examining the regulatory landscape
TRANSCRIPT
Examining the Regulatory LandscapeExamining the Regulatory Landscape
Al BermanAl BermanDRI InternationalDRI International
Disaster Recovery Information ExchangeToronto Chapter
Disaster Recovery Information ExchangeToronto Chapter
15 September 200915 September 2009
DRI International – Who Are We?
� A Non-Profit Organization Committed to:
– Promoting a base of common knowledge for the continuity management industry
– Certifying qualified individuals in the discipline of Business Continuity
– Promoting the credibility and professionalism of certified individuals
� Celebrating out Twentieth Anniversary in 2008.
� The Industry’s Premier Education and Certification Program Body
• DRII has Certified INDIVIDUALS in over 90 Countries.
• DRII conducts training courses in over 40 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 active individuals as of 2008)
• DRII Certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italianand Korean early next year)
DRI International – Who Are We?
4
Consumer Credit Protection ActConsumer Credit Protection Act
OMB Circular AOMB Circular A--130130
FEMA Guidance DocumentFEMA Guidance Document
Paperwork Reduction ActPaperwork Reduction Act
ISO 27002 (Previously ISO17799)ISO 27002 (Previously ISO17799)
FFIEC BCP HandbookFFIEC BCP Handbook
Computer Security ActComputer Security Act
12 CFR Part 1812 CFR Part 18
Presidential Decision Directive 67Presidential Decision Directive 67
FDA Guidance on Computerized SystemsFDA Guidance on Computerized Systems
used in Clinical Trialsused in Clinical Trials
ANSI/NFPA Standard 1600ANSI/NFPA Standard 1600
Turnbull Report (UK)Turnbull Report (UK)
ANAO Best Practice Guide (Australia)ANAO Best Practice Guide (Australia)
SEC Rule 17 aSEC Rule 17 a--44
FEMA FPC 65FEMA FPC 65
CARCAR
JHACOJHACO
SarbanesSarbanes--Oxley Act of 2002Oxley Act of 2002
HIPAA, Final Security RuleHIPAA, Final Security Rule
FFIEC BCP Handbook FFIEC BCP Handbook --2003/ 20082003/ 2008
Fair Credit Reporting ActFair Credit Reporting Act
NASD Rule 3510NASD Rule 3510
NERC Security GuidelinesNERC Security Guidelines
FERC Security StandardsFERC Security Standards
NAIC Standard on BCPNAIC Standard on BCP
NIST Contingency Planning GuideNIST Contingency Planning Guide
FRBFRB--OCCOCC--SEC Guidelines for SEC Guidelines for
Strengthening the Resilience of USStrengthening the Resilience of US
Financial SystemFinancial System
NYSE Rule 446NYSE Rule 446
California SB 1386California SB 1386
Australia Standards BCM HandbookAustralia Standards BCM Handbook
GAO Potential Terrorist AttacksGAO Potential Terrorist Attacks
GuidelineGuideline
Federal and Legislative BC Federal and Legislative BC
Requirements for IRSRequirements for IRS
Basel Capital AccordBasel Capital Accord
MAS Proposed BCP Guidelines MAS Proposed BCP Guidelines
(Singapore)(Singapore)
NFA Compliance Rule 2NFA Compliance Rule 2--3838
FSA Handbook (UK)FSA Handbook (UK)
BCI Standard, PAS 56 (UK)BCI Standard, PAS 56 (UK)
Civil Contingencies Bill (UK)Civil Contingencies Bill (UK)
PostPost --9/119/11
PrePre--9/119/11
1991 - 2001 2002 -------------------------------------------------------2009
FPC 65FPC 65NYS Circular Letter 7NYS Circular Letter 7
ASISASISState of NY FIRM White Paper on CPState of NY FIRM White Paper on CPNISCC Good Practices (Telecomm)NISCC Good Practices (Telecomm)
Australian Prudential Standard on BCMAustralian Prudential Standard on BCMHB221HB221HB292HB292HB 293HB 293BS25999BS25999
SS507 SS507 –– SS540SS540TR19TR19
CA Z1600CA Z1600ISO/PAS 22399ISO/PAS 22399
DRIIDRII
Title IX Title IX –– 110110--53 53
Standards and Regulations Grow
5
BCP Standards for Financial Institutions
� Federal Financial Institutions Examination Council (FFIEC) BCP Handbook
– Business continuity planning is about maintaining, resuming, and
recovering the business, not just the recovery of the technology .
