Presentation on theme: "1 Boston ACP – September 8, 2010. A Non-Profit Organization Committed to: Promoting a base of common knowledge for the continuity management industry."— Presentation transcript:
A Non-Profit Organization Committed to: Promoting a base of common knowledge for the continuity management industry Certifying qualified individuals in the discipline of Business Continuity Promoting the credibility and professionalism of certified individuals Founded in 1988. The Industrys Premier Education and Certification Program Body
DRII has Certified INDIVIDUALS in over 95 Countries. DRII conducts training courses in over 45 countries. More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 active individuals as of 2009) DRII Certifies individuals in English, Spanish, French, Japanese, Mandarin and Russian DRI International teaches in English, French, Spanish, Portuguese, Mandarin, Japanese, Italian and Russian In 2009 DRII taught more classes outside the US than within the US.
Government Organizations Chaired the Alfred P. Sloan Committee that drafted the Framework for Preparedness that has been the foundation for the Title IX Implementation. Member U.S. Chamber of Commerce Homeland Security Task Force Member of the Council of Experts for ANSI-ANAB who will set the credentialing standard for certifying bodies for PS-Prep Member of FEMA National Advisory Council Private Sector Subcommittee Member of Advisory Committee for Congressionally funded Project for National Security Reform Meeting with Special Assistant to The President for Homeland Security Standards Policy
Non-Government Organization Member of the NFPA 1600 Technical Committee Member of the BS25999 – ASIS Technical Committee Participant RIMS (Risk Insurance Managers Society) PERK (Professional Exchange of Risk Knowledge) Program Cooperative Education Credit Sharing with ISACA (Information Systems Audit and Control Association) Cooperative Education Credit Sharing with IC2 Audit Course Development and Training for Auditors with NFPA (National Fire Prevention Association) Developing Joint Program with Red Cross
Greater Marketplace Recognition Job Pre-Requisites Distinguishes Candidate HR Key Words CBCP, ABCP Financial Gain – certification is correlated with higher wages 6
Employer Benefit – confirms for the employer, the employee has a high level of knowledge of standard industry practices and processes – AND CONTINUES TO MAINTAIN CURRENT KINOWLEDGE Provides consistency of knowledge for multi- nationals 9
What Are We Trying to Accomplish? PREPAREDNESS Emergency Management Disaster management Business Continuity Is this New? Regulations Standards Guidances 11
Recommendation: We endorse the American National Standards Institutes recommended standard for private preparedness. We were encouraged by Secretary Tom Ridges praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit-rating industries to look closely at a companys compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private- sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. 12
13 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO 27002 (Previously ISO17799) FFIEC BCP Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CARJHACO Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCP Handbook -2003/ 2008 Fair Credit Reporting Act NASD Rule 3510 NERC Security Guidelines FERC Security Standards NAIC Standard on BCP NIST Contingency Planning Guide FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Strengthening the Resilience of US Financial System Financial System NYSE Rule 446 California SB 1386 Australia Standards BCM Handbook GAO Potential Terrorist Attacks Guideline Guideline Federal and Legislative BC Requirements for IRS Requirements for IRS Basel Capital Accord MAS Proposed BCP Guidelines (Singapore) (Singapore) NFA Compliance Rule 2-38 FSA Handbook (UK) BCI Standard, PAS 56 (UK) Civil Contingencies Bill (UK) Post-9/11 Pre-9/11 1991 - 2001 2002 -------------------------------------------------------2010 2002 Safety Act FCD-1/2 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CP NISCC Good Practices (Telecomm) Australian Prudential Standard on BCM HB221HB292BS25999 SS507 – SS540 TR19 CA Z1600 ISO/PAS 22399 HiTech Act of 2009 DRII Title IX – 110-53 Business Continuity Regulations and Standards
14 a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. h. Proprietary and confidential information is to be protected.
