Session03-BCCS

Date post: 09-Apr-2018
8/8/2019 Session03-BCCS

Slide 2 (5/19/08)

Level Setting Definitions

Standards (Source: International Standards Organization - ISO): Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

Regulations (Source: Georgetown Law School): A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."

Best Practices (Source: BusinessDictionary.com): Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for.

There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things.


Regulations, Best Practices & Standards

Regulatory (US)
FFIEC - Federal Financial Institutions Examination Council
OCC - Office of the Comptroller of the Currency
FINRA - The Financial Industry Regulatory Authority
SEC - Securities and Exchange Commission
HIPAA - Health Insurance Portability and Accountability Act
SOX - Sarbanes-Oxley
+ Others

Regulatory (International)
FSA - Financial Services Authority (UK)
MAS - Monetary Authority of Singapore
Basel II - G10 Countries (Basel, Switzerland, June 2004)


Regulations, Best Practices & Standards

Best Practices
ASIS International - Preparedness & Continuity Management Best Practice Standard
DRII/BCI - Professional Practices for Business Continuity Planners
BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
DRJ/DRII - Generally Accepted Practices (GAP)
Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)


Regulations, Best Practices & Standards

Standards
NFPA 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs (ANSI/US)
BS 25999 - Business Continuity Management (BSI/UK)
    -1 Code of Practice
    -2 Specification
ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International)
Title IX PL 110-53 - Voluntary Certification against yet to be Announced Standards (US)
ISO 24762 - Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
HB 292:2006 - A Practitioners Guide to Business Continuity Management (Australia)
CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada)
TR 19:2004 - BCM Framework & Technical Reference (Singapore)
SI 24001:2007 - Security & Continuity Management Systems (Israel)


Recent Events

July 2008
Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999
BSI Certification Status: 22 firms certified worldwide, 160 active applications
S&P announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)

August 2008
BS 25777 introduced - Code of Practice for Information and Communications Technology Continuity; similar to ISO 24762 Guide for ICT and DR
DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the implementation and accreditation of Title IX


Recent Events (contd)

August 2008 (contd)
ASIS announces plans for a new US Business Continuity and Risk standard; solicits the support of the ANSI organization
ASIS is an ANSI accredited Standards Development Organization (SDO)
DRII protests and rallies others to do the same
Carnegie Mellon CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published

October 2008
ANSI Homeland Security Standards Panel discussion; subject was Public Law 110-53 Title IX voluntary standards
ASIS hosted stakeholder deliberation meeting and then re-affirms its direction in developing a new ANSI standard


BS25999: A Case Study
Tuesday, March 17, 2009

Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service


Today's agenda:
Why pursue a standard?
Why BS 25999?
What is the process?
What have we learned?


Why pursue a standard?

Support the Corporate Strategy
Establish and maintain trust; enhance and preserve the Brand
Supply chain risk management: critical vendors and suppliers may experience a disaster. What do we know about their resiliency?
Competitive advantage may increase or maintain margin vis-à-vis competition
Certified BCMS is a differentiator (RFI, RFP and Contract)
May reduce the burdens of internal and external audits from your key customers
SLA and scope expectation management: key customers are vague
As DHS voluntary compliance percolates through the business community, there will be a Wal-Mart effect
Training and knowledge transfer


Why pursue a standard?

Effective Risk Management
Debt valuation and risk ratings: S&P (and Moody's)
Enterprise Risk Management (ERM) will be added as an element of all corporate ratings
Requires that a firm address all its risks
Operational risk is a critical element encompassing security, resilience, etc.
"...the extent to which companies are adopting standards would bolster the view that management has a proactive culture and attitude towards risk. However, it's too early to know what weight we'd place on that evidence."
Firms must show they are addressing risks in a systematic manner
Tort Negligence: Industry standards inform prudent practice and affirmative defense. '93 WTC bombing decision: Port Authority held more liable than terrorists ($100M)


Why pursue a standard?

Compliance and Governance
DHS voluntary mandate - Title IX
Various compliance requirements: Regulatory; Periodic external financial control audits; Insurability audits; Independent client audits
Common framework for communication of capabilities: Business development; Supply chain; Inter-company (parent and subs)
Integrated recovery planning and exercises (with subs, key suppliers and clients)
Leverage plan development and maintenance activities


Why BS 25999?

