Regulations, Best Practices and Standards
An Overview and Case Study for Putting it to Work in Your Organization

Flagg Management Conference
March 17, 2009 – 3:10 P.M.

Tom Martin, Tim Mathews, Karen Hughes
Level Setting Definitions

Regulations (Source: Georgetown Law School)
A type of "delegated legislation" promulgated by a state, federal or local administrative
agency given authority to do so by the appropriate legislature. Regulations generally
are very specific in nature; they are also referred to as "rules" or simply "administrative

Best Practices (Source: BusinessDictionary.com)
Methods and techniques that have consistently shown results superior to those
achieved with other means, and which are used as benchmarks to strive for.
     There is, however, no practice that is best for everyone or in every situation, and
     no best practice remains best for very long as people keep on finding better ways
     of doing things.

Standards (Source: International Standards Organization - ISO)
Documented agreements containing technical specifications or other precise criteria
to be used consistently as rules, guidelines or definitions of characteristics, to ensure
that materials, products, processes and services are fit for their purpose.

                                             2                                       5/19/08
Regulations, Best Practices & Standards

• Regulatory (US)
   FFIEC - Federal Financial Institutions Examination Council
   OCC - Office of the Comptroller of the Currency
     FINRA - The Financial Industry Regulatory Authority
     SEC - Securities and Exchange Commission
     HIPAA - Health Insurance Portability and Accountability Act
     SOX - Sarbanes-Oxley
     + Others
• Regulatory (International)
   FSA - Financial Services Authority (UK)
   MAS - Monetary Authority of Singapore
   Basel II – G10 Countries (Basel, Switzerland – June 2004)

 Regulations, Best Practices & Standards

• Best Practices
   ASIS International - Preparedness & Continuity Management Best
    Practice Standard
   DRII/BCI - Professional Practices for Business Continuity Planners
   BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
   DRJ/DRII - Generally Accepted Practices (GAP)
   Basel Committee on Banking Supervision - High Level Principles for
    Business Continuity (2006)

 Regulations, Best Practices & Standards

• Standards
  NFPA1600 - Standard on Disaster/Emergency Management and Business
   Continuity Programs (ANSI/US)
  BS 25999 - Business Continuity Management (BSI/UK)
       -1 Code of Practice
       -2 Specification
  ISO/PAS 22399 - Incident Preparedness & Continuity Management
  Title IX – PL 110-53 - Voluntary Certification against yet-to-be-announced
   Standards (US)
  ISO 24762 – Guide for Information and Communications Technology for Disaster
   Recovery (ISO/International)
  HB 292:2006 - A Practitioner's Guide to Business Continuity Management
  CSA Z1600 - Standard on Emergency Management and Business Continuity
   Programs (Canada)
  TR19:2004 - BCM Framework & Technical Reference (Singapore)
  SI 24001:2007 - Security & Continuity Management Systems (Israel)

   Recent Events

• July 2008
   – Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified
     in BS 25999
   – BSI Certification Status
       • 22 firms certified worldwide
       • 160 active applications
   – S&P announced they will enhance their ratings process for nonfinancial
     companies through an enterprise risk management review (creating a more
     systematic framework for an inherently subjective topic)
• August 2008
   – BS 25777 introduced – Code of Practice for Information and
     Communications Technology Continuity
       • Similar to ISO 24762 – Guide for ICT and DR
   – DHS signed agreement with ANSI-ASQ National Accreditation Board
     (ANAB) – to establish and oversee the implementation and accreditation of
     Title IX

 Recent Events (cont’d)

• August 2008 (cont’d)
  – ASIS announces plans for a new US Business Continuity
    and Risk standard
     • Solicits the support of ANSI organization
         – ASIS is an ANSI accredited Standards Development Organization (SDO)
     • DRII protests and rallies others to do the same
  – Carnegie Mellon – CERT Resiliency Framework Code of
    Practice Standards Crosswalk (11 standards) published
• October 2008
  – ANSI Homeland Security Standards Panel discussion
     • Subject was Public Law 110-53 Title IX voluntary standards
  – ASIS hosted stakeholder deliberation meeting and then re-
    affirms its direction in developing a new ANSI standard

  Recent Events (cont’d)

