7/10/2010 1:57 PM




 The following is a DRAFT of the R&R Committee Mission Statement provided by Peter Laz on April 26, 2007, with the editorial
 support of the committee:


 The mission of the DRJ Editorial Advisory Board's (EAB) Rules & Regulations Committee is to:

    Develop a repository of Business Continuity / Disaster Recovery regulations, statutes and standards across various
    industries and countries

    Enable access to the repository for all Business Continuity / Disaster Recovery practitioners

    Maintain the repository



 The above mission statement was reviewed and approved by the R&R Committee at our meeting on Tuesday, May
 1, 2007.




Disaster Recovery Journal, Editorial Advisory Board
Rules & Regulations Committee
7/10/2010 1:57 PM




The following content was compiled by volunteers, and is as accurate as possible.
The content is subject to change without notice. For the most timely information please go directly to the source.

Registry columns (each entry below is one row of the spreadsheet):
  Title
  Regulation / Standard
  Governing Body
  Country
  Summary
  Significant Dates, Fines, Penalties
  Category (E, A, W, I)
  Notes / Comments
  Infrastructure Category: Banking & Finance; Public Health & Healthcare; Energy (including nuclear); Transportation & Shipping; Agriculture, Food Supply & Water; Information Distribution & Communications; Government & Public Agencies; Industry
  DRJ EAB R&R Use: Date of Last Review or Confirmation

2002 ACH Rules Book
  Regulation / Standard: Regulation
  Governing Body: ACH (Federal Reserve’s Automated Clearinghouse Association)
  Country: U.S.A.
  Summary:
    · Requires 6 year file retention on all ACH transactions
    · An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions
  Significant Dates, Fines, Penalties: Non-compliant fines of not more than $10,000, or imprisonment of not more than ten years, or both
  Category (E, A, W, I): I
  Notes / Comments: http://www.fms.treas.gov/ach/interim_2003.pdf (Treasury Department decision) (order form)
  Date of Last Review or Confirmation: August 4, 2007



6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004)
  Regulation / Standard: Regulation
  Governing Body: CFR (Code of Federal Regulations)
  Country: U.S.A.
  Summary:
    · Continuity of operations for Critical Infrastructure
    · Disclosure of critical information to the government
  Category (E, A, W, I): W
  Notes / Comments: http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi
  Date of Last Review or Confirmation: August 4, 2007

ANAO Better Practice Guide: Business Continuity Management - Keeping the Wheels in Motion
  Regulation / Standard: Standard
  Governing Body: ANAO (Australian National Audit Office)
  Country: Australia, New Zealand
  Summary:
    · Presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed
    · Managers should have an ongoing focus on business continuity
  Category (E, A, W, I): W
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

ANSI/ARMA 5-2003 Vital Records Programs
  Regulation / Standard: Regulation
  Governing Body: ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators)
  Country: U.S.A.
  Summary: Sets requirements for establishing a vital records program by:
    - Identifying and protecting vital records
    - Assessing and analyzing their vulnerability
    - Determining the impact of their loss on the organization
  Category (E, A, W, I): E
  Notes / Comments: Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster.
  Date of Last Review or Confirmation: August 4, 2007

AS/NZ 4390, Records Management Standard
  Regulation / Standard: Standard
  Governing Body: Standards Association of Australia
  Country: Australia, New Zealand
  Summary: Establishes guidelines for records management
  Category (E, A, W, I): W
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

AS/NZ 4444.2:2000 Information Security Standard, includes business continuity section.
  Regulation / Standard: Standard
  Governing Body: Standards Association of Australia
  Country: Australia, New Zealand
  Summary:
    · It is intended for use by employees or managers who are implementing and maintaining information security in their organization
    · States that organizations need to undertake a risk assessment including business continuity planning
  Category (E, A, W, I): W
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

AS/NZS 4360:2004 DRAFT, Risk Management Standard; Business Continuity
  Regulation / Standard: Standard
  Governing Body: Standards Association of Australia
  Country: Australia, New Zealand
  Summary: Guidelines that assist with the development of an effective Risk Management and Business Continuity Plan
  Category (E, A, W, I): W
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007





