Presentation on theme: "Examining the Regulatory Landscape"— Presentation transcript:
1 Examining the Regulatory Landscape Glenn’ slideNEDRIX Annual ConferenceOctober 20, 2009Al BermanDRI International
2 DRI International – Who Are We? A Non-Profit Organization Committed to:Promoting a base of common knowledge for the continuity management industryCertifying qualified individuals in the discipline of Business ContinuityPromoting the credibility and professionalism of certified individualsCelebrating out Twentieth Anniversary in 2008.The Industry’s Premier Education and Certification Program Body
3 DRI International – Who Are We? DRII has Certified INDIVIDUALS in over 90 Countries.DRII conducts training courses in over 40 countries.More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 active individuals as of 2008)DRII Certifies individuals in English, Spanish, French, Japanese, Mandarin (expanding to Portuguese and Russian this year, Italian and Korean early next year)
4 Post-9/11 Pre-9/11 DRII Title IX – 110-53 Sarbanes-Oxley Act of 2002HIPAA, Final Security RuleFFIEC BCP Handbook -2003/ 2008Fair Credit Reporting ActNASD Rule 3510NERC Security GuidelinesFERC Security StandardsNAIC Standard on BCPNIST Contingency Planning GuideFRB-OCC-SEC Guidelines forStrengthening the Resilience of USFinancial SystemNYSE Rule 446California SB 1386Australia Standards BCM HandbookGAO Potential Terrorist AttacksGuidelineFederal and Legislative BCRequirements for IRSBasel Capital AccordMAS Proposed BCP Guidelines(Singapore)NFA Compliance Rule 2-38FSA Handbook (UK)BCI Standard, PAS 56 (UK)Civil Contingencies Bill (UK)FPC 65NYS Circular Letter 7ASISState of NY FIRM White Paper on CPNISCC Good Practices (Telecomm)Australian Prudential Standard on BCMHB221HB292BS25999SS507 – SS540TR19CA Z1600ISO/PAS 22399HiTech Act of 2009Pre-9/11Consumer Credit Protection ActOMB Circular A-130FEMA Guidance DocumentPaperwork Reduction ActISO (Previously ISO17799)FFIEC BCP HandbookComputer Security Act12 CFR Part 18Presidential Decision Directive 67FDA Guidance on Computerized Systemsused in Clinical TrialsANSI/NFPA Standard 1600Turnbull Report (UK)ANAO Best Practice Guide (Australia)SEC Rule 17 a-4FEMA FPC 65CARJHACODRIITitle IX –
5 BCP Standards for Financial Institutions Federal Financial Institutions Examination Council (FFIEC) BCP HandbookBusiness continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.The planning process should be conducted on an enterprise-wide basis.A thorough business impact analysis and risk assessment are the foundation of an effective BCP.The effectiveness of a BCP can only be validated through testing or practical application.The BCP and test results should be subjected to an independent audit and reviewed by the board of directors.A BCP should be periodically updated to reflect and respond to changes in the financial institution or its service provider(s).not just the recovery of the technology
6 BCP Standards for Financial Institutions NASD Rule 3510Rule 3510 will require a business continuity plan that addresses, at a minimum:Data back-up and recovery (hard copy and electronic)Mission critical systemsFinancial and operational assessmentsAlternate communications between customers and the firmAlternate communications between the firm and its employeesBusiness constituent, bank and counter-party impactRegulatory reportingCommunications with regulators
7 BCP Standards for Financial Institutions NYSE Rule 446National Association of Insurance Commissioners (NAIC)National Futures Association Compliance Rule 2-38(a) Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or significant business disruption. Members and member organizations must make such plan available to the Exchange upon request.(b) Members and member organizations must conduct a yearly review of their business continuity and contingency plan to determine whether any modifications are necessary in light of changes to the member's or member organization's operations, structure, business or location.(a) Each Member must establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant business disruption. The plan shall be reasonably designed to enable the Member to continue operating, to reestablish operations, or to transfer its business to another Member with minimal disruption to its customers, other Members, and the commodity futures markets.