A list of Recommended Standards Against Which a Company May Certify: ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). British Standards Institution 25999 (2007 Edition) - Business Continuity Management.(BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management) National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. 15
DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies and recognized by ANSI-ANAB Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only) This Certificate will Be Required to Seek CBCA/CBCLAs DRI International will maintain recertification through continuing education (RSBSQA requirement) 17
Regulations Created by Government/Industry Regulatory Bodies Punitive Fines Shutdown Subject to Annual (Operational/Financial) Audit Audit Conducted by Third Party Results are Board Issues May Create Vendor Requirements FFIEC HIPPA
Standards Voluntary Non-Punitive Auditable Through First, Second or Third Parties State of Flux NFPA 1600 is the ANSI National Standard is in Revised Every 3 years ASIS/BS25999 are Currently in the Early Stages of Seeking ANSI Accreditation not Due until at Least End of 2009 ISO 22399/PAS (Publicly Available Specifications) Interim State New Australian Standard New Singapore Standard
A Certification by an Approved Certification Body No Endorsement by DHS/FEMA or Federal Government A Distancing by DHS from the Process Private Sector Certification Bodies Available Before PS-Prep NFPA 1600 BS 25999 SS507 – SS540 Private Companies 20
No Get Out of Jail Free (Safe Harbor) Safety Act of 2002 No Reduction in Insurance Premiums Does Not Exempt Regulatory Compliance DHS Cannot Make It Mandatory – Only Legislative Action Can Highly Unlikely Consider Sarbanes-Oxley 21
So Why Do It Rewards May Satisfy Customer Inquiries Supply Chain RFPs Create Uniformity Multi-Nationals Increase Preparedness PS-Prep Raised Awareness of Need to Prepare
Risks Risks May Not Provide Legal Protection Judge and Jury Decision No Known NFPA1600 Defense Quality of Auditors Proper Training No Control Precludes Any organization that provides preparedness consulting services to private sector entities
What to Do Now Focus on the Regs * Broaden Your Viewpoint * Keep Your Eyes on Transition * Hold Off On (the Actual) Certification * Walk Dont Run * Talk to Your General Counsel (DHS Does) * The Standards Race Author: Mark Carroll
Final Thoughts and Ideas Lets Work On Preparedness Small Steps – Easily Accomplished
27 The Greater Tampa Bay Chapter would act as the organizing administrator for the training class, and the participants would pay $1745.50 to ACP – GTB. At the conclusion of the DRI 501 class and exam, ACP – GTB will file the appropriate paperwork with the State of Florida for an education reimbursement, and the State of Florida would pay ACP – GTB for 50% of the cost of this training / exam program – or $872.50 per participant. GTB – ACP would then cut a check back to each participant for $872.50. The education grant only covers the cost of training, exams, and administrative fees associated with the class. That would bring the net cost to each participant down to $872.50 which is SIGNIFICANTLY lower than youd pay for the program at any of the major BCP / DR conferences Travel, lodging, and meals would be the responsibility of each participant, and we are working with our event coordinator to find a venue which would guarantee a block room rate.
29 (1)consistent with keeping PS-Prep a voluntary program, as directed by Congress, FEMA should expressly and strongly emphasize that neither program participation nor the accreditation or certification standards establish an enforceable duty, a standard of care or any other basis for imposing civil liability; (2) entities that are already subject to comprehensive emergency preparedness regulation under the Pipeline Safety Act, the Chemical Facility Anti-Terrorism Act, the Marine Transportation Security Act, etc., should be able to obtain PS-Prep certification solely by documenting their compliance (INGAA added that FEMA should do this accrediting the regulating agencies and instructing them to grant certification once an entity demonstrates its compliance with the emergency preparedness regulations); (3) entities with PS-Prep certification should be considered pre-qualified for protection under the Supporting Ant-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002, or their SAFETY Act applications should at least be accorded priority processing; and (4) FEMA should examine and address the economic feasibility and cost considerations associated with approving the proposed PS-Prep standards and allowing PS-Prep certification through compliance with current emergency preparedness regulations. The Interstate Natural Gas Association of America (INGAA)
31 Legal o Common law precedent would substantiate certification as a way to mitigate potential liability o Development of statutory guidelines would provide additional legal motivation to pursue certification o Some corporations are concerned about possible disincentives associated with certification (e.g. identification of shortfalls) o Allowing multiple standards for certification could be legally problematic o Using a maturity model (levels of preparedness) may make certification more compelling from a legal perspective
32 Some corporations are concerned about possible disincentives associated with certification. o There is a potential disincentive pertaining to undertaking preparedness certification and the related documentation of preparedness actions undertaken by a company, especially with respect to the identification of risks to the company and its current vulnerabilities. o Absent some legal privilege such as attorney-client privilege or work product privilege, documents generated during the certification process could become discoverable and could be used against the company in any future litigation or investigations. That scenario functions as a disincentive to undertaking and documenting preparedness actions. International Center for Enterprise Preparedness th The Legal Working Group On the Voluntary Business Preparedness Accreditation and Certification Program International Center for Enterprise Preparedness (InterCEP) New York University Initial Meeting March 7, 2008
Your consent to our cookies if you continue to use this website.