ASIS GDL BC 10 2004 -DRAFT- Business Continuity Guideline
  Regulation / Standard: Standard
  Governing Body: ASIS International
  Country: U.S.A.
  Summary:
    · Tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or emergency) so that it can manage and survive the crisis and take appropriate actions to ensure its continued viability
    · Outlines a planning pr
  Category (E, A, W, I): W
  Notes / Comments: http://www.asisonline.org/guidelines/guidelinesbusinesscon.pdf
  Date of Last Review or Confirmation: August 4, 2007

Australia BCP
  Regulation / Standard: Regulation
  Governing Body: Australia Financial Markets Association
  Country: Australia
  Summary: Will be enforced by audit once published, but is recommended by audit at the moment. Requires BCP documentation and testing at least annually, and planning for different scenarios.
  Significant Dates, Fines, Penalties: BCP, Vital records, DR Site
  Category (E, A, W, I): E
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

Australian Commonwealth Criminal Code
  Regulation / Standard: Regulation
  Governing Body: Australian Government
  Country: Australia
  Summary: Establishes criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place.
  Category (E, A, W, I): E
  Notes / Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

Banks Act (94/1990)
  Regulation / Standard: Regulation
  Country: South Africa
  Notes / Comments: http://www.acts.co.za/Banks/Index.htm
  Date of Last Review or Confirmation: August 4, 2007


Title: Basel II: New Basel Capital Accord (April 2003)
Type: Regulation
Governing Body: Basel
Country: International
Summary: Addresses Operational Risk and defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
Category (E, A, W, I): W
Notes/Comments: http://www.federalreserve.gov/boarddocs/press/bcreg/2004/20040626/attachment.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: BS7799-2; 2002, Section 9, Business Continuity and Disaster Recovery Planning
Type: Regulation
Governing Body: BSI
Country: UK
Summary:
· Part 1 was the basis for ISO 7799
· Part 2 has not been adopted by ISO but is accepted by many other national standards
Category (E, A, W, I): W
Notes/Comments: http://www.itgovernance.co.uk/files/ISMS%20Implementation%20and%20ITG%20Tools.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Bulletin R-67
Type: Regulation
Governing Body: Federal Home Loan Bank
Country: U.S.A.
Summary: Follows intent of BC 177 which required:
- Documented, exercised and maintained recovery plans are required for all user environments and business functions
- Recovery Plans must be tested "periodically" and results documented
- Plans reviewed annually b
Category (E, A, W, I): E
Notes/Comments: Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC - Requires banking institutions to develop and maintain Business Recovery Plans. Inter-Agency Policy from Federal Financial
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity at Bank of Japan
Type: Standard
Governing Body: BOJ (Bank of Japan)
Country: Japan
Summary: Consensus - This plan assumes an approach to aim at operational continuity.
- Proper documentation
- System / people recovery
- Corporate-wide testing at least annually
- Planning for different scenarios
- No clear guideline to follow
Category (E, A, W, I): E
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Institute "Good Practices"
Type: Standard
Governing Body: BCI (Business Continuity Institute)
Country: UK
Summary:
· In alignment with DRII "Professional Practices"
· More specific
Category (E, A, W, I): W
Notes/Comments: http://www.thebci.org
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Planning Committee Best Practice Guidelines (Aug 2002)
Type: Standard
Governing Body: SIA (Securities Industry Association)
Country: U.S.A.
Summary:
· Each firm should have in place a BC (Business Continuity) program
· BC Policy Document
· Executive and corporate group responsible for overseeing BC program
· Business managers should review, implement, fund, and sign-off of BC plans
Category (E, A, W, I): W
Notes/Comments: http://www.imagingservices.com/content.pages/bestpractices.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Planning Supervisory Policy Manual - TM-G-2
Type: Regulation
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary: · Recovery. This Manual sets out the HKMA's latest supervisory policies and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices tha
Significant Dates, Fines, Penalties: This manual takes a supervisory approach where the HKMA's objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruptio
Date of Last Review or Confirmation: August 4, 2007
Title: California SB 1386 - Security of Non-Encrypted Customer Information (July 1, 2003)
Type: Regulation
Governing Body: State of California
Country: U.S.A.
Summary: Bill requires all agencies, persons or businesses that conduct business in California that own or license computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Significant Dates, Fines, Penalties: Effective July 1, 2003.
Category (E, A, W, I): E
Notes/Comments: http://www.legalarchiver.org/sb1386.htm
Date of Last Review or Confirmation: August 4, 2007
Title: CAN/CSA-Z 731-03
Type: Standard
Governing Body: CSA (Canadian Standards Association)
Country: Canada
Summary: Canada's Emergency Preparedness and Response Standards
Category (E, A, W, I): W
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: China
Type: N/A
Country: China
Summary: · There are extensive regulations and standards around Information Protection within the People's Republic of China (PRC)
Category (E, A, W, I): E
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Circular to Licensed Corporations - "Business continuity planning against serious communicable diseases"
Type: Standard
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary: The Securities and Futures Commission used the circular to remind licensed persons to take precautions against a recurrence of SARS or other serious communicable diseases. The Commission was concerned about the potential disruption to intermediaries' opera
Significant Dates, Fines, Penalties: Suggestions were given in the circular on procedures and policies to be reviewed, revised or devised to ensure business continuity or prevent material disruption to operations in the event of staff infection. 1/24/2003
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
                                                                                                                                                     Penalties
                                                                                                                                                                                                                                                                                                                                                                              Confirmation