8 BCP Standards for Financial Institutions Electronic Funds Transfer Act - held that banks were liable for actual damages caused by failing to transfer funds in a timely fashion. This required the establishment of contingency plans to meet the standard of “reasonable” standard of care (the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty.)Basel Committee’s Capital Accords and Sound Practices for the Management and Supervision of Operational Risk - “Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.” – Seventh Principle in Sound Practices for Management and Supervision of Operational RiskReserve Bank of India - Operational Risk Management - Business Continuity Planning - Business Continuity planning is a key pre-requisite for minimising the adverse effects of one of the important areas of operational risk – business disruption and system failures.
9 FINRA (Financial Industry Regulatory Authority) Business Continuity PlanningNASD Rules 3510 and 3520 require firms to create and maintain business continuity plans (BCP) to use in the event of a significant business disruption.Rule filings associated with Business Continuity Planning (SR-NASD ) FINRA’s Business Continuity PlanSmall Firm Emergency Partner Program: A Voluntary Addition to a Firm's BCPSecurities and Exchange Commission / Board of Governors of the Federal Reserve System / Office of the Comptroller of the Currency Joint White Paper on Business Continuity Planning The Disaster Recovery Institute Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security
10 BCP Standards for the Healthcare/Life Science Industries Health Insurance Portability and Accountability Act of 1996 (HIPAA), Final Security Rule7. Contingency Plan (§ (a)(7)(i))We proposed that a contingency plan must be in effect for responding to system emergencies. The plan would include an applications and data criticality analysis, a data backup plan, a disaster recovery plan, an emergency mode operation plan, and testing and revision procedures.In this final rule, we make the implementation specifications for testing and revision procedures and an applications and data criticality analysis addressable, but otherwise require that the contingency features proposed be met.HiTech Act of 2009 – More Reporting of Breaches, More Oversight
11 HIPAA BCP REQUIREMENTS State privacy laws are NOT preempted by federal privacy rules, unless there is a direct conflictIf state law is “more stringent,” or covers an area not covered by federal rules, state law controlsIs it enough ????
12 BCP Standards for the Healthcare/Life Science Industries ManufacturingLaboratoryClinicalFDA’s GxP: Good PracticesFDA Guidance on Computerized Systems in Clinical TrialsIX. SYSTEM CONTROLSB. Contingency PlansWritten procedures should describe contingency plans for continuing the study by alternate means in the event of failure of the computerized system.C. Backup and Recovery of Electronic RecordsBackup and recovery procedures should be clearly outlined in the SOPs and be sufficient to protect against data loss. Records should be backed up regularly in a way that would prevent a catastrophic loss and ensure the quality and integrity of the data.
13 BCP Standards for the Energy Industry Federal Electric Reliability Council’s (FERC) Security Standards for Electric Market Participants, July 2002North American Electric Reliability Council’s (NERC) Security Guidelines for the Electricity Sector, June 2002Business Continuity:Every participant operating a critical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Those plans should further define the roles, responsibilities and actions needed to quickly recover or reestablish electric grid and market functions, processes and systems, in the event that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or exercised regularly.Continuity of Business Processes:Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations when interruptions occur. Consider flexible plans that address key areas such as telecommunications, information technology, customer service centers, facilities security, operations, generation, power delivery, customer remittance and payroll processes. It is useful to revise and test plans on a regular basis. It also is advisable to train personnel so they fully understand their roles with respect to the plans.
14 Not Just IT FFIEC – March 2008 “Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.” “The planning process should be conducted on an enterprise-wide basis”.Australian Prudential Standard – April 2005“Business continuity management (BCM) describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion”Monetary Authority of Singapore – June 2003“Business Continuity Management (“BCM”) is an over-arching framework that aims to minimise the impact to businesses due to operational disruptions. It not only addresses the restoration of information technology (“IT”) infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations.”
15 Cross-Industry BCP Standards Sarbanes-Oxley Act of 2002SEC MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.IS THERE BCP IN SARBANES-OXLEY????
