYSTEM CONTROLS

B. Contingency Plans

Written procedures should describe contingency plans for continuing the study by alternate by alternate means in the event of failure of the computerized systemmeans in the event of failure of the computerized system..C. Backup and Recovery of Electronic Records

Backup and recovery procedures should be clearly outlined in the SOPs and be sufficient to protect against data loss. Records should be backed up regularly in a way that would prevent a catastrophic loss and ensure the quality and integrity of the data.

Manufacturing

Laboratory

Clinical

16

BCP Standards for the Energy Industry

Federal Electric Reliability Council’s (FERC) Security Standards for Electric Market Participants, July 2002

North American Electric Reliability Council’s (NERC) Security Guidelines for the Electricity Sector, June 2002

Business Continuity:Every participant operating a critical electric resource shall have contingency planscritical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Those plans should further define the roles, responsibilities and actions needed to quickly recover or reestablish electric grid and market functions, processes and systems, in the event that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or exercised regularly.

Continuity of Business Processes:Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations when interruptions occur. Consider flexible plans that address key areas such as telecommunicationsflexible plans that address key areas such as telecommunications, , information technology, customer service centers, facilities secinformation technology, customer service centers, facilities security, operations, generation, power urity, operations, generation, power delivery, customer remittance and payroll processesdelivery, customer remittance and payroll processes.. It is useful to revise and test plans on a regular basis. It also is advisable to train personnel so they fully understand their roles with respect to the plans.

17

Cross‐Industry BCP Standards

Sarbanes-Oxley Act of 2002SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.(b) INTERNAL CONTROL EVALUATION AND REPORTINGINTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

IS THERE BCP IN SARBANES-OXLEY????

18

Is There BCP in Sarbanes‐Oxley?

PCAOB (Public Company Accounting Oversight Board)

NO“Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data.

Therefore, a company's business continuity or Therefore, a company's business continuity or contingency planning is not part of internal control over contingency planning is not part of internal control over financial reporting."financial reporting."

19

Is There BCP in Sarbanes‐Oxley?

Practitioners

YES

20

Municipal Governments

“Therefore, I have ordered the Department of Homeland Security 

to undertake an immediate review, in cooperation with local 

counterparts, of emergency plans in every major city in 

America.”

President Bush 9/15/05

21

Continuity of Operations (COOP)

Continuity of Government (COG)

FEMA Federal Preparedness Circular (FPC) 65

–Originally Issued – June 1999 – James Lee Witt

–Revised – June 2004 – Michael Brown

Municipal Governments

22

Rating COOP Compliance FEMA 65 Crosswalk

A. Plans and Procedures B. Essential Functions C. Delegations of Authority D. Orders of Succession E. Alternate Operating Facilities F. Interoperable Communications G. Vital Files, Records and Databases H. Human Capital I. Test, Training and Exercise Program J. Devolution of Control and Direction K. Reconstitution Operations L. Agency Head Responsibilities

23

Are They A Client?

FFIEC – Appendix E ‐ Interdependencies

-THIRD‐PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS--outsourcing information, transaction processing, and settlement outsourcing information, transaction processing, and settlement 

activities activities 

-Institutions should review and understand service providers' 

BCPs and ensure critical services can be restored within 

acceptable timeframes based upon the needs of the institution

‐ If possible the institution should  consider participating in their 

provider’s testing process. 

HOW FAR DOES THIS EXTEND?????

24

Are They A Client?

HIPAA – Business Associate (aka Chain of Trust)

–the business associate must--(1) implement safeguards that reasonably and appropriately protect the confidentiality,integrity, and availability of the electronic protected healthinformation that it creates, receives, maintains, or transmits onbehalf of the covered entity; (2) ensure that any agent, includinga subcontractor, to whom it provides this information agrees toimplement reasonable and appropriate safeguards;

25

Singapore – The Model for the Future?

SS 540 – Revision to TR19 (PDCA – Plan Do Check Act) – New BCM Framework 

Standard for Business Continuity / Disaster Recovery Service Providers (SS507) ‐ Singapore is the first country in the world to introduce a Standard Standard and Certification program for BC/DR service providersand Certification program for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT StandardsCommittee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up‐keeping of BC/DR services offered.

TR19 – Technical Reference 19 ‐ aims to help Singapore based enterprises build competence, capacity, resilience and readiness to respond to and recover from events that threaten to disrupt normal business operations. 

PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS – May 2008

26

China & Japan

Chinese Business Continuity Management Committee (CBCM)

– Setting Standards for Chinese

Emergency Response

Business Continuity

– Still IT Centric (Committee exists under technology directorate)

– Will Greatly Influence its “Business Partners”

Japanese Crisis Management & Prepareness Organization.   (CMPO)

Business Continuity Advancement Organization. (BCAO) 

Australia 2008‐9

Introducing 3  New Standard Handbook to Align with ISO 31000 (Risk Management Standard) – Due for Release in February 2009

– Management Standard

– Practice Standard

– Audit Standard

27

28

Standards

Uniform Commercial Code

– Preparing for foreseeable business disruption

National Institute of Standards and Technology (NIST) 

– Contingency Planning Guide for Information Technology Systems

IT Governance Institute Standards COBIT 

– Control objectives for information and related technology

29

ISO Standards and Business Continuity

ISO/TS 16949 ‐ Applicable to any supplier to automotive original equipment manufacturer

ISO 27001 (Previously Designated (ISO17799) ‐ Deals with Information Security

ISO 9001, Quality Management ‐ Record Retention and Data Availability

ISO 14001, Environmental Mgt ‐ Emergency Preparedness and Response

ISO/PAS 22399 – Societal Security ‐‐ Guideline for incident preparedness and operational continuity management

Section 6.3.2. Contingency Plans The organization shall prepare contingency plans to satisfy customer requirements in the event of an emergency such as a utility interruptions, labor shortages, key equipment failure, and field returns.

11 BUSINESS CONTINUITY MANAGEMENT11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT11.1.1 Business continuity management process11.1.2 Business continuity and impact analysis11.1.3 Writing and implementing continuity plans11.1.4 Business continuity planning framework11.1.5 Testing, maintaining and re‐assessing business continuity plans

30

Is It BCP?

Business Continuity vs. Vital Records

Foreign Corrupt Practices Act – “Make and keep records and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets.”

SEC Rule 17a ‐ Record Retention Requirements

IRS Procedure 86‐19 ‐ Requires off‐site protection, as well as documentation of computer records maintaining tax information.

European Union Privacy ‐ Data Privacy

Under the Safe Harbor, organizations that have committed to cooperate and comply with the European Data Protection Authorities (DPAs) 

PATRIOT ACT, ACH RULES, G‐L‐B, AS/NZ 4390, Records Management Standard, et. al.

31

Legal Standards

Liability of CorporationsLiability of Corporations

Liability of Corporate ExecutivesLiability of Corporate Executives

Liability to Outside PartiesLiability to Outside Parties

Standard of NegligenceStandard of Negligence

–– Standard of Care:Standard of Care:

Prudent Man DoctrinePrudent Man Doctrine

Exercise same care in managing company affairs as in managing owExercise same care in managing company affairs as in managing own n affairs.affairs.

Informed Business Judgment v. Gross NegligenceInformed Business Judgment v. Gross Negligence

32

Case Law – Legal Precedence

Blake v. Woodford Bank & Trust Co. (1977) – Foreseeable 

workload – failure to prepare 

Sun Cattle Company, Inc.vs. Miners Bank (1974) – Computer 

System  Failure – Foreseeable Computer Failure

Uniform Commercial Code – Preparing for foreseeable business 

disruption

33

Meeting the Standards

US v. Carroll Towing Co. (1947)

1. Probability of Harm (P): the chance that a damaging event will occur

2. Magnitude of Harm (M): the amount of financial damage that would occur should a disaster happen

3. Cost of Prevention (C): the price of putting in place a means of preventing the disaster’s effects

P * M = CP * M = C

34

Negligent Failure To Plan/Prepare – Liability Pandemics

2003 – Canadian Nurses who contracted SARS file suit stating that the Government was Negligent in not preparing for the second wave of the disease after the first wave was identified.

Munich Re:

American Bar Association 

35

BS25999Part 1 is an extension of PAS56Part 1 is an extension of PAS56–– GuidanceGuidance–– PrescriptivePrescriptive–– Not Performance BasedNot Performance Based

Part 2Part 2–– Certification BodyCertification Body–– SpecificationSpecification–– AuditableAuditable–– Create Ability to Demonstrate ComplianceCreate Ability to Demonstrate Compliance

Stage 1 Stage 1 –– Audit Audit –– Initial Assessment Initial Assessment –– Desktop ReviewDesktop Review‐‐ Successful Completion Required Before Moving To Stage 2Successful Completion Required Before Moving To Stage 2Stage 2 Stage 2 ‐‐Conformance Audit Conformance Audit ‐‐ Certification AuditCertification Audit‐‐ Demonstrate ImplementationDemonstrate Implementation‐‐ Failure Requires Failure Requires Corrective Action Plan  Corrective Action Plan  Which Must be Agreed UponWhich Must be Agreed Upon

Completion of Stage 1 & 2 Allows for Application to BS 25999 CerCompletion of Stage 1 & 2 Allows for Application to BS 25999 Certification Manager for tification Manager for CertificationCertification

Surveillance AuditsSurveillance Audits

(To be fair, British standard BS25999introduced "Maximum Tolerable Period of Disruption" (MTPD), another mind‐bender destined for the verbal scrap heap, as well.) 

