8/8/2019 Session03-BCCS
2 5/19/08
Level Setting Definitions

Standards (Source: International Standards Organization - ISO)
Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

Regulations (Source: Georgetown Law School)
A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."

Best Practices (Source: BusinessDictionary.com)
Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things.
Regulations, Best Practices & Standards

Regulatory (US)
- FFIEC - Federal Financial Institutions Examination Council
- OCC - Office of the Comptroller of the Currency
- FINRA - The Financial Industry Regulatory Authority
- SEC - Securities and Exchange Commission
- HIPAA - Health Insurance Portability and Accountability Act
- SOX - Sarbanes-Oxley
- + Others

Regulatory (International)
- FSA - Financial Services Authority (UK)
- MAS - Monetary Authority of Singapore
- Basel II - G10 Countries (Basel, Switzerland, June 2004)
Regulations, Best Practices & Standards

Best Practices
- ASIS International - Preparedness & Continuity Management Best Practice Standard
- DRII/BCI - Professional Practices for Business Continuity Planners
- BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
- DRJ/DRII - Generally Accepted Practices (GAP)
- Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)
Regulations, Best Practices & Standards

Standards
- NFPA 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs (ANSI/US)
- BS 25999 - Business Continuity Management (BSI/UK)
  - Part 1: Code of Practice
  - Part 2: Specification
- ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International)
- Title IX, PL 110-53 - Voluntary Certification against yet to be Announced Standards (US)
- ISO 24762 - Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
- HB 292:2006 - A Practitioners Guide to Business Continuity Management (Australia)
- CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada)
- TR 19:2004 - BCM Framework & Technical Reference (Singapore)
- SI 24001:2007 - Security & Continuity Management Systems (Israel)
Recent Events

July 2008
- Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999
- BSI Certification Status: 22 firms certified worldwide; 160 active applications
- S&P announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)

August 2008
- BS 25777 introduced: Code of Practice for Information and Communications Technology Continuity; similar to ISO 24762 Guide for ICT and DR
- DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the implementation and accreditation of Title IX
Recent Events (contd)

August 2008 (contd)
- ASIS announces plans for a new US Business Continuity and Risk standard; solicits the support of the ANSI organization
  - ASIS is an ANSI accredited Standards Development Organization (SDO)
- DRII protests and rallies others to do the same
- Carnegie Mellon CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published

October 2008
- ANSI Homeland Security Standards Panel discussion; subject was Public Law 110-53 Title IX voluntary standards
- ASIS hosted stakeholder deliberation meeting and then re-affirms its direction in developing a new ANSI standard
BS 25999: A Case Study
Tuesday, March 17, 2009

Tim Mathews
Director, Enterprise Resiliency
Educational Testing Service
Today's agenda:
- Why pursue a standard?
- Why BS 25999?
- What is the process?
- What have we learned?
Why pursue a standard?

Support the Corporate Strategy
- Establish and maintain trust: enhance and preserve the Brand
- Supply chain risk management: critical vendors and suppliers may experience a disaster. What do we know about their resiliency?
- Competitive advantage: may increase or maintain margin vis-à-vis competition
  - Certified BCMS is a differentiator (RFI, RFP and Contract)
  - May reduce the burdens of internal and external audits from your key customers
- SLA and scope expectation management: key customers are vague
- As DHS voluntary compliance percolates through the business community, there will be a Wal-Mart effect
- Training and knowledge transfer
Why pursue a standard?

Effective Risk Management
- Debt valuation and risk ratings: S&P (and Moody's)
  - Enterprise Risk Management (ERM) will be added as an element of all corporate ratings
  - Requires that a firm address all its risks
  - Operational risk is a critical element encompassing security, resilience, etc.
  - "...the extent to which companies are adopting standards would bolster the view that management has a proactive culture and attitude towards risk. However it's too early to know what weight we'd place on that evidence."
- Firms must show they are addressing risks in a systematic manner
- Tort Negligence: industry standards inform prudent practice and affirmative defense
  - '93 WTC bombing decision: Port Authority held more liable than terrorists ($100M)
Why pursue a standard?