16 Is There BCP in Sarbanes-Oxley? PCAOB (Public Company Accounting Oversight Board)NO“Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data.Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."
17 Is There BCP in Sarbanes-Oxley? PractitionersYES
18 Municipal Governments Continuity of Operations (COOP)Continuity of Government (COG)FEMA Federal Preparedness Circular (FPC) 65Originally Issued – June 1999 – James Lee WittRevised – June 2004 – Michael Brown
20 Are They A Client? FFIEC – Appendix E - Interdependencies THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERSoutsourcing information, transaction processing, and settlement activitiesInstitutions should review and understand service providers' BCPs and ensure critical services can be restored within acceptable timeframes based upon the needs of the institution- If possible the institution should consider participating in their provider’s testing process.HOW FAR DOES THIS EXTEND?????
21 Are They A Client? HIPAA – Business Associate (aka Chain of Trust) the business associate must--(1) implement safeguards thatreasonably and appropriately protect the confidentiality,integrity, and availability of the electronic protected healthinformation that it creates, receives, maintains, or transmits onbehalf of the covered entity; (2) ensure that any agent, includinga subcontractor, to whom it provides this information agrees toimplement reasonable and appropriate safeguards;All Companies Are Reviewing The Preparedness Of Their Critical Supply Chain Vendors To Ensure End-to-end Operating Capabilities.Pandemic
22 Singapore – The Model for the Future? SS 540 – Revision to TR19 (PDCA – Plan Do Check Act) – New BCM FrameworkStandard for Business Continuity / Disaster Recovery Service Providers (SS507) - Singapore is the first country in the world to introduce a Standard and Certification program for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered.TR19 – Technical Reference 19 - aims to help Singapore based enterprises build competence, capacity, resilience and readiness to respond to and recover from events that threaten to disrupt normal business operations.PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS – May 2008KPMG
23 China & Japan Chinese Business Continuity Management Committee (CBCM) Setting Standards for ChineseEmergency ResponseBusiness ContinuityStill IT Centric (Committee exists under technology directorate)Will Greatly Influence its “Business Partners”Japanese Crisis Management & Prepareness Organization. (CMPO)Business Continuity Advancement Organization. (BCAO)
24 AustraliaIntroducing 3 New Standard Handbook to Align with ISO (Risk Management Standard) – Due for Release in May 2009Management StandardPractice StandardAudit Standard
25 Standards Uniform Commercial Code Preparing for foreseeable business disruptionNational Institute of Standards and Technology (NIST)Contingency Planning Guide for Information Technology SystemsIT Governance Institute Standards COBITControl objectives for information and related technology
26 ISO Standards and Business Continuity ISO/TS Applicable to any supplier to automotive original equipment manufacturerISO (Previously Designated (ISO17799) - Deals with Information SecurityISO 9001, Quality Management - Record Retention and Data AvailabilityISO 14001, Environmental Mgt - Emergency Preparedness and ResponseISO/PAS – Societal Security - Guideline for incident preparedness and operational continuity managementSection Contingency PlansThe organization shall prepare contingency plans to satisfy customer requirements in the event of an emergency such as a utility interruptions, labor shortages, key equipment failure, and field returns.11 BUSINESS CONTINUITY MANAGEMENT11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENTBusiness continuity management processBusiness continuity and impact analysisWriting and implementing continuity plansBusiness continuity planning frameworkTesting, maintaining and re-assessing business continuity plans