Accepted Standard that establishes the process, principles and terminology of business continuity management (BCM)
BS 25999-1 Code of Practice provides guidance and recommendations
BS 25999-2 Detailed Specification appears to meet or exceed the published DHS criteria
Provides a non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities
ETS Enterprise Resiliency program aligned well to the standard
Gaps were straightforward to implement


BS25999-2 Certification Timeline

Standard (Criteria) + Assessment (Evidence) = Certification

[Timeline chart: phases Research, Self-assessment, Pre-assessment, Stage 1 audit, Stage 2 audit, Remediation, Surveillance; durations shown on the chart: 3 months, 1 month, 4 months (4/08 - 8/08), 7 months (9/08 - 4/09), 2 days, 2 days, 10 days, 2 months, annual recurring, 2 days, 6 weeks]


Lessons Learned

A really good and effective BC program does not necessarily meet the standard
Learn "standards speak": shall = will
Do what you say you do; write it down!
BC/DR planning software may introduce a document management gap
Internal Audit is not an Internal Audit
You cannot dance around the Maximum Tolerable Period of Disruption (MTOTB)
Risk Assessment must be part of your program
Who needs a CAPA?
Light on the Technology aspects of recovery planning
Dot the i's and cross the t's; the devil is in the details!


Presented by Karen Hughes
Director of Homeland Security Standards
March 17, 2009
Flagg Management Conference

Flagg Management Conference, March 17, 2009, Slide 20

Agenda
ANSI-HSSP Overview
Title IX Program
Trajectory of ISO/PAS 22399
Business Case for Certification


ANSI-Homeland Security Standards Panel

Mission: Identify and facilitate the development and enhancement of homeland security standards
Serve as private/public sector partnership for standards issues that cut cross-sector
Provide a forum for information sharing on homeland security standards issues, as well as the overall standards development and conformity assessment processes
Facilitate dialogue and networking on key issues for homeland security stakeholders


Voluntary Private Sector Preparedness Accreditation & Certification Program

Goal: Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment

Background: Mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to establish a common set of criteria for private sector preparedness


Voluntary Private Sector Preparedness Accreditation & Certification Program

Key Guiding Principles
Participation is voluntary
Provide method to independently certify preparedness of private sector entities
Administered by non-government entity (ANAB)
DHS designation of one or more standards to be used in assessing private sector preparedness
Incorporate existing regulatory requirements and existing efforts
Certification of private sector entities will be performed by non-government certifying bodies


Voluntary Private Sector Preparedness Accreditation & Certification Program

Possible Standards
International: ISO 22399, ISO 22301
National: NFPA 1600 (USA), BS 25999 (UK), CSA Z1600 (Canada)


ISO/PAS 22399:2007

ISO/TC 223 Societal Security
Scope: International standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, amongst all interested parties.
Structure:
WG 1 Framework standard on societal security management
WG 2 Terminology
WG 3 Command and control, coordination and cooperation
WG 4 Preparedness and continuity
Membership: Participating countries: 37; Observing countries: 17


ISO/PAS 22399:2007

ISO/TC 223 Work Program
ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management

Next Steps:
Development of ISO 22301 Management system standard focused on preparedness and continuity management
Conversion of ISO 22399 from PAS to Draft International Standard as a guide to ISO 22301


InterCEP

International Center for Enterprise Preparedness
Catalyst focused on Private Sector Preparedness & Corporate Resilience
Working Groups: Supply Chain Management; Legal Liability Mitigation; Insurance Acknowledgement; Rating Agency Acknowledgement; Online Clearinghouse of information


Business Case for Certification

According to the Institute for Business & Home Safety, an estimated 25% of businesses do not reopen following a major disaster.

Compliance with preparedness standards can:
Minimize impact of business disruptions
Reduce overall costs
Enhance corporate reputation
Employee protection
Link between good practice/standards (what to do) and benefits (why to do it)


Further Information

For additional information about:
ANSI: www.ansi.org/hssp
ANAB: www.anab.org
InterCEP: www.nyu.edu/intercep
PS-Prep: www.fema.gov/business/certification/index.htm
ISO: www.iso.org
HSSD: www.hssd.us/

Questions can be directed to:
Karen Hughes
Program Director, Homeland Security Standards
([email protected]; 212-642-4992)