Title: Civil Contingencies Bill (Bill 53, Feb 2004)
Regulation / Standard: Regulation
Governing Body: British Law
Country: UK
Summary:
  · Local arrangements for civil protection
  · Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that if an emergency occurs that the persons or bodies are able to continue to
Category (E, A, W, I): E
Notes / Comments: To be provided
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: COBIT - Control Objectives for Information and related Technology (4.1) (May 2007)
Regulation / Standard: Standard
Governing Body: IT Governance Institute Standards
Country: U.S.A.
Summary:
  Generally accepted information technology control objectives for information technology.
  Domains include:
    Planning and Organization
    Acquisition and Implementation
    Delivery and Support
    Monitoring and Evaluation
  Areas Reviewed for compliance
Category (E, A, W, I): E
Notes / Comments: http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: Computer Fraud and Abuse Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary:
  Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices.
  It wa
Category (E, A, W, I): E
Notes / Comments: http://www.techfirm.com/cfaa.htm
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: Consumer Credit Protection Act (CCPA) of 1992, Section 2001, Title IX - Electronic Funds Transfer
Regulation / Standard: Regulation
Country: U.S.A.
Summary:
  · The purpose of this title is to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer
Significant Dates, Fines, Penalties:
  · Takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment
  · Non-compliant fines not more than $10,000 or imprisone
Category (E, A, W, I): I
Notes / Comments: http://www.fdic.gov/regulations/laws/rules/6500-200.html
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007

Title: COSO Enterprise Risk Management Framework (September 2004)
Regulation / Standard: Standard
Governing Body: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Country: U.S.A.
Summary:
  Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
Category (E, A, W, I): E
Notes / Comments: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007

Title: CTIA Telecommunication Industry BCM standard and certification
Regulation / Standard: Standard
Governing Body: CTIA
Country: U.S.A.
Summary:
  · The CTIA (Cellular Telecommunications and Internet Association) is working on plans to offer standard business continuity guidance to the communications industry.
  · A CTIA BCM certification will be granted to organizations that display a (soon to b
Category (E, A, W, I): W
Notes / Comments: This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method.
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: DRAFT Information Security Policy as presented by the Department of Public Service and Administration
Regulation / Standard: Standard
Governing Body: Department of Public Service and Administration
Country: South Africa
Summary:
  Presents a suite of integrated solutions which, together, offer the tools necessary to integrate information security best practices.
  Based on ISO 17799 and BS 7799.
Notes / Comments: http://www.dpsa.gov.za/documents/acts&regulations/frameworks/e-commerce/POSITION%20PAPER%20ON%20INFORMATION%20SECURITY1.pdf
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007

