FSTC’s 2008 Annual Conference On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators The Financial Services Technology.

Presentation transcript:

FSTC’s 2008 Annual Conference
On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators
The Financial Services Technology Consortium
Empowering the Industry Through Innovative Ideas

VOLUNTARY EMERGENCY PREPAREDNESS
WHAT YOU NEED TO KNOW ABOUT TITLE IX
- “TITLE IX, FACT VS. FICTION”
- “THE ROLE OF STANDARDS IN TITLE IX”
- “TITLE IX, A PRACTITIONERS POINT OF VIEW”
- Panel Moderator

Voluntary Preparedness
- Al Martinez-Fonts – “TITLE IX, FACT VS. FICTION”
  Department of Homeland Security
  Assistant Secretary, Private Sector Office
- Matthew Deane – “THE ROLE OF STANDARDS IN TITLE IX”
  Director of Homeland Security Standards
  American National Standards Institute (ANSI)
- Randy Till – “TITLE IX, A PRACTITIONERS POINT OF VIEW”
  Global Business Continuity Management
  MasterCard, Worldwide
- David Nolan – Moderator
  CEO, Fusion Risk Management, Inc

June 18, 2008
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, FACT VS. FICTION
Al Martinez-Fonts, Department of Homeland Security
Assistant Secretary, Private Sector Office

Background
- “Implementing the Recommendations of the 9/11 Commission Act of 2007” – Public Law signed on August 3, 2007
- Requirement to develop a National Voluntary Private Sector Preparedness Accreditation and Certification Program.
  - Establish a common set of standards for private sector preparedness relating to disaster management, emergency management, and business continuity

Goal
Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment

“…the government does not, and cannot work alone… private sector organizations play a key role before, during and after an incident.”
National Response Framework (2007)

Key Program Requirements
- Voluntary participation
- Provide method to independently certify preparedness of private sector entities
- Administered by non-government entity
- DHS designate one or more standards based on published target criteria
- Integrate/leverage existing regulatory requirements and existing efforts, if feasible
- DHS maintain and make public a listing of any public entity certified as being compliant, if that public entity consents to being listed
- Small business consideration

[Diagram: program phases and certification levels. Labels recovered from the slide, in extraction order:]
- Level 2 (3rd Party Certification)
- Program Phase 1: Program & Target Criteria Development
- Program Phase 2: Basic Preparedness and Enhanced Target Criteria Refinement
- Program Phase 3: Enhanced Preparedness
- Level 1 (Declaration of Conformity)
- Basic (Current) Standards
- Draft Program Concept
- Establish Accrediting Body Contract
- Existing Preparedness Standards - TBD
- Existing Preparedness Programs - TBD (e.g. “Ready.Gov” and others)
- New / Revised Preparedness Programs (e.g., updated / improved Ready.Gov and others)
- Target Criteria for Standards (in work)
  - Standards process
  - Scope and Policy
  - Requirements
  - Risk Assessment
  - Objectives and Strategies
  - Operational and Control Strategies
  - Competence and Training
  - Communication and Warning Strategies
  - Resource Management
  - Assessment and Evaluation
  - Continuing Review
- Level 2 (3rd Party Certification)
- New / Revised Preparedness Standards TBD (Incorporating CIKR / Sector Specific requirements - as required)
- Level 1 (Declaration of Conformity)
- Enhanced (Future) Standards

Engagement Plan
- Sector Coordinating Council reps and others
- Partnership for Critical Infrastructure Security
- Standards community
- International Security Managers Association
- Business Executives for National Security
- Small Business Administration and other government agencies
- FEMA National Advisory Council – Subcommittee for Private Sector Preparedness
- Other organizations
- Public Notice of draft target criteria (Federal Register)

June 18, 2008
VOLUNTARY EMERGENCY PREPAREDNESS
THE ROLE OF STANDARDS IN TITLE IX
Matthew Deane
Director of Homeland Security Standards
American National Standards Institute (ANSI)

Key Definitions

Standard
A Standard is a Document, Not a Technical Regulation
Document [emphasis added] established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order…
ISO/IEC Guide 2

Conformity Assessment (accreditation/certification)
Any activity concerned with determining directly or indirectly that requirements are fulfilled
Relevant to requirements for products, services, systems and organizations.
May be conducted by:
- a supplier (first party)
- a buyer (second party)
- an organization independent of both buyer and seller (third party)

Highlighted Text from PL (standards)
- “The program developed and implemented under this subsection shall assess whether a private sector entity complies with voluntary preparedness standards.”
- “The term ‘voluntary preparedness standards’ means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).”
- “shall adopt one or more appropriate voluntary preparedness standards that promote preparedness, which may be tailored to address the unique nature of various sectors within the private sector”

Highlighted Text from PL (accreditation/certification)
- “A selected entity shall manage the accreditation process and oversee the certification process in accordance with the program established under this subsection and accredit qualified third parties to carry out the certification program established under this subsection.”
- “Certification under this subsection shall be voluntary for any private sector entity.”