– The planning process should be conducted on an ente rprise-wide basis.
– A thorough business impact analysis and risk assess ment are the
foundation of an effective BCP.
– The effectiveness of a BCP can only be validated th rough testing or
practical application.
– The BCP and test results should be subjected to an independent audit
and reviewed by the board of directors.
– A BCP should be periodically updated to reflect and respond to changes
in the financial institution or its service provide r(s).
not just the recovery of the technology
6
BCP Standards for Financial Institutions
� NASD Rule 3510Rule 3510 will require a business continuity plan t hat addressesRule 3510 will require a business continuity plan t hat addresses , at a , at a
minimum:minimum:
– Data back-up and recovery (hard copy and electronic)
– Mission critical systems
– Financial and operational assessments
– Alternate communications between customers and the firm
– Alternate communications between the firm and its employees
– Business constituent, bank and counter-party impact
– Regulatory reporting
– Communications with regulators
7
BCP Standards for Financial Institutions
� NYSE Rule 446
� National Association of Insurance Commissioners (NAIC)
� National Futures Association Compliance Rule 2-38
(a) Each Member must establish and maintain a written business continuity and disaster written business continuity and disaster
recoveryrecovery planplan that outlines procedures to be followed in the event of an emergency or
significant business disruption. The plan shall be reasonably designed to enable the Member to
continue operating, to reestablish operations, or to transfer its business to another Member
with minimal disruption to its customers, other Members, and the commodity futures markets.
(a) Members and member organizations must develop and maintain a written business continuitywritten business continuity
and contingency plan establishing procedures to be followed in the event of an emergency or
significant business disruption. Members and member organizations must make such plan available
to the Exchange upon request.
(b) Members and member organizations must conduct a yearly reviewyearly review of their business continuity
and contingency plan to determine whether any modifications are necessary in light of changes to
the member's or member organization's operations, structure, business or location.
8
BCP Standards for Financial Institutions
� Electronic Funds Transfer Act - held that banks were liable for actual
damages caused by failing to transfer funds in a timely fashion. This required
the establishment of contingency plans to meet the standard of “reasonable”
standard of care (the care that a reasonable man would exercise under the (the care that a reasonable man would exercise under the
circumstances; the standard for determining legal duty.)circumstances; the standard for determining legal duty.)
� Basel Committee’s Capital Accords and Sound Practices for the Management
and Supervision of Operational Risk - “Banks should have in place
contingency and business continuity plans to ensure their ability to operate
on an ongoing basis and limit losses in the event of severe business
disruption.” – Seventh Principle in Sound Practices for Management and
Supervision of Operational Risk
� Reserve Bank of India - Operational Risk Management - Business Continuity
Planning - Business Continuity planning is a key pre-requisite for minimising
the adverse effects of one of the important areas of operational risk –
business disruption and system failures.
FINRA (Financial Industry Regulatory Authority)Business Continuity Planning
� NASD Rules 3510 and 3520 require firms to create and maintain
business continuity plans (BCP) to use in the event of a
significant business disruption.
� Rule filings associated with Business Continuity Planning (SR-
NASD-2002-108)
� FINRA’s Business Continuity Plan
� Small Firm Emergency Partner Program: A Voluntary Addition to a Firm's
BCP
� Securities and Exchange Commission / Board of Governors of
the Federal Reserve System / Office of the Comptroller of the
Currency Joint White Paper on Business Continuity Planning
� The Disaster Recovery Institute
Business Continuity Planning
� NASD Rules 3510 and 3520 require firms to create and maintain
business continuity plans (BCP) to use in the event of a
significant business disruption.