BS25999 ‐‐UPDATE

Will be revised and included with ASIS proposed standard.  The new proposed ISO/ANSI standard will also include elements of the Dutch standard.

The ANSI PINS (Project Initiation Notification System) filing  will be reviewed by ANSI by the first week in November 2008 which ends the 30 day PINS comment period

A Technical committee will be formed to help create the standard.  The technical committee will be open to a mixture of experts SDOs, users, managers, producers, etc.

The new proposed standard may face some opposition in that there is an indication that it is in conflict with other ANSI standards

The same group concluded unanimously that there is a “compelling” reason to have this standard.

The effort to create and have the new standard approved may take anywhere from 6 months to 2 years to be approved.

36

37

PUBLIC LAW 110-53

“IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007”

TITLE IX

38

The Holy Grail or SOX for Business ContinuityThe Program Was Called For In Title IX Of "The Implementing The 9/11 Commission Recommendations Act Of 2007“ (Public Law 110‐53) Which Addresses A Diversity Of Other National Security Issues As Well. It Was Signed Into Law By The President On August 3, 2007. 

Intent – To Implement The Findings Of The 9/11 Commission

– NFPA 1600 Was Recommendation Of Commission For Standard

– DRII’s Professional Practices Are The Basis For BCP In NFPA 1600

Will It Become A “Standard”????

– Voluntary

– Non‐punitive

– Unsuccessful Attempts By Federal Government To Address Private Sector BCM 

Overcome Investments By Private Sector 

Strain On Small And Medium Sized Businesses In Supply Chain

39

a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.b. The program will be voluntary.c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.e. One or more preparedness standards can be designated. NFPA 1600 is reference by example.f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.g. Special consideration will be made for small business.h. Proprietary and confidential information is to be protected.

Title IX – 110‐53

Defining “The Standard”Process Used By Sloan Interdisciplinary Team 

– Representatives of:

ASIS, DRI International, NFPA, RIMS

Review Existing Regulations– FFIEC, NYSE, SEC, NASD

– NERC

– HIPAA

Provide “Credit” for Work Already Done

Reduce Start From Scratch Opposition

Create Core Elements for Standard 

40

Core elements are those basic components that, when implemented within an organization’s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common set of criteria for preparedness, disaster management, emergency management, and business continuity programs...." called for under the law.)

Core Elements 13 Become 81. Policy statement and management commitment  ‐ Scope, program roles, 

responsibilities, and resources

2. Risk identification, assessments and criticality impact analyses, including legal and other requirements

3. Prevention and Mitigation Evaluation and Planning

4. Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology) includes communications

5. Recovery Planning ‐May be considered to include rebuilding, repairing, and / or restoring

6. Awareness and training 

7. Exercises and testing

8. Program revision and improvement

41

42

Process Mapping

Standards Crosswalk 

NFPA 1600:2007 Standard on Disaster/ Emergency  Management and Business Continuity Programs

CSA Z1600 Standard on Emergency Management and Business Continuity Programs

DRI International Professional Practices for Business Continuity Planners

BS 25999‐2: 2007 Business Continuity Management – Part 2: Specification

ASIS International ‐ Organizational Resilience: Preparedness and Continuity Management ‐ Best Practices Standard Probably Become Part of ISO/PAS 22399

TR19:2005 Technical Reference for Business Continuity Management (BCM) includes TS507

ISO/PAS 22399:2007 Societal Security: Guidelines for Incident Preparedness and Operational Continuity Management

43

TO BE REPLACED WITH A NEW PROPOSED ANSI/ISO STANDARD UNDER DEVELOPMENT

Flexibility Within A Framework

Existing Industry Efforts– Regulations

FFIEC – NYSE – SEC – HIPAA – NERC 

– Standards 

ISO, ANSI, BSI

44

NOT Sarbanes-Oxley

45

Results

Critical Core Elements Process Standards / Best Practices

• Policy statement and management commitment• Scope, program roles, responsibilities, and resources

Program Policies and Procedures • Project scope, policy, principles and management commitment

• Risk identification, assessments and criticality impact analyses, including legal and other requirements