Title: DRI International "Ten Professional Practices for Business Continuity Professionals"
Regulation / Standard: Standard
Governing Body: DRII (Disaster Recovery Institute International)
Country: International
Summary:
  Professional practice letters include developing business continuity management strategies and other contingency planning.
  Areas reviewed include:
  · Potential for data loss
  · Vital records creation, storage and retention
  · Business and IT recovery
Category (E, A, W, I): W
Notes / Comments: http://www.drii.org
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007

Title: Electronic Fund Transfer Act (EFTA)
Regulation / Standard: Regulation
Governing Body: OCC
Country: U.S.A.
Summary:
  Establishes the basic responsibilities, rights and liabilities of consumers and financial institutions who use electronic fund transfer services and of that offer these services.
  · BCP to meet "reasonable standard of care"
Category (E, A, W, I): I
Notes / Comments: http://www.ftc.gov/bcp/conline/pubs/credit/elbank.pdf ; www.occ.treas.gov/netbank/ebguide.htm
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: Fair Credit Reporting Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary:
  · Ensures credit information is accurate and up-to-date
  · Designed to promote accuracy and ensure the privacy of the information used in consumer reports
Significant Dates, Fines, Penalties:
  · Civil penalty of not more than $2,500 per violation
  · State action of damages of not more than $1,000 for each willful or negligent violation
Category (E, A, W, I): I
Notes / Comments: http://www.ftc.gov/os/statutes/fcra.htm
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: FDICIA - Federal Deposit Insurance Corporation Improvement Act of 1991
Regulation / Standard: Regulation
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Country: U.S.A.
Summary:
  Relevance ?
  Requires at the beginning of the year that all FDIC-insured depository institutions with total assets of $500 million or more certify that there is effective functioning of their internal controls systems.
Category (E, A, W, I): E
Notes / Comments: http://www.fdic.gov/regulations/laws/rules/8000-2400.html
DRJ EAB R&R Use, Date of Last Review or Confirmation: August 4, 2007
Title: Federal Acquisition Regulation; Electronic Funds Transfer Final Rule
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government
Category: E
Notes/Comments: http://www.fms.treas.gov/eft/regulations/fareft.txt
Date of Last Review or Confirmation: August 4, 2007

Title: FEMA 141: Disaster Planning Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA
Country: U.S.A.
Summary: Designed to provide guidance for business and industry officials to respond and recover from disasters.
Category: W
Notes/Comments: SEE ABOVE
Date of Last Review or Confirmation: August 4, 2007

Title: FEMA Emergency Management Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA (Federal Emergency Management Agency)
Country: U.S.A.
Summary: A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
Category: W
Notes/Comments: http://www.fema.gov/pdf/library/bizindst.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC BCP Handbook: Business Continuity Planning (May 2003) "IT Examination Handbook"
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary:
- Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business
- planning should occur for a BCP
- Business Impact Analysis and Risk assessment are encouraged as the foundation of an effective BCP
- Testing
Dates, Fines, Penalties: Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and financial market
Category: E
Notes/Comments: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC FIL 67-97/82-96
Regulation / Standard: Regulation
Governing Body: FFIEC (Federal Financial Institutions Examination Council)
Country: U.S.A.
Summary: Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus.
Areas Reviewed for Compliance: IT Specific recovery document
Category: A
Notes/Comments: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC FIL-81-2005 - Information Technology Risk Management Program (IT-RMP) for conducting IT examinations
Regulation / Standard: Standard
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Country:
Summary: Information Technology Risk Management Program (IT-RMP) for conducting IT examinations of FDIC-supervised financial institutions, and cover practices for: Risk assessment, Operations security and risk management, Audit and independent review, Disaster rec
Category:
Notes/Comments: http://www.fdic.gov/news/news/financial/2005/fil8105.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC Policy SP-5
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary: Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.
Dates, Fines, Penalties: Issued July 1989
Category: E
Notes/Comments: With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial Institutions
Date of Last Review or Confirmation: August 4, 2007