� Rule filings associated with Business Continuity Planning (SR-
NASD-2002-108)
� FINRA’s Business Continuity Plan
� Small Firm Emergency Partner Program: A Voluntary Addition to a Firm's
BCP
� Securities and Exchange Commission / Board of Governors of
the Federal Reserve System / Office of the Comptroller of the
Currency Joint White Paper on Business Continuity Planning
� The Disaster Recovery Institute9
Canadian Financial Services
� Investment Dealers Association of Canada By-Law No. 17.19 -
Business Continuity Plan Requirement – June 2004
– Presents comparison to US and UK
10
11
BCP Standards for Insurance Companies
� NYS Circular Letter 7
– Board of Directors support
– Training and education
– Scenario based and operational plans
– Testing and communications plans
– Annual updates and changes submitted to the Department,
starting on June 1, 2005
12
NOT JUST IT
� United States
FFIEC FFIEC –– March 2008March 2008
– “Business continuity planning is about maintaining, resuming,
and recovering the business, not just the recovery of the
technology .” “The planning process should be conducted on
an enterprise-wide basis”.
13
NOT JUST IT
� Singapore
Monetary Authority of Singapore – June 2003
– “Business Continuity Management (“BCM”) is an over-arching
framework that aims to minimise the impact to businesses due to
operational disruptions. It not only addresses the restoration of
information technology (“IT”) infrastructure , but also focuses on
the rapid recovery and resumption of critical business functions for
the fulfilment of business obligations.”
14
NOT JUST IT
� Australia
Australian Prudential Standard Australian Prudential Standard –– April 2005April 2005
– “Business continuity management (BCM) describes
a whole of business approach to ensure critical business functions
can be maintained, or restored in a timely fashion”
15
BCP Standards for the Healthcare/Life Science Industries
� Health Insurance Portability and Accountability Act of 1996 (HIPAA), Final Security Rule
7. Contingency Plan (§ 164.308(a)(7)(i))
We proposed that a contingency plan must be in effect for responding to
system emergencies. The plan would include an applications and data The plan would include an applications and data
criticality analysis, a data backup plan, a disaster recovery plcriticality analysis, a data backup plan, a disaster recovery plan, an an, an
emergency mode operation plan, and testing and revision proceduremergency mode operation plan, and testing and revision procedures.es.
In this final rule, we make the implementation specifications for testing and
revision procedures and an applications and data criticality analysis
addressable, but otherwise require that the contingency features proposed be
met.
16
HIPAA BCP REQUIREMENTS
Contingency Plan
164.308(a)(7) Data Backup Plan
(R)
Disaster Recovery Plan
(R)
Emergency Mode Operation Plan
(R)
Testing and Revision Procedure
(A)
Applications and Data Criticality Analysis
(A)
Is it enough ????Is it enough ????Is it enough ????Is it enough ????
•State privacy laws are NOT preempted by federal privacy rules, unless there is a
direct conflict
•If state law is “more stringent,” or covers an area not covered by federal rules,
state law controls
BCP Standards for the Healthcare
� HITITECH Act of 2009 – Health Information Technology for
Economic and Clinical Health – 2/17/2009 - Guidance
� A nationwide interoperable, privacy-protected health
information technology infrastructure as called for in the
American Recovery and Reinvestment Act
– Use a “certified” Electronic Health Record (HER) – Definition may be
supplied by Certification Commission for Healthcare Information
Technology (CCHIT)
– Demonstrate “meaningful use” of an EHR:
� Defined By HHS
� Use e-Prescribing
� Electronically exchange information
� Submit clinical quality measures
18
BCP Standards for the Healthcare/Life Science Industries
� FDA’s GxP: Good Practices
� FDA Guidance on Computerized Systems in Clinical Trials
IX. SYSTEM CONTROLS
B. Contingency Plans
Written procedures should describe contingency plans for continuing the study by alternate by alternate
means in the event of failure of the computerized systemmeans in the event of failure of the computerized system..
C. Backup and Recovery of Electronic Records
Backup and recovery procedures should be clearly outlined in the SOPs and be sufficient to
protect against data loss. Records should be backed up regularly in a way that would prevent a
catastrophic loss and ensure the quality and integrity of the data.