Selected Standards and Guidelines
(slide columns: Standards; Guidelines/Frameworks)
- NFPA Standard on Disaster/Emergency Management and Business Continuity Programs
  - American National Standard
  - Freely available at:
- ISO/PAS Guideline for incident preparedness and operational continuity management
  - International Organization for Standardization (ISO) Publicly Available Specification (PAS)
- BS – Business Continuity Management
  - British Standard
  - Two parts
- ASIS International – Organizational Resilience: Preparedness and Continuity Management
  - ASIS draft guideline document
- Other National Standards
  - Standards Australia, SPRING Singapore (TR 19)
- CERT® Resiliency Engineering Framework
  - Partnership between Carnegie Mellon and FSTC
- Emergency Management Accreditation Program (EMAP) Standards

"Framework for Voluntary Preparedness"
- Alfred P. Sloan Foundation funded initiative to enable stakeholder dialogue with the U.S. DHS on the considerations and strategies relevant to the private sector preparedness certification program under Public Law
- Series of roundtables coordinated by NYU International Center for Enterprise Preparedness (InterCEP)
- Key deliverable is the Framework prepared by an interdisciplinary group consisting of representatives from:
  - ASIS International
  - Disaster Recovery Institute International (DRII)
  - National Fire Protection Association (NFPA)
  - Risk and Insurance Management Society, Inc. (RIMS)

Key Points from "Framework"
- In order for the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet their needs
- Report identifies core common elements of a preparedness program and provides a crosswalk of existing standards, guidelines and best practices
- Businesses and organizations should be afforded the flexibility to build on their existing programs
- Small businesses in particular need to tailor their preparedness and resilience strategies to their financial realities
- A major barrier to preparedness and resilience management is a lack of knowledge and tools, particularly in case of small businesses

June 18, 2008
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, A PRACTITIONERS POINT OF VIEW
Randall J. Till
Global Business Continuity Management
MasterCard Worldwide

Voluntary Emergency Preparedness
Considerations:
- Demonstrates the importance of preparedness and readiness in today's business climate
  - Government involvement in private sector preparedness
  - Promotes the need for strong resiliency practices
  - Expands preparedness and continuity planning as a required business practice for all organizations

Voluntary Emergency Preparedness
Considerations:
- Voluntary certification will help consolidate and solidify standards and practices
  - Provides a measure to assess and validate business preparedness and readiness
  - Builds on existing standards and proven accreditation/certification processes
  - Provide flexibility to address preparedness needs of various size businesses and industry sectors
  - Option for self-assessment of organizations

Voluntary Emergency Preparedness
Concerns:
- Size and complexity of certification process
  - Simple enough to encourage smaller companies
  - Significant enough to influence larger organizations
  - Flexible enough to encourage ongoing readiness preparation following certification
- Financial Institutions are already heavily regulated
  - Increases complexity and requirements for compliance
  - Cost and drain on resources to achieve certification
  - Voluntary certification becomes mandatory - business partners require certification

Voluntary Emergency Preparedness
Concerns (continued):
- Business Continuity lacks strong industry standards and consistent planning methodologies
  - Difficult to define single body of knowledge/standards
  - How to define clear standards and requirements with inconsistent planning practices
- Difficult to measure effectiveness of an organization's readiness and preparedness
  - Preparedness practices are institutionalized, practiced and executable
- International certification process to address requirements for global organizations

Voluntary Emergency Preparedness
Opportunities:
- Financial industry can provide leadership and direction in defining voluntary certification processes
- Consolidation and standardization of preparedness practices and standards
  - Common set of criteria for preparedness
- Drives readiness for a larger sector of the business population providing greater overall resiliency
- Provides a method to assess readiness as part of supply chain management

Voluntary Emergency Preparedness
Opportunities:
- Ability to demonstrate value-add services for the organization
- Convergence of risk management practices to address overall "operational risk management"
- Evolution of "maturity models" providing a more holistic approach for managing operational risks and resiliency
  - Provides a framework for achieving certification and improving resiliency practices
  - FSTC/CERT Resiliency Engineering Framework

Panel Discussion
- Al Martinez-Fonts – “Title IX, Fact vs. Fiction”
  Department of Homeland Security
  Assistant Secretary, Private Sector Office
- Matthew Deane – “Standards and Title IX, What you need to know”
  Director of Homeland Security Standards
  American National Standards Institute (ANSI)
- Randy Till – “Title IX, A Practitioners Point of View”
  Global Business Continuity Management
  MasterCard, Worldwide