Financial Institutions
Reform, Recovery,
                         Regulation                        U.S.A.     Policy allows regulators/examiners to impose civil penalties for Tiers of penalties for
                                                                      violations or non-compliance with regulations, laws,             Individual and/or
                                                                                                                                                                       I         http://www.academon
                                                                                                                                                                                 .com/lib/essay/term-
                                                                                                                                                                                                                                                                                                                                                                       August 4, 2007

and Enforcement Act-                                                  temporary agency orders or any breach of a written               corporate after tax                       paper-11995.html
(FIRREA) of 1989;                                                     agreement between an agency and the institution.                 fines:
(P.L. 101-73 1989 HR                                                                                                                                                              (summary and
1278)                                                                                                                                    ·      Tier 1: up to                    purchase information)
                                                                                                                                         $5,000 per day

                                                                                                                                         ·      Tier 2: up to
                                                                                                                                         $25,000 per day

                                                                                                                                         ·      Tier 3: up to
                                                                                                                                         $1,000,000 per day
FISMA: Federal Information Security Management Act of 2002
  Regulation / Standard: Regulation
  Governing Body: FTC
  Country: U.S.A.
  Summary: Details requirements to
    - Assess Risk
    - Determine levels of security necessary to protect such information
    - Periodically test and evaluate information security controls and techniques
    - Develop plans and procedures to ensure continuity of operati
  Significant Category: E
  Notes/Comments: http://csrc.nist.gov/policies/FISMA-final.pdf
    ? May apply to organizations and institutions communicating with, performing work for, on behalf of a federal agency
  Date of Last Review or Confirmation: August 4, 2007
Foreign Corrupt Practices Act of 1977: (P.L. 95-213)
  Regulation / Standard: Regulation
  Country: U.S.A.
  Summary: Policy states that Directors and Officers can be held liable for "failure to enact standards of care" and should they fail to document their assessment process in determining not to develop a contingency plan.
  Dates, Fines, Penalties: Issued in 1977
    · Civil penalties can range from $5,000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
    · Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for p
  Significant Category: I
  Notes/Comments: http://www.usdoj.gov/criminal/fraud/fcpa/fcpastat.htm
  Date of Last Review or Confirmation: August 4, 2007

FRB (Federal Reserve Banks) SR 96-22
  Regulation / Standard: Regulation
  Governing Body: Board of Governors of the Federal Reserve System
  Country: U.S.A.
  Summary: Reviews and enforces the FFIEC's Interagency Supervisory Statement on Risk Management of Client/Server Systems SP-12.
    · The statement addresses concerns for security and the controls that should be associated with client/server computing for the officer in charge of each federal reserve bank, including:
    · Management should ensure that systems and operations are recoverable after an event causing disruption in service.
    · Management should determine that database
  Significant Category: E
  Notes/Comments: http://www.federalreserve.gov/boarddocs/SRLETTERS/1996/sr9622.htm
  Date of Last Review or Confirmation: August 4, 2007
GAO Supplier Requirements
  Regulation / Standard: Regulation
  Governing Body: GAO (Government Accountability Office)
  Country: U.S.A.
  Summary: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
  Significant Category: E
  Notes/Comments: Will apply to all organizations providing suppliers or services to GAO or Federal Agencies
  Date of Last Review or Confirmation: August 4, 2007
General Principles for Technology Risk Management V.1 - TM-G-1
  Regulation / Standard: Standard
  Governing Body: The Hong Kong Monetary Authority
  Country: Hong Kong
  Summary: To provide AIs with guidance on general principles which AIs are expected to consider in managing technology-related risks
  Dates, Fines, Penalties: In section 2.6, policies, procedures or service agreements between AIs and the overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities
  Date of Last Review or Confirmation: August 4, 2007