Manufacturing
Laboratory
Clinical
19
BCP Standards for the Energy Industry
� Federal Electric Reliability Council’s (FERC) Secur ity Standards for Electric Market Participants, July 20 02
� North American Electric Reliability Council’s (NERC ) Security Guidelines for the Electricity Sector, Jun e 2002
Business Continuity:
Every participant operating a critical electric resource shall have contingency planscritical electric resource shall have contingency plans that define roles,
responsibilities and actions for protecting the rest of the electric grid and market from the failure of its
own critical resources. Those plans should further define the roles, responsibilities and actions needed
to quickly recover or reestablish electric grid and market functions, processes and systems, in the event
that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or
exercised regularly.
Continuity of Business Processes:Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations
when interruptions occur. Consider flexible plans that address key areas such as telecommunicationsflexible plans that address key areas such as telecommunications, ,
information technology, customer service centers, facilities secinformation technology, customer service centers, facilities security, operations, generation, power urity, operations, generation, power
delivery, customer remittance and payroll processesdelivery, customer remittance and payroll processes.. It is useful to revise and test plans on a regular
basis. It also is advisable to train personnel so they fully understand their roles with respect to the
plans.
20
Cross-Industry BCP Standards
� Sarbanes-Oxley Act of 2002SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report
required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or
78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal
control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the
effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTINGINTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that prepares or
issues the audit report for the issuer shall attest to, and report on, the assessment made by the
management of the issuer. An attestation made under this subsection shall be made in
accordance with standards for attestation engagements issued or adopted by the Board. Any
such attestation shall not be the subject of a separate engagement.
IS THERE BCP IN SARBANES-OXLEY????
21
Is There BCP in Sarbanes-Oxley?
� PCAOB (Public Company Accounting Oversight Board)
NO“Furthermore, management's plans that could potenti ally affect financial reporting in future periods are no t controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data.
Therefore, a company's business continuity or Therefore, a company's business continuity or contingency planning is not part of internal contro l over contingency planning is not part of internal contro l over financial reporting."financial reporting."
23
Municipal Governments
“Therefore, I have ordered the Department of Homeland Security
to undertake an immediate review, in cooperation with local
counterparts, of emergency plans in every major city in
America.”
President Bush 9/15/05
24
� Continuity of Operations (COOP)
� Continuity of Government (COG)
� FEMA Federal Preparedness Circular (FPC) 65
–Originally Issued – June 1999 – James Lee Witt
–Revised – June 2004 – Michael Brown
Municipal Governments
25
Rating COOP Compliance FEMA 65 Crosswalk
A. Plans and Procedures B. Essential Functions C. Delegations of Authority D. Orders of Succession E. Alternate Operating Facilities F. Interoperable Communications G. Vital Files, Records and Databases H. Human Capital I. Test, Training and Exercise Program J. Devolution of Control and Direction K. Reconstitution Operations L. Agency Head Responsibilities
26
Are They A Client?
� FFIEC – Appendix E - Interdependencies
-THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS
--outsourcing information, transaction processing, and settlement outsourcing information, transaction processing, and settlement
activities activities
-Institutions should review and understand service providers'
BCPs and ensure critical services can be restored within
acceptable timeframes based upon the needs of the institution
- If possible the institution should consider participating in their
provider’s testing process.
HOW FAR DOES THIS EXTEND?????
27
Are They A Client?
� HIPAA – Business Associate (aka Chain of Trust)
–the business associate must--(1) implement safeguards that reasonably and appropriately protect the confidentiality,integrity, and availability of the electronic protected healthinformation that it creates, receives, maintains, or transmits onbehalf of the covered entity; (2) ensure that any agent, includinga subcontractor, to whom it provides this information agrees toimplement reasonable and appropriate safeguards;
28
Singapore – The Model for the Future?
� SS 540 – Revision to TR19 (PDCA – Plan Do Check Act) – New BCM Framework
� Standard for Business Continuity / Disaster Recovery Service Providers (SS507) - Singapore is the first country in the world to introduce a Standard Standard and Certification program for BC/DR service providersand Certification program for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT StandardsCommittee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered.
� TR19 – Technical Reference 19 - aims to help Singapore based enterprises build competence, capacity, resilience and readiness to respond to and recover from events that threaten to disrupt normal business operations.
� PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX
MEMBERS – May 2008
29
China & Japan
� Chinese Business Continuity Management Committee (CBCM)
– Setting Standards for Chinese
� Emergency Response
� Business Continuity
– Still IT Centric (Committee exists under technology directorate)
– Will Greatly Influence its “Business Partners”
� Japanese Crisis Management & Prepareness Organization.
