October 29-30, 2012 • Hotel Pennsylvania
B5 - From Best Practice to Certification
What is stopping you?
Tim Mathews, Director, Enterprise Resiliency
Educational Testing Service
October 29, 2012, 11:30 a.m. – 12:30 a.m.
Session Overview
The recent announcement from AT&T regarding PS-Prep conformity has created a lot of interest in Business Continuity Management System (BCMS) certification.
– What is it?
– Why should you care?
– What resources and effort are required?
A recent KPMG study shows that many organizations already model their BC programs on one or more PS-Prep adopted standards – so …
– What is holding your organization back from certification?
Educational Testing Service
• Our Mission: To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and educational performance, and support education and professional development for all people worldwide.
• Our Vision: To be recognized as the global leader in providing fair and valid assessments, research and related products and services to help individuals, parents, teachers, educational institutions, businesses, governments, countries, states and school districts, as well as measurement specialists and researchers.
• Our Values: Social responsibility, equity, opportunity, and quality. We practice these values by listening to educators, parents and critics. We learn what students and the institutions they attend need. We lead in the development of products and services to help teachers teach, students learn and parents measure the intellectual progress of their children.
What is PS-Prep?
• Mandated by the “Implementing Recommendations of the 9/11 Commission Act of 2007” (Public Law 110-53)
• Directs DHS to establish a “Voluntary Private Sector Preparedness Accreditation and Certification Program” to improve private sector preparedness.
• DHS adopted standards:
– NFPA 1600, BS 25999-2, ASIS SPC.1-2009
• Key components of PS-Prep:
– Voluntary participation
– Provide a method to independently certify “preparedness” of private sector entities
– Integrate and leverage existing regulatory requirements
• ANAB accredits certifying bodies based on Rule 37
– NQA has been accredited
– Orion is in application
– BSI, Intertek and SRI have indicated intent
• AT&T is the first and only PS-Prep certified private sector entity
What is BCMS certification?
• Confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, assessment, or audit. (source = Wikipedia)
• In the context of Business Continuity Management Systems (BCMS), certification measures program conformity to an adopted industry standard. Examples: NFPA 1600, BS 25999-2, ISO 27001:2005, ASIS BCM.01-2010, COBIT 4.1, NIST SP 800-34, ITIL v3, …
• CI & KPMG 2011-2012 Global BCM Program benchmarking study noted significant use of standards as the basis of BC programs
Why should you care?
Support the Corporate Strategy
• Establish and maintain trust – enhance and preserve the Brand
• Supply chain risk management
– Your critical suppliers or customers may experience a disaster
– What do you know about their resiliency?
• Competitive advantage
– Increase or maintain margin vis-à-vis competition
– Certified BCMS is a differentiator (RFI, RFP and contract)
– Reduces the cost of internal and external audits
• SLA and scope “expectation” management
– Key customer “availability requirements” may be vague
– As PS-Prep voluntary compliance percolates through the business community, there will be a “Wal-Mart” effect
Why should you care?
Compliance and Governance
• Compliance requirements
– Industry-specific regulatory requirements
– Periodic external financial control audits
– Linkage to additional standards
– Insurability audits
– Independent client audits
• Common framework for communicating capabilities
– Business development and due diligence
– Supply chain
– Inter-company (parent and subsidiaries) training and hiring
• Integrated recovery planning and exercises with subsidiaries, key suppliers and clients
Why should you care?
Effective Risk Management
• Debt valuation and risk ratings
– S&P (and Moody’s)
• Enterprise Risk Management (ERM) added as an element of corporate ratings
• Requires that a firm address all its risks
• Operational risk is a critical element … encompassing security, resilience, etc.
– “...the extent to which companies are adopting standards would bolster the view that management has a proactive culture and attitude towards risk. However it’s too early to know what weight would be placed on that evidence.”
– Firms must show they are addressing risks in a systematic manner
• Tort negligence: industry standards inform prudent practice and “affirmative defense.”