Gramm-Leach-Bliley Act of 1999, section 501 (b): (P.L. 106-102 1999 S 900)
  Regulation / Standard: Regulation
  Governing Body: Public Law
  Country: U.S.A.
  Summary: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The act includes record-retention requirements t
  Dates, Fines, Penalties: Effective July 1, 2001. Bank must report to the board annually.
  Significant Category: E
  Notes/Comments: http://banking.senate.gov/conf/confrpt.htm
  Date of Last Review or Confirmation: August 4, 2007
Guidance Note on the Use of Internet for Insurance Activities (GN8)
  Regulation / Standard: Standard
  Governing Body: Office of the Commissioner of Insurance - The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary: To better protect the insuring public and ensure the healthy development of the industry in the information technology era. The scope of this Guidance Note covers the internet insurance activities of all service providers to the extent that such activit
  Dates, Fines, Penalties: Point 11 addresses the issue of security, in which service providers are advised to take all practicable steps to ensure a number of items including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website (a), a
  Notes/Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007

Guidelines on Management of IT Environment
  Regulation / Standard: Regulation
  Governing Body: BNM - Bank Malaysia Central Bank
  Country: Malaysia
  Summary: Outlines minimum responsibilities and requirements for planning and managing, as well as establishing preventive and detective measures that should be implemented by institutions to mitigate the risks pertaining to IT environment
  Dates, Fines, Penalties: IT environment including business continuity
  Significant Category: E
  Notes/Comments: To be provided
  Date of Last Review or Confirmation: August 4, 2007
HB 221: 2003,
Business Continuity
                          Standard         Standards Association
                                           of Australia
                                                                   Australia, Sets out the principles and guidance that the Commission
                                                                      New     expects companies listed on the NZ Stock Exchange to follow
                                                                                                                                                                             W          To be provided
                                                                                                                                                                                                                                                                                                                                                                       August 4, 2007

Management                                                          Zealand for Business Continuity Management and establishing a
Handbook                                                                      Business Continuity Plan
HIPAA (Health
Insurance Portability
                          Regulation GAO                             U.S.A.   - Proposed contingency plan in effect with data backup plan,
                                                                              disaster recovery plan, emergency mode operation plan,
                                                                                                                                                                             W          http://aspe.hhs.gov/a
                                                                                                                                                                                        dmnsimp/pl104191.ht
                                                                                                                                                                                                                                                                                                                                                                      August 4, 2007

and Accountability                                                            testing and revision procedures and Applications and data                                                 m
Act) Final Security                                                           Criticality Analysis.
Rule~ #7.                                                                                                                                                                               (whole act)
Contingency Plan                                                                - Includes specific BCM points
(164.308(a)(7)(i))
                                                                             - Applies to any organizat
HKMA Supervisory
Policy Manual, BCP
                          Regulation Hong Kong Monetary
                                     Authority
                                                                   Hong Kong Enforced by onsite examinations, requires need for BCP
                                                                             documentation and testing at least annually, planning for
                                                                                                                                                  BCP organization &
                                                                                                                                                  governance structure
                                                                                                                                                                              E         To be provided
                                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

TM-G-2 V.1 02.12.02                                                          different scenarios and prolong outages.
                                                                                                                                                  Approach to business
                                                                                                                                                  continuity planning

                                                                                                                                                  Documentation

                                                                                                                                                  DR site & vendor
                                                                                                                                                  management

HKMA Supervisory
Policy Manual, General
                       Regulation Hong Kong Monetary
                                  Authority
                                                                   Hong Kong Refers to TM-G-2 on BCP on the need to provide continuous
                                                                             service.
                                                                                                                                                  Need to provide
                                                                                                                                                  alternative service
                                                                                                                                                                              E
                                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