• October 2008 (cont’d)
   – Singapore (SPRING) launches new certifiable standard SS540 which
     replaces TR 19:2004
• January 2009
   – NFPA issues 2010 version of NFPA1600 for public comment
   – ASIS International holds joint working group meeting to outline new US
     standard based largely on BS 25999
   – 1st public feedback session on Title IX sponsored by the DHS
   – The Business Continuity Institute announced the release of an updated
     version of its business continuity Good Practice Guidelines -- designated
     as GPG2008-2
• February 2009
   – 2nd public feedback session on Title IX sponsored by the DHS
                              Work Continues

BS25999: A Case Study
  Tuesday, March 17, 2009

         Tim Mathews
    Director, Enterprise Resiliency
 Educational Testing Service
        Educational Testing Service
• Our Mission: To advance quality and equity in education by
  providing fair and valid assessments, research and related services. Our
  products and services measure knowledge and skills, promote learning
  and educational performance, and support education and professional
  development for all people worldwide.

• Our Vision: To be recognized as the global leader in providing fair
  and valid assessments, research and related products and services to
  help individuals, parents, teachers, educational institutions, businesses,
  governments, countries, states and school districts, as well as
  measurement specialists and researchers.

• Our Values: Social responsibility, equity, opportunity, and quality.
  We practice these values by listening to educators, parents and critics.
  We learn what students and the institutions they attend need.

We lead in the development of products and services to
help teachers teach, students learn and parents
measure the intellectual progress of their children.
            Today’s agenda:

• Why pursue a standard?
• Why BS 25999?
• What is the process?
• What have we learned?
                 Why pursue a standard?
  Support the Corporate Strategy

• Establish and maintain trust – enhance and preserve the Brand
• Supply chain risk management
     – Critical vendors and suppliers may experience a disaster
     – What do we know about their resiliency?
• Competitive advantage – may increase or maintain margin vis-à-vis
  competition
     – Certified BCMS is a differentiator (RFI, RFP and contract)
     – May reduce the burdens of internal and external audits from
       your key customers.
• SLA and scope “expectation” management
     – Key customers are vague
     – As DHS voluntary compliance percolates through the
       business community, there will be a “Wal-Mart” effect
• Training and knowledge transfer
                  Why pursue a standard?
      Effective Risk Management

• Debt valuation and risk ratings
    – S&P (and Moody’s)
          • Enterprise Risk Management (ERM) will be added as an
            element of all corporate ratings
          • Requires that a firm address all its risks
          • Operational risk is a critical element … encompassing
            security, resilience, etc
    “..the extent to which companies are adopting standards, …
        would bolster the view that management has a proactive
        culture and attitude towards risk. However it’s too early ….
        to know what weight we’d place on that evidence.”
    – Firms must show they are addressing risks in a systematic
• Tort Negligence: Industry standards inform prudent practice and
  “affirmative defense.” – ’93 WTC bombing decision
    – Port Authority held more liable than terrorists ($100M)
                 Why pursue a standard?
    Compliance and Governance

• DHS voluntary mandate - Title IX
• Various compliance requirements
     – Regulatory
     – Periodic external financial control audits
     – Insurability audits
     – Independent client audits
• Common framework for communication of capabilities
     – Business development
     – Supply chain
     – Inter-company (parent and subs)
• Integrated recovery planning and exercises (with subs, key
  suppliers and clients)
• Leverage plan development and maintenance activities
                  Why BS 25999?

• Accepted Standard that establishes the process, principles and
  terminology of business continuity management (BCM)
• BS 25999-1 Code of Practice – provides guidance and
• BS 25999-2 Detailed Specification – appears to meet or exceed
  the published DHS criteria
• Provides a non-prescriptive, generic model to follow in creating
  and maintaining preparedness processes and activities
• ETS Enterprise Resiliency program aligned well to the standard
• Gaps were straightforward to implement
BS25999-2 Certification Process

[Diagram: Standard (Criteria) + Assessment (Evidence) = Certification]

Standard (Criteria):
  – Industry practices
  – Peer discussion
  – Online self
  – Part 1: Code of Practice
  – Part 2: Specification

Assessment (Evidence):
  – Self-
  – Pre-assessment
  – Stage 1 audit: Review Policy and SOP, Risk Assessments and Internal Audit
  – Stage 2 audit: Review BIA, BCP, TDRPs and ERP
  – Demonstrate compliance with specification

Certification:
  – Address any non-conformities (Remediation)
  – Refresh program
  – Surveillance: Demonstrate on-going compliance with specification
BS25999-2 Certification Timeline