27 Legal Standards Liability of Corporations Liability of Corporate ExecutivesLiability to Outside PartiesStandard of NegligenceStandard of Care:Prudent Man DoctrineExercise same care in managing company affairs as in managing own affairs.Informed Business Judgment v. Gross Negligence
28 Case Law – Legal Precedence Blake v. Woodford Bank & Trust Co. (1977) – Foreseeable workload – failure to prepareSun Cattle Company, Inc.vs. Miners Bank (1974) – Computer System Failure – Foreseeable Computer FailureUniform Commercial Code – Preparing for foreseeable business disruption
29 Meeting the Standards US v. Carroll Towing Co. (1947) 1. Probability of Harm (P): the chance that a damaging event will occur2. Magnitude of Harm (M): the amount of financial damage that would occur should a disaster happen3. Cost of Prevention (C): the price of putting in place a means of preventing the disaster’s effectsP * M = C
30 Negligent Failure To Plan/Prepare – Liability Pandemics 2003 – Canadian Nurses who contracted SARS file suit stating that the Government was Negligent in not preparing for the second wave of the disease after the first wave was identified.Munich Re:American Bar Association
31 BS25999 Part 1 is an extension of PAS56 Guidance Prescriptive Not Performance BasedPart 2Certification BodySpecificationAuditableCreate Ability to Demonstrate ComplianceStage 1 – Audit – Initial Assessment – Desktop ReviewSuccessful Completion Required Before Moving To Stage 2Stage 2 -Conformance Audit - Certification AuditDemonstrate ImplementationFailure Requires Corrective Action Plan Which Must be Agreed UponCompletion of Stage 1 & 2 Allows for Application to BS Certification Manager for CertificationSurveillance Audits(To be fair, British standard BS25999introduced "Maximum Tolerable Period of Disruption" (MTPD), another mind-bender destined for the verbal scrap heap, as well.)
32 BS UPDATEWill be revised and included with ASIS proposed standard. The new proposed ISO/ANSI standard will also include elements of the Dutch standard.The ANSI PINS (Project Initiation Notification System) filing will be reviewed by ANSI by the first week in November 2008 which ends the 30 day PINS comment periodA Technical committee will be formed to help create the standard. The technical committee will be open to a mixture of experts SDOs, users, managers, producers, etc.The new proposed standard may face some opposition in that there is an indication that it is in conflict with other ANSI standardsThe same group concluded unanimously that there is a “compelling” reason to have this standard.The effort to create and have the new standard approved may take anywhere from 6 months to 2 years to be approved.
33 PUBLIC LAW“IMPLEMENTING RECOMMENDATIONSOF THE 9/11 COMMISSION ACT OF 2007”TITLE IX
34 The Holy Grail or SOX for Business Continuity The Program Was Called For In Title IX Of "The Implementing The 9/11 Commission Recommendations Act Of 2007“ (Public Law ) Which Addresses A Diversity Of Other National Security Issues As Well. It Was Signed Into Law By The President On August 3, 2007.Intent – To Implement The Findings Of The 9/11 CommissionNFPA 1600 Was Recommendation Of Commission For StandardDRII’s Professional Practices Are The Basis For BCP In NFPA 1600Will It Become A “Standard”????VoluntaryNon-punitiveUnsuccessful Attempts By Federal Government To Address Private Sector BCMOvercome Investments By Private SectorStrain On Small And Medium Sized Businesses In Supply Chain
35 Title IX – a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. h. Proprietary and confidential information is to be protected.
36 Defining “The Standard” Process Used By Sloan Interdisciplinary TeamRepresentatives of:ASIS, DRI International, NFPA, RIMSReview Existing RegulationsFFIEC, NYSE, SEC, NASDNERCHIPAAProvide “Credit” for Work Already DoneReduce Start From Scratch OppositionCreate Core Elements for StandardCore elements are those basic components that, when implemented within an organization’s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common set of criteria for preparedness, disaster management, emergency management, and business continuity programs...." called for under the law.)