(CMPO)
� Business Continuity Advancement Organization. (BCAO)
Australia 2008-9
� Introducing 3 New Standard Handbook to Align with ISO 31000
(Risk Management Standard) – Due for Release in May 2009
– Management Standard
– Practice Standard
– Audit Standard
30
Canada
� Public Safety – A Guide To Business Continuity Planning –
January 2009
– Continuous Service Delivery Assurance (CSDA) – Points To Continuity
as Opposed to Recovery
� NFPA 1600 –
– New version in review due out 4th quarter of 2009
– Contains DRI International Professional Practices
31
32
Standards
� Uniform Commercial Code
– Preparing for foreseeable business disruption
� National Institute of Standards and Technology (NIST)
– Contingency Planning Guide for Information Technology Systems
� IT Governance Institute Standards COBIT
– Control objectives for information and related technology
33
ISO Standards and Business Continuity
� ISO/TS 16949 - Applicable to any supplier to automotive original equipment manufacturer
� ISO 27001 (Previously Designated (ISO17799) - Deals with Information
Security
� ISO 9001, Quality Management - Record Retention and Data Availability
� ISO 14001, Environmental Mgt - Emergency Preparedness and Response
� ISO/PAS 22399 – Societal Security -- Guideline for incident preparedness and operational continuity
Section 6.3.2. Contingency Plans
The organization shall prepare contingency plans to satisfy customer requirements in the event of an
emergency such as a utility interruptions, labor shortages, key equipment failure, and field returns.
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans
34
Is It BCP?
Business Continuity vs. Vital RecordsBusiness Continuity vs. Vital RecordsBusiness Continuity vs. Vital RecordsBusiness Continuity vs. Vital Records
� Foreign Corrupt Practices Act – “Make and keep records and accounts,
which, in reasonable detail, accurately and fairly reflect the transactions and
dispositions of the assets.”
� SEC Rule 17a - Record Retention Requirements
� IRS Procedure 86-19 - Requires off-site protection, as well as documentation
of computer records maintaining tax information.
� European Union Privacy - Data Privacy
� Under the Safe Harbor, organizations that have committed to cooperate and
comply with the European Data Protection Authorities (DPAs)
� PATRIOT ACT, ACH RULES, G-L-B, AS/NZ 4390, Records Management Standard, et.
al.
35
Legal Standards
�� Liability of CorporationsLiability of Corporations
�� Liability of Corporate ExecutivesLiability of Corporate Executives
�� Liability to Outside PartiesLiability to Outside Parties
�� Standard of NegligenceStandard of Negligence
–– Standard of Care:Standard of Care:
�� Prudent Man DoctrinePrudent Man Doctrine
�� Exercise same care in managing company affairs as in managing owExercise same care in managing company affairs as in managing own n
affairs.affairs.
�� Informed Business Judgment v. Gross NegligenceInformed Business Judgment v. Gross Negligence
36
Case Law – Legal Precedence
� Blake v. Woodford Bank & Trust Co. (1977) –
Foreseeable workload – failure to prepare
� Sun Cattle Company, Inc.vs. Miners Bank (1974) –
Computer System Failure – Foreseeable Computer
Failure
� Uniform Commercial Code – Preparing for foreseeable
business disruption
37
Meeting the Standards
US v. Carroll Towing Co. (1947)
1. Probability of Harm (P): the chance that a damaging
event will occur
2. Magnitude of Harm (M): the amount of financial damage
that would occur should a disaster happen
3. Cost of Prevention (C): the price of putting in place a
means of preventing the disaster’s effects
P * M = CP * M = C
38
Negligent Failure To Plan/Prepare – Liability Pandemics
� 2003 – Canadian Nurses who contracted SARS file suit stating
that the Government was Negligent in not preparing for the
second wave of the disease after the first wave was identified.