– ’93 WTC bombing decision
– Port Authority found more liable than the terrorists ($100M)
Supply chain diagram (SLA: “Supplier shall deliver services within 48 hours”):
– ETS: 3rd party certification
– Reading Services: SDOC (supplier declaration of conformity)
– Hotel A: SDOC
– Hotel B: “trusted partner”
– Scoring Services: “trusted partner”
– Printer: SDOC
Your supply “chain is only as strong as its weakest link.”
Regulations? Best Practices? Standards?
Summary of Resiliency Elements
Charts (scores on a 0.00–3.00 scale), Summary of Resiliency Elements, by element: Enterprise Resiliency Goals; BC/DR Governance & Compliance; Continuity & Resumption; IT Redundancy & Recovery; Facilities Safety, Security & Dependability; Information Management & Protection; Reliability Requirements & Strategies; Organizational Command & Control.
– Baseline 2004: Resiliency Quotient = 1.75
– Updated 2005/6: Resiliency Quotient = 2.07
– Updated 2007: Resiliency Quotient = 2.41
– Updated 2008: Resiliency Quotient = 2.64
Chart: Resiliency Quotient trend (Less Resilient 1.00 → More Resilient 3.00): Baseline 1.75; 2005/6 2.07; 2007 2.41; 2008 2.64.
Chart: BS 25999-1 View (Code of Practice), elements: BCM Program Management; Understanding the Organization; Determining BCM Strategy; Developing & Implementing the Response; Exercising, Maintaining & Reviewing; Embedding BCM in the Culture. Composite Score 2.54.
Chart: BS 25999-2 View (Measurement Against Specifications), elements: Establish & Manage; Embed in the Culture; Documentation & Records; Understand the Organization; Determine the Strategy; Develop & Implement; Exercise & Maintain; Internal Audit; Management Review; Preventive & Corrective Actions; Continual Improvement. Composite Score 2.58.
Chart: NFPA 1600 View, elements: Program Management; Laws & Authorities; Risk Assessment; Incident Prevention; Mitigation; Resource Management & Logistics; Mutual Aid & Assistance; Planning; Incident Management; Communications & Warning; Operational Procedures; Facilities; Training; Exercises, Evaluations & Corrective Actions; Crisis Communication & Public Information; Finance & Administration. Composite Score 2.50.
Why BS 25999-2?
• Accepted standard that establishes the process, principles and terminology of business continuity management
• BS 25999-1 Code of Practice – provides guidance and recommendations
• BS 25999-2 Detailed Specification – meets the published DHS criteria
• Provides a scalable, non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities
• Enterprise Resiliency program aligned well to the standard
• Gaps were straightforward to implement
• 3rd party certification is available
BS 25999-2 Certification Process
Standard (Criteria) + Assessment (Evidence) = Certification
Steps: Research → Self-assessment → Pre-assessment → Stage 1 audit → Stage 2 audit → Remediation → Surveillance
Supporting activities shown on the slide:
– Industry practices; peer discussion
– Online self-assessment against Part 1 (Code of Practice) and Part 2 (Specification)
– Review policy and SOP
– Risk assessments and internal audit
– Review BIA, BCP, TDRPs and ERP
– Demonstrate compliance with the specification
– Address any non-conformities
– Refresh program; demonstrate on-going compliance with the specification
BS 25999-2 Certification Timeline
Standard (Criteria) + Assessment (Evidence) = Certification
Steps: Research → Self-assessment → Pre-assessment → Stage 1 audit → Stage 2 audit → Remediation → Surveillance
Durations shown on the slide: 3 months; 1 month; 4 months (4/08 – 8/08); 7 months (9/08 – 4/09); 2 days; 2 days; 10 days; 2 months; annual recurring; 5 days; 8 weeks
Re-tooling = ½ FTE additional labor
Resources and Effort – Incremental Cost of Certification
Chart: incremental cost ($) versus BCMS maturity
– Registration fees + audit days (based on scope)
– Re-tool or augment current BC program to conform
What is stopping you from certifying your BCMS?