37 Core Elements 13 Become 8Policy statement and management commitment - Scope, program roles, responsibilities, and resourcesRisk identification, assessments and criticality impact analyses, including legal and other requirementsPrevention and Mitigation Evaluation and PlanningIncident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology) includes communicationsRecovery Planning - May be considered to include rebuilding, repairing, and / or restoringAwareness and trainingExercises and testingProgram revision and improvement
39 TO BE REPLACED WITH A NEW PROPOSED ANSI/ISO STANDARD UNDER DEVELOPMENT Standards CrosswalkNFPA 1600:2007 Standard on Disaster/ Emergency Management and Business Continuity ProgramsCSA Z1600 Standard on Emergency Management and Business Continuity ProgramsDRI International Professional Practices for Business Continuity PlannersBS : 2007 Business Continuity Management – Part 2: SpecificationASIS International - Organizational Resilience: Preparedness and Continuity Management - Best Practices Standard Probably Become Part of ISO/PAS 22399TR19:2005 Technical Reference for Business Continuity Management (BCM) includes TS507ISO/PAS 22399:2007 Societal Security: Guidelines for Incident Preparedness and Operational Continuity ManagementTO BE REPLACED WITH A NEW PROPOSED ANSI/ISO STANDARD UNDER DEVELOPMENT
40 Flexibility Within A Framework Existing Industry EffortsRegulationsFFIEC – NYSE – SEC – HIPAA – NERCStandardsISO, ANSI, BSINOT Sarbanes-Oxley
41 Process For Implementation of Title IX 1. DHS will designate one or more organizations to act as the accrediting body, and oversee the certification process, and to accredit qualified third parties to carry out the certification program. 2. DHS will separately designate one or more standards for assessing private sector preparedness. 3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards. 4. DHS will monitor the effectiveness program on an on-going basis.
44 NFPA gets new DHS support - PRECURSOR TO A STANDARDS CHOICE? The US Department of Homeland Security (DHS) has designated the National Fire Protection Association (NFPA) codes and standards development process as a ‘Qualified Anti-Terrorism Technology’ (QATT) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act). NFPA is the first standards development organization to receive this designation. Under provisions of the SAFETY Act, NFPA’s codes and standards development process was also certified as an ‘Approved Product for Homeland Security.’According to DHS, the SAFETY Act encourages the development and deployment of new and innovative anti-terrorism products and services by providing liability protections. Designation as a QATT and certification as an approved product for homeland security under the SAFETY Act provides legal protections for the NFPA codes and standards development process as applied to anti-terrorism.“NFPA is pleased to have its codes and standards development process recognized as an effective anti-terrorism technology which reflects the openness, balance and fairness NFPA strives to achieve in its voluntary codes and standards development process,” said NFPA President James M. Shannon.Federal protections under the DHS Designation and Certification are retroactive and recognize NFPA’s technology’s ‘first date of sale’ as September 11, 2001.Shannon added, “The commitment and involvement of NFPA in anti-terrorism standards predates the events of 9/11. NFPA has long been committed to making its codes and standards development process available for the creation and continual improvement of standards used to protect first responders and the public in terrorist events. We believe we have a world-class system which attracts numerous experts from diverse fields to develop codes and standards that mitigate the effects of terrorism on people and property.”All NFPA safety codes and standards are developed through a process accredited by the American National Standards Institute (ANSI). The more than 250 technical committees responsible for developing and updating all 300 codes and standards include approximately 4,000 volunteers, representing enforcing authorities, installers and maintainers, labor, research and testing laboratories, insurers, special experts, consumers and other users.NFPA was the developer of the NFPA 1600 ‘Standard on Disaster/Emergency Management and Business Continuity Programs’.