Analysis • Legal, statutory, regulatory and other requirements

• Risk assessment and impact analysis

• Prevention and Mitigation Evaluation and Planning• Strategic: prioritization, objectives, targets supply chain and third party dependencies• Tactical: plans for avoidance, prevention, deterrence, readiness, mitigation, response,

continuity, and recovery

Planning • Setting objectives and priorities to develop risk and incident preparedness management strategies

• Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology)

• Operational procedures and contingency plans• Communications and warning• Application and business function resiliency• Document, information and data control and backup• Execution resources, responsibilities and finances

Implementation and Operation Controls

• Developing and implementing operational and control plans, procedures and programs for preparedness, including prevention, avoidance, deterrence, readiness, preparedness, mitigation, response, continuity and recovery

• Communication and warning• Document, information and data control and

backup• Allocation of human, physical and financial

resources

• Recovery May be considered by the reader to include rebuilding, repairing, and / or restoring

Implementation and Operation Controls

• Included above under planning and implementation and operations control

• Awareness and training Implementation and Operation Controls

• Awareness, competence and training

• Exercises and testing• Post-mortem learning

Checking and Evaluation • Performance assessment and evaluation

• Program revision and improvement• Corrective actions

Review, Maintenance, Improvement • Review, maintenance, and improvement

1. DHS will designate one or more organizations to act as the accrediting body, and oversee the certification process, and to accredit qualified third parties to carry out the certification program.

2. DHS will separately designate one or more standards for assessingprivate sector preparedness.

3. DHS will provide information and promote the business case forvoluntary compliance with preparedness standards.

4. DHS will monitor the effectiveness program on an on‐going basis.

46

Process For Implementation of Title IX

47

Process For Implementation of Title IX

Appointment by DHS of Designated Officer October 1, 2007

– Ashley Moore– FEMA

Enter into Agreement for standard February 28, 2008

Marcus Pollack- FEMA

48

DHS Selects ANSI-ASQ National Accreditation Board To Support Voluntary Private Sector Preparedness Certification ProgramRelease Date: July 30, 2008 Release Number: HQ-08-148

WASHINGTON, D.C. -- The Department of Homeland Security announced today that it has signed an agreement with the ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program. This program is directed by Public Law 110-53, Implementing the Recommendations of the 9/11 Commission Act of 2007, requiring the department to establish a common set of criteria for private sector preparedness in disaster management, emergency management and business continuity. Under Title IX of the Act, the department is charged with a number of core tasks to establish the voluntary program, to include the designation of an organization to act as an accrediting body. In this role, ANAB will be responsible for overseeing the certification process, managing the accreditation, and accrediting qualified third parties to carry out certifications of private sector entities. ANAB was selected based on its experience and expertise in managing and implementing accreditation programs. As required by the Act, Homeland Security Secretary Michael Chertoff previously designated an officer within the department to be responsible for the accreditation and certification program. R. David Paulison, Administrator of the Federal Emergency Management Agency, serves as the designated officer and will chair an internal Private Sector Preparedness Council comprised of department leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection. The Private Sector Preparedness Council will focus on the remaining requirements of the Act. This includes selecting program standards, defining and promoting the business case for private sector entities to work toward voluntary certification, overseeing the program's progress, and providing regular updates to Congress.Learn more at www.fema.gov/privatesectorpreparedness

Gaining Accreditation

49

ANSI‐ANAB

Gaining Accreditation

50

ANSI‐ANAB

DHS

51

NFPA gets new DHS support - PRECURSOR TO A STANDARDS CHOICE?

The US Department of Homeland Security (DHS) has designated the National Fire Protection Association (NFPA) codes and standards development process as a ‘Qualified Anti-Terrorism Technology’ (QATT) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act). NFPA is the first standards development organization to receive this designation. Under provisions of the SAFETY Act, NFPA’s codes and standards development process was also certified as an ‘Approved Product for Homeland Security.’According to DHS, the SAFETY Act encourages the development and deployment of new and innovative anti-terrorism products and services by providing liability protections. Designation as a QATT and certification as an approved product for homeland security under the SAFETY Act provides legal protections for the NFPA codes and standards development process as applied to anti-terrorism.“NFPA is pleased to have its codes and standards development process recognized as an effective anti-terrorism technology which reflects the openness, balance and fairness NFPA strives to achieve in its voluntary codes and standards development process,” said NFPA President James M. Shannon.Federal protections under the DHS Designation and Certification are retroactive and recognize NFPA’s technology’s ‘first date of sale’ as September 11, 2001.Shannon added, “The commitment and involvement of NFPA in anti-terrorism standards predates the events of 9/11. NFPA has long been committed to making its codes and standards development process available for the creation and continual improvement of standards used to protect first responders and the public in terrorist events. We believe we have a world-class system which attracts numerous experts from diverse fields to develop codes and standards that mitigate the effects of terrorism on people and property.”All NFPA safety codes and standards are developed through a process accredited by the American National Standards Institute (ANSI). The more than 250 technical committees responsible for developing and updating all 300 codes and standards include approximately 4,000 volunteers, representing enforcing authorities, installers and maintainers, labor, research and testing laboratories, insurers, special experts, consumers and other users.NFPA was the developer of the NFPA 1600 ‘Standard on Disaster/Emergency Management and Business Continuity Programs’.