[Diagram: Standard (Criteria) + Assessment (Evidence) = Certification, with durations]

Standard (Criteria): 4 months (4/08 – 8/08); 3 months; 1 month
Assessment (Evidence): 7 months (9/08 – 4/09); assessment 2 days; Stage 1 2 days; Stage 2 10 days
Certification: 2 months, annual recurring; 6 weeks; 2 days
                Lessons Learned

• A really good and effective BC program does not necessarily
  meet the standard.
• Learn standards “speak”
     – “shall = will”
     – Do what you say you do – write it down!
• BC/DR planning software may introduce a document
  management gap
• Internal Audit is not an Internal Audit
• You cannot dance around the Maximum Tolerable Period of
  Disruption (MTOTB)
• Risk Assessment – must be part of your program
• Who needs a CAPA?
• Light on the Technology aspects of recovery planning
• Dot the i’s and cross the t’s – the devil is in the details!
Flagg Management Conference

                   Presented by
                  Karen Hughes
     Director of Homeland Security Standards

                 March 17, 2009

   ANSI-HSSP Overview
   Title IX Program
   Trajectory of ISO/PAS 22399
   Business Case for Certification

                           Flagg Management Conference
                                  March 17, 2009         Slide 20
ANSI-Homeland Security Standards Panel

   Identify and facilitate the development and enhancement of
    homeland security standards
   Serve as a private/public sector partnership for standards
    issues that cut across sectors
   Provide a forum for information sharing on homeland
    security standards issues, as well as the overall standards
    development and conformity assessment processes
   Facilitate dialogue and networking on key issues for
    homeland security stakeholders

Voluntary Private Sector Preparedness
Accreditation & Certification Program

   Goal
    Improve private sector preparedness in disaster
    management, emergency management, and business
    continuity to enhance nationwide resilience in an all hazards

   Background
    Mandated by the Implementing Recommendations of the
    9/11 Commission Act of 2007 to establish a common set of
    criteria for private sector preparedness

Voluntary Private Sector Preparedness
Accreditation & Certification Program

Key Guiding Principles
 Participation is voluntary

 Provide method to independently certify preparedness of private
  sector entities
 Administered by non-government entity (ANAB)

 DHS designation of one or more standards to be used in
  assessing private sector preparedness
 Incorporate existing regulatory requirements and existing efforts

 Certification of private sector entities will be performed by non-
  government certifying bodies

Voluntary Private Sector Preparedness
Accreditation & Certification Program

Possible Standards
 International
    ISO 22399
    ISO 22301
 National
    NFPA 1600 (USA)
    BS 25999 (UK)
    CSA Z1600 (Canada)

ISO/PAS 22399:2007
ISO/TC 223 – Societal Security
 Scope

   International standardization in the area of societal security, aimed at
   increasing crisis management and business continuity capabilities,
   amongst all interested parties.
 Structure

   WG 1 – Framework standard on societal security management
   WG 2 – Terminology
   WG 3 – Command and control, coordination and cooperation
   WG 4 – Preparedness and continuity
 Membership

   Participating countries: 37
   Observing countries: 17

ISO/PAS 22399:2007

ISO/TC 223 Work Program
 ISO/PAS 22399:2007
  Societal security - Guideline for incident preparedness and
  operational continuity management

   Next Steps:
      Development of ISO 22301 – Management system
       standard focused on preparedness and continuity
      Conversion of ISO 22399 from PAS to Draft International
       Standard as a guide to ISO 22301


   International Center for Enterprise Preparedness
   Catalyst focused on Private Sector Preparedness &
    Corporate Resilience
   Working Groups
       Supply Chain Management
       Legal Liability Mitigation
       Insurance Acknowledgement
       Rating Agency Acknowledgement
   Online Clearinghouse of information

Business Case for Certification

According to the Institute for Business & Home Safety, an
estimated 25% of businesses do not reopen following a
major disaster.

Compliance with preparedness standards can…
    Minimize the impact of business disruptions
    Reduce overall costs
    Enhance corporate reputation
    Protect employees
    Link good practice/standards (what to do) to benefits (why to do it)

Further Information
   For additional information about:
        ANSI:
        ANAB:
        InterCEP:
        PS-Prep:
        ISO:
        HSSD:

        Questions can be directed to:
             Karen Hughes
              Program Director, Homeland Security Standards
              (; 212-642-4992)