45 TITLE IX UPDATE – December 2008 At ANSI – HSSP (Homeland Security Standards Panel ) - DHS “unveiled” its “Voluntary Private Sector Preparedness Accreditation and Certification Program – Proposed Target Criteria for Preparedness Standard”Internally developed and will be open for comment when DHS publishes a notice in the Federal RegistryDecember 24, 2008 DHS files notice for comments in the Federal Register. “We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600)—the standard specifically mentioned in both the statute and the 9/11 Commission’s recommendation—as well as any other private sector preparedness standards submitted for adoption.”AWAITING DHS FEDERAL REGISTRY FILINGOF APPLICABLE STANDARDS
46 Will it meet customer requirements ImplicationsCertificationBenefit To Passing CertificationIf You Can’t Pass Don’t StartLegalLitigation Standard“Voluntary Negligence”No TeethNon-PunitiveWill it meet customer requirements
47 What We Know Right NowTitle IX of PL is an unfunded effort, there are no tangible rewards; e.g., tax reductions in the form of deductions or tax credits to use as an incentive. While there are ongoing efforts to provide some insurance relief for business continuity planning, at this time no such incentives are available – Sloan Foundation ReportFEMA has been designated to lead the effortANSI – will oversee the certification processManage AccreditationAccredit third parties to carry out certificationCollaborate to develop procedures and requirements for certification and accreditation
48 Now For The Misinformation Although voluntary right now, these standards could soon be federal mandates for all private industry. - Not To Be Named Consulting Firm in advertising for their webinarWill share their best practices to meet the new "national preparedness standard" known as NFPA 1600 – Not To Be Named Consulting FirmThis voluntary program offers a number of potential benefits to the certified organization, including: Possible insurance premium advantagesEnhanced credit ratingsCompetitive differentiation - Not To Be Named Consulting Firm
49 Certification Risk/Reward May Satisfy Customer InquiriesCreate UniformityNo Insurance/Rating AdvantageRisksDiscoverable (Corrective Action Plan)May Not Provide Legal ProtectionJudge and Jury DecisionNo Known NFPA1600 DefenseQuality of AuditorsPotential ConflictFinancial – Operational AuditCorporate GovernanceRegulationExpensive
50 The Problem Literal Interpretation of Using a Standard Precludes Use of Binding RegulationsStandards are General in NatureNo One Standard or Combination of Standards Will Meet Prescriptive and/or Performance Based StandardsStandards Are Not Industry SpecificEvacuation - NRC vs. NFPAData Backup – HIPAA vs. BS25999Recovery Time – SWIFT vs. SS540Failure to Adapt ``(E) CONSIDERATIONS.--In developing and implementing the program under this subsection, the designated officer shall–``(i) consider the unique nature of various sectors within the private sector, including preparedness standards, business continuity standards, or best practices, established--
51 Created by Government/Industry Regulatory Bodies Punitive RegulationsCreated by Government/Industry Regulatory BodiesPunitiveFinesShutdownSubject to (Operational/Financial) Audit – AnnuallyAudit Conducted by Third PartyResults are Board IssuesMay Create Vendor RequirementsFFIECHIPPA
52 Auditable Through First, Second or Third Parties State of Flux StandardsVoluntaryNon-PunitiveAuditable Through First, Second or Third PartiesState of FluxNFPA 1600 is the ANSI National Standard is in Revision for 3rd Quarter 2009 ReleaseASIS/BS25999 are Currently in the Early Stages of Seeking ANSI Accreditation not Due until at Least End of 2009ISO 22399/PAS (Publicly Available Specifications) Interim StateNew Australian StandardNew Singapore Standard………………………………..
53 The AnswerAim is PreparednessPreparedness Elements Are DefinedSloanANSI-ANABPick What is AppropriateFinancial RequirementsUtility RequirementsSatisfy Industry Requirements
54 Satisfy Industry Requirements Industry Specific The AnswerSatisfy Industry RequirementsIndustry SpecificOne Size Doesn’t Fit AllAcceptable to Private SectorMeets the Spirit of the LawCost Effective – Single Audit – No Audit ConflictGain Momentum – Quick Certification for 1,000s54
55 Next Steps QUALIFYING “CERTIFYING BODY” Meet ANSI-ANAB Requirements Designed for SMEs (Emergency/Disaster Management and Business Continuity to Understand Audit Concepts)Designed for Auditors (To Understand Emergency/Disaster Management and Business Continuity)Earn a CBCA (Certified Business Continuity Auditor) or CBCLA (Certified Business Continuity Lead Auditor)Provide ConsistencyProvide RecognitionHelp Auditing, Help ProfessionalsSelf AssessmentSecond Party AssessmentThird Party Assessment
56 Q & AThank YouStatements concerning legal matters should be understood to be general observations based solely on our experience as risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified legal advisors in these areas