� Munich Re:
� American Bar Association
39
BS25999�� Part 1 is an extension of PAS56Part 1 is an extension of PAS56
–– GuidanceGuidance
–– PrescriptivePrescriptive
–– Not Performance BasedNot Performance Based
�� Part 2Part 2
–– Certification BodyCertification Body
–– SpecificationSpecification
–– AuditableAuditable
–– Create Ability to Demonstrate ComplianceCreate Ability to Demonstrate Compliance
�� Stage 1 Stage 1 –– Audit Audit –– Initial Assessment Initial Assessment –– Desktop ReviewDesktop Review
-- Successful Completion Required Before Moving To Stage 2Successful Completion Required Before Moving To Stage 2
�� Stage 2 Stage 2 --Conformance Audit Conformance Audit -- Certification AuditCertification Audit
-- Demonstrate ImplementationDemonstrate Implementation
-- Failure Requires Failure Requires Corrective Action Plan Corrective Action Plan Which Must be Agreed UponWhich Must be Agreed Upon
�� Completion of Stage 1 & 2 Allows for Application to BS 25999 CerCompletion of Stage 1 & 2 Allows for Application to BS 25999 Certification Manager for tification Manager for CertificationCertification
�� Surveillance AuditsSurveillance Audits
� (To be fair, British standard BS25999introduced "Maximum Tolerable Period of Disruption" (MTPD), another mind-bender destined for the verbal scrap heap, as well.)
BS25999 --UPDATE
� Will be revised and included with ASIS proposed standard. The new
proposed ISO/ANSI standard will also include elements of the Dutch
standard.
� The ANSI PINS (Project Initiation Notification System) filing will be reviewed
by ANSI by the first week in November 2008 which ends the 30 day PINS
comment period
� A Technical committee will be formed to help create the standard. The
technical committee will be open to a mixture of experts SDOs, users,
managers, producers, etc.
� The new proposed standard may face some opposition in that there is an
indication that it is in conflict with other ANSI standards
� The same group concluded unanimously that there is a “compelling” reason
to have this standard.
� The effort to create and have the new standard approved may take
anywhere from 6 months to 2 years to be approved. 40
42
The Holy Grail or SOX for Business Continuity� The Program Was Called For In Title IX Of "The Implementing The 9/11 Commission
Recommendations Act Of 2007“ (Public Law 110-53) Which Addresses A Diversity Of
Other National Security Issues As Well. It Was Signed Into Law By The President On
August 3, 2007.
� Intent – To Implement The Findings Of The 9/11 Commission
– NFPA 1600 Was Recommendation Of Commission For Standard
– DRII’s Professional Practices Are The Basis For BCP In NFPA 1600
� Will It Become A “Standard”????
– Voluntary
– Non-punitive
– Unsuccessful Attempts By Federal Government To Address Private Sector BCM
� Overcome Investments By Private Sector
� Strain On Small And Medium Sized Businesses In Supply Chain
43
a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs . The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.b. The program will be voluntary.c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.e. One or more preparedness standards can be designated. NFPA 1600 is reference by example.f. Existing industry efforts , certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.g. Special consideration will be made for small busine ss.h. Proprietary and confidential information is to be protected.
Title IX – 110-53
Defining “The Standard”
� Process Used By Sloan Interdisciplinary Team
– Representatives of:
� ASIS, DRI International, NFPA, RIMS
� Review Existing Regulations– FFIEC, NYSE, SEC, NASD
– NERC
– HIPAA
� Provide “Credit” for Work Already Done
� Reduce Start From Scratch Opposition
� Create Core Elements for Standard
44
Core elements are those basic components that, when implemented within an organization’s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common set of criteria for preparedness, disaster management, emergency management, and business continuity programs...." called for under the law.)
Standards Crosswalk
� NFPA 1600:2007 Standard on Disaster/ Emergency Management and
Business Continuity Programs
� CSA Z1600 Standard on Emergency Management and Business Continuity
Programs
� DRI International Professional Practices for Business Continuity Planners
� BS 25999-2: 2007 Business Continuity Management – Part 2: Specification
� ASIS International - Organizational Resilience: Preparedness and Continuity
Management - Best Practices Standard Probably Become Part of BS25999
� TR19:2005 Technical Reference for Business Continuity Management (BCM)
includes TS507
� ISO/PAS 22399:2007 Societal Security: Guidelines for Incident Preparedness
and Operational Continuity Management
45
TO BE REPLACED WITH A NEW PROPOSED ANSI/ISO STANDARD UNDER DEVELOPMENT
Constructive Knowledge
If one by the exercise of
reasonable care would have
known a fact, he is deemed to
have constructive knowledge
of such fact; e.g. matters of
public record
Constructive Notice
“Such notice as implied or imputed
by law, as in the case of notice of
documents which have been
recorded with the appropriate
registry of deeds or probate. Notice
with which a person is charged by
reason of the notorious nature of
thing to be noticed, as contrasted
with the actual notice of such thing.”