Compliance and Governance
- DHS voluntary mandate - Title IX
- Various compliance requirements: regulatory; periodic external financial control audits; insurability audits; independent client audits
- Common framework for communication of capabilities: business development; supply chain; inter-company (parent and subs)
- Integrated recovery planning and exercises (with subs, key suppliers and clients)
- Leverage plan development and maintenance activities
Why BS 25999?
- Accepted Standard that establishes the process, principles and terminology of business continuity management (BCM)
- BS 25999-1 Code of Practice provides guidance and recommendations
- BS 25999-2 Detailed Specification appears to meet or exceed the published DHS criteria
- Provides a non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities
- ETS Enterprise Resiliency program aligned well to the standard
- Gaps were straightforward to implement
BS 25999-2 Certification Timeline

Standard (Criteria) + Assessment (Evidence) = Certification

[Timeline figure. Phases shown, in order: Research, Self-assessment, Pre-assessment, Stage 1 audit, Stage 2 audit, Remediation, Surveillance (annual recurring). Duration labels on the figure, in the order they appear: 3 months, 1 month, 4 months (4/08 to 8/08), 7 months (9/08 to 4/09), 2 days, 2 days, 10 days, 2 months, 2 days, 6 weeks.]
Lessons Learned
- A really good and effective BC program does not necessarily meet the standard
- Learn "standards speak": shall = will
- Do what you say you do: write it down!
- BC/DR planning software may introduce a document management gap
- Internal Audit is not an Internal Audit
- You cannot dance around the Maximum Tolerable Period of Disruption (MTOTB)
- Risk Assessment must be part of your program
- Who needs a CAPA?
- Light on the Technology aspects of recovery planning
- Dot the i's and cross the t's: the devil is in the details!
Presented by Karen Hughes
Director of Homeland Security Standards
March 17, 2009
Flagg Management Conference
Agenda
- ANSI-HSSP Overview
- Title IX Program
- Trajectory of ISO/PAS 22399
- Business Case for Certification
ANSI-Homeland Security Standards Panel

Mission:
- Identify and facilitate the development and enhancement of homeland security standards
- Serve as private/public sector partnership for standards issues that cut cross-sector
- Provide a forum for information sharing on homeland security standards issues, as well as the overall standards development and conformity assessment processes
- Facilitate dialogue and networking on key issues for homeland security stakeholders
Voluntary Private Sector Preparedness Accreditation & Certification Program

Goal
Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment.

Background
Mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to establish a common set of criteria for private sector preparedness.
Voluntary Private Sector Preparedness Accreditation & Certification Program

Key Guiding Principles
- Participation is voluntary
- Provide method to independently certify preparedness of private sector entities
- Administered by non-government entity (ANAB)
- DHS designation of one or more standards to be used in assessing private sector preparedness
- Incorporate existing regulatory requirements and existing efforts
- Certification of private sector entities will be performed by non-government certifying bodies
Voluntary Private Sector Preparedness Accreditation & Certification Program

Possible Standards

International
- ISO 22399
- ISO 22301

National
- NFPA 1600 (USA)
- BS 25999 (UK)
- CSA Z1600 (Canada)
ISO/PAS 22399:2007

ISO/TC 223 Societal Security

Scope
International standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, amongst all interested parties.

Structure
- WG 1 Framework standard on societal security management
- WG 2 Terminology
- WG 3 Command and control, coordination and cooperation
- WG 4 Preparedness and continuity

Membership
- Participating countries: 37
- Observing countries: 17
ISO/PAS 22399:2007

ISO/TC 223 Work Program
- ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management

Next Steps:
- Development of ISO 22301: Management system standard focused on preparedness and continuity management
- Conversion of ISO 22399 from PAS to Draft International Standard as a guide to ISO 22301
InterCEP

International Center for Enterprise Preparedness
Catalyst focused on Private Sector Preparedness & Corporate Resilience

Working Groups
- Supply Chain Management
- Legal Liability Mitigation
- Insurance Acknowledgement
- Rating Agency Acknowledgement
- Online Clearinghouse of information
Business Case for Certification

According to the Institute for Business & Home Safety, an estimated 25% of businesses do not reopen following a major disaster.

Compliance with preparedness standards can:
- Minimize impact of business disruptions
- Reduce overall costs
- Enhance corporate reputation
- Employee protection
- Link between good practice/standards (what to do) and benefits (why to do it)
Further Information

For additional information about:
- ANSI: www.ansi.org/hssp
- ANAB: www.anab.org
- InterCEP: www.nyu.edu/intercep
- PS-Prep: www.fema.gov/business/certification/index.htm
- ISO: www.iso.org
- HSSD: www.hssd.us/

Questions can be directed to:
Karen Hughes
Program Director, Homeland Security Standards
([email protected]; 212-642-4992)