Principles for
Technology Risk
Management
TM-G-1 V.1 24.06.03
HKMA, Supervisory
Policy Manual,
                          Regulation Hong Kong Monetary
                                     Authority
                                                                   Hong Kong Refers to TM-G-2 on BCP on the need to provide continuous
                                                                             and/or alternative services.
                                                                                                                                                  Need to provide
                                                                                                                                                  alternative service
                                                                                                                                                                              E
                                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

Supervision of E-
Banking
TM-E-1 V.1 17.02.04

Homeland Security
Strategy for Critical
                          Standard   FSSCC (Financial
                                     Services Sector
                                                                     U.S.A.     Ensuring the resiliency of the nation to minimize the damage
                                                                                and expedite the recovery from attacks that do occur.
                                                                                                                                                                             W          http://www.sifma.org
                                                                                                                                                                                        /services/business_
                                                                                                                                                                                                                                                                                                                                                                      August 4, 2007

Infrastructure                       Coordinating Council                                                                                                                               continuity/pdf/Nation
Protection in Financial              for Critical                                                                                                                                       alStrategy.pdf
Services Sector (May                 Infrastructure
2004)                                Protection)
IDA By-law 17.19 -
Business Continuity
                          Regulation OSC (Ontario
                                     Securities
                                                                    Canada      The purpose of the
                                                                                proposed by-law is to require each IDA member to
                                                                                                                                                                              E         http://www.osc.gov.
                                                                                                                                                                                        on.ca/MarketRegula
                                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

Plan                                 Commission)                                establish and maintain a business continuity plan, such that                                            tion/SRO/ida/rr/srr-
Requirement                                                                     the member can stay in business in the event of a                                                       ida_20050107_not-
                                                                                significant business disruption and can meet obligations to                                             pro-bylaw-17-19.pdf
                                                                                its customers and other capital markets counterparts.




| Title | Regulation / Standard | Governing Body | Country | Summary | Significant Dates, Fines, Penalties | Category (E, A, W, I) | Notes / Comments | DRJ EAB R&R Use: Date of Last Review or Confirmation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| India BCP | Regulation | 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE) | India | Enforced by audit; requires BCP documentation and testing at least annually. | BCP, DR Site | E | http://www.continuitycentral.com/news02721.htm ; http://www.expresscomputeronline.com/20030519/indnews3.shtml | August 4, 2007 |
| Indonesia BCP | Regulation | Bank Indonesia (Central Bank) | Indonesia | Requires BCP documentation and testing at least annually, with focus on the Bank Indonesia RTGS system. Requires Internal Audit to conduct an audit at least annually and provide a report to Bank Indonesia. | BCP RTGS, DR Site | E | | August 4, 2007 |
| Information Technology Control Guidelines | Standard | Canadian Institute of Chartered Accountants | Canada | Crisis Management for Directors | | E | http://www.cica.ca/multimedia/Download_Library/Standards/CoCo/cris-eng-txt.pdf | August 4, 2007 |
| Interagency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007) | Regulation | FRB (Federal Reserve Bank); OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission) | U.S.A. | During discussions about the lessons learned from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole: (1) rapid recovery and timely resumption of critical operations following a wide-scale disruption; (2) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (3) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. | For Market Utilities and Core Clearing and Settlement Agencies, the goal to meet the objectives is end of 2004. For Significant Role Firms, the goal is no later than 2006. | E | http://www.sec.gov/news/studies/34-47638.htm | August 4, 2007 |
| IRS Procedure 91-59 (Superseded IRS Procedure 86-19) | Regulation | IRS (Internal Revenue Service) | U.S.A. | · Legal requirements for computer records containing tax information. · Requires off-site protection and documentation of computer records maintaining tax information. | | I | IRS Ruling 98-25 supersedes this: http://www.uiowa.edu/~fusrmp/irsruling98-25.html | August 4, 2007 |
| ISO 9000 | Standard | ISO | International | ISO 9000:2000, Quality management systems - Fundamentals and vocabulary. Covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards. Purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans. | | W | http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp ; http://en.wikipedia.org/wiki/ISO_9000 | August 4, 2007 |