Negligence
“The omission to do
something which a
reasonable man, guided by
those ordinary
considerations which
ordinarily regulate human
affairs, would do, or the
doing of something which a
reasonable and prudent
man would not do.”
Terms That Might Help
Foreseeability
Reasonable anticipation of the
possible results of an action,
such as what may happen if
one is negligent or
consequential damages
resulting a from breach of a
contract.
A danger which a reasonable person should anticipate as the result from
his/her actions. Foreseeable risk is a common affirmative defense put up
as a response by defendants in lawsuits for negligence.
Foreseeable Risk
47
Regulations
� Created by Government/Industry Regulatory Bodies
� Punitive
– Fines
– Shutdown
� Subject to (Operational/Financial) Audit – Annually
� Audit Conducted by Third Party
� Results are Board Issues
� May Create Vendor Requirements
– FFIEC
– HIPPA
Standards
� Voluntary
� Non-Punitive
� Auditable Through First, Second or Third Parties
� State of Flux
– NFPA 1600 is the ANSI National Standard is in Revision for 3rd Quarter 2009
Release
– ASIS/BS25999 are Currently in the Early Stages of Seeking ANSI Accreditation
not Due until at Least End of 2009
– ISO 22399/PAS (Publicly Available Specifications) Interim State
– New Australian Standard
– New Singapore Standard
– ………………………………..
Certification Risk/Reward
� Reward
– May Satisfy Customer Inquiries
– Create Uniformity
– No Insurance/Rating Advantage
� Risks
– Discoverable (Corrective Action Plan)
– May Not Provide Legal Protection
� Judge and Jury Decision
� No Known NFPA1600 Defense
– Quality of Auditors
– Potential Conflict
� Financial – Operational Audit
� Corporate Governance
� Regulation
– Expensive
Now For The Misinformation
51
Although voluntary right now, these standards could soon be
federal mandates for all private industry. - Not To Be Named
Consulting Firm in advertising for their webinar
Will share their best practices to meet the new "national
preparedness standard" known as NFPA 1600 – Not To Be Named
Consulting Firm
This voluntary program offers a number of potential benefits to the
certified organization, including:
•Possible insurance premium advantages
•Enhanced credit ratings
•Competitive differentiation - Not To Be Named Consulting Firm
The Problem
� Literal Interpretation of Using a Standard
– Precludes Use of Binding Regulations
– Standards are General in Nature
� No One Standard or Combination of Standards Will Meet
Prescriptive and/or Performance Based Requirements
� Standards Are Not Industry Specific
- Evacuation - NRC vs. NFPA
- Data Backup – HIPAA vs. BS25999
- Recovery Time – SWIFT vs. SS540
52
53
The Answer
� Aim is Preparedness
� Preparedness Elements Are Defined
� Sloan
� ANSI-ANAB
� Pick What is Appropriate
� Financial Requirements
� Utility Requirements
5454
The Answer
� Satisfy Industry Requirements
� Industry Specific
� One Size Doesn’t Fit All
� Acceptable to Private Sector
� Meets the Spirit of the Law
� Cost Effective – Single Audit – No Audit Conflict
� Gain Momentum – Quick Certification for 1,000s
Education and Training
� Certification for Auditors -
– Qualification CBCA and CBCLA – Available in October in Conjunction
with NFPA
– Provide Education for Practitioners and Auditors
� SME for Auditors
� Audit for SMEs
� Will Align with 110-53, NFPA, BS25999 and others
55
Q & A
Thank You
56
Statements concerning legal matters should be understood to be general observations based solely on our experience as risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified legal advisors in these areas