TITLE IX UPDATE – December 2008

At  ANSI – HSSP (Homeland Security Standards Panel ) ‐ DHS “unveiled” its “Voluntary Private Sector Preparedness Accreditation and Certification Program – Proposed Target Criteria for Preparedness Standard”

Internally developed and will be open for comment when DHS publishes a notice in the Federal Registry

December 24, 2008 DHS files notice for comments in the Federal Register.  “We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600)—the standard specifically mentioned in both the statute and the 9/11 Commission’s recommendation—as well as any other private sector preparedness standards submitted for adoption.”

52

53

Implications

Certification– Benefit To Passing Certification– If You Can’t Pass Don’t Start

Legal– Litigation Standard– “Voluntary Negligence”

No Teeth

Non‐Punitive

Will it meet customer requirements

What We Know Right Now

Title IX of PL 110‐53 is an unfunded effort, there are no tangible rewards; e.g., tax reductions in the form of deductions or tax credits to use as an incentive. While there are ongoing efforts to provide some insurance relief for business continuity planning, at this time no such incentives are available – Sloan Foundation Report

FEMA has been designated to lead the effort

ANSI – will oversee the certification process

‐ Manage Accreditation

‐ Accredit third parties to carry out certification 

‐ Collaborate to develop procedures and requirements for certification and accreditation 

54

Now For The Misinformation

55

Although voluntary right now, these standards could soon be federal mandates for all private industry. ‐ Not To Be Named Consulting Firm in advertising for their webinar 

Will share their best practices to meet the new "national preparedness standard" known as NFPA 1600 – Not To Be Named Consulting Firm

This voluntary program offers a number of potential benefits to the certified organization, including:

•Possible insurance premium advantages•Enhanced credit ratings•Competitive differentiation ‐ Not To Be Named Consulting Firm 

56

DHS Selects ANSI-ASQ National Accreditation Board To Support Voluntary Private Sector Preparedness Certification ProgramRelease Date: July 30, 2008 Release Number: HQ-08-148

WASHINGTON, D.C. -- The Department of Homeland Security announced today that it has signed an agreement with the ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program. This program is directed by Public Law 110-53, Implementing the Recommendations of the 9/11 Commission Act of 2007, requiring the department to establish a common set of criteria for private sector preparedness in disaster management, emergency management and business continuity. Under Title IX of the Act, the department is charged with a number of core tasks to establish the voluntary program, to include the designation of an organization to act as an accrediting body. In this role, ANAB will be responsible for overseeing the certification process, managing the accreditation, and accrediting qualified third parties to carry out certifications of private sector entities. ANAB was selected based on its experience and expertise in managing and implementing accreditation programs. As required by the Act, Homeland Security Secretary Michael Chertoff previously designated an officer within the department to be responsible for the accreditation and certification program. R. David Paulison, Administrator of the Federal Emergency Management Agency, serves as the designated officer and will chair an internal Private Sector Preparedness Council comprised of department leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection. The Private Sector Preparedness Council will focus on the remaining requirements of the Act. This includes selecting program standards, defining and promoting the business case for private sector entities to work toward voluntary certification, overseeing the program's progress, and providing regular updates to Congress.Learn more at www.fema.gov/privatesectorpreparedness

57

Assessing The Business Continuity Process

DRII Evaluates Planning Process, Implementation and Testing Across The 10 Professional Practices – MAPS TO CORE ELEMENTS

– Includes Subcategories

– Ability To Weight Each Category

Utilizes The Same Scoring As It Does For Certifying Professionals

Questions Require a Yes Or No

Recommendations Are Provided When a “No” Answer Is Provided

May Be Customized For Industry, Country Or Regulatory Considerations

Will Contribute To a Worldwide Database

Q & A

Thank You

58

Statements concerning legal matters should be understood to be general observations based solely on our experience as risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified legal advisors in these areas