                                                                                                                                                                              (E, A, W, I)




                                                                                                                                                                                                                                                            Transportation &




                                                                                                                                                                                                                                                                                                                                                             Public Agencies
                            Regulation /

                                                                                                                                                                                                                                                                                                                                                                                 DRJ EAB R&R Use:




                                                                                                                                                                                                                                                                                                               Supply & Water
                                                                                                                                                                                                                                          Public Health &




                                                                                                                                                                                                                                                                                                                                                             Government &
                                                                                                                                                                               Category
                                                                        Country
                                                                                                                                                         Significant
                             Standard




                                                                                                                                                                                                                                            Healthcare


                                                                                                                                                                                                                                                               Shipping


                                                                                                                                                                                                                                                                                   nuclear)

                                                                                                                                                                                                                                                                                                   Industry
                                                                                                                                                                                                  Notes
        Title                              Governing Body                                                      Summary                                  Dates, Fines,
                                                                                                                                                                                                /Comments                                                                                                                                                                      Date of Last Review or
                                                                                                                                                          Penalties
                                                                                                                                                                                                                                                                                                                                                                                   Confirmation

ISO 9001
  Regulation / Standard: Standard
  Governing Body: ISO
  Country: International
  Summary: ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
  Category (E, A, W, I): W
  Notes / Comments: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp; http://en.wikipedia.org/wiki/ISO_9000
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007

ISO 9002, Quality assurance standard
  Regulation / Standard: Standard
  Governing Body: ISO
  Country: International
  Summary: Addresses risk management and continuity planning issues for compliance.
  Category (E, A, W, I): W
  Notes / Comments: http://en.wikipedia.org/wiki/ISO_9002
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007

ISO 9004 Quality management systems - Guidelines for performance improvement
  Regulation / Standard: Standard
  Governing Body: ISO
  Country: International
  Summary: ISO 9004:2000 Quality management systems - Guidelines for performance improvements. Covers continual improvement. This gives you advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.
  Category (E, A, W, I): W
  Notes / Comments: http://en.wikipedia.org/wiki/ISO_9004
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007

ISO/IEC 17799:2000
  Regulation / Standard: Standard
  Governing Body: ISO (International Organization for Standardization)
  Country: International
  Summary: Focuses on
    · Business continuity management process
    · Writing and implementing continuity plans
    · Business continuity planning framework
    · Business continuity and impact analysis
    · Testing and maintaining BCPs
    Areas reviewed include:
  Category (E, A, W, I): W
  Notes / Comments: http://en.wikipedia.org/wiki/ISO_17799
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007

IT Security Guidelines - G3
  Regulation / Standard: Standard
  Governing Body: Information Technology Services Department - The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary: Introduces general concepts relating to Information Technology Security and elaborates interpretations on the Baseline IT Security Policy. It also provides readers some guidelines and considerations in defining security requirements.
  Significant Dates, Fines, Penalties: In this document, government bureau and departments are suggested to consider implementing a BCP as part of business planning. 4/1/2003
  Notes / Comments: http://www.ogcio.gov.hk/eng/prodev/esecpol.htm
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007

ITIL - IT Infrastructure Library
  Regulation / Standard: Standard
  Governing Body: ITIL (IT Infrastructure Library)
  Country: U.S.A.
  Summary:
    · Global standard in the area of service management. Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services. Covers areas dealing with:
    · Potential for data loss
    · Vital records cre
  Category (E, A, W, I): W
  Notes / Comments: http://www.ogc.gov.uk/index.asp?id=2261 (official webpage); http://en.wikipedia.org/wiki/ITIL
  DRJ EAB R&R Use: Date of Last Review or Confirmation: August 4, 2007
JCAHO Accreditation
Manual for Hospitals
                                                                  U.S.A.     Guidelines for information management established by JCAHO
                                                                             Standard Label: IM.1.20 - The [organization] plans for the
                                                                                                                                                                        E         http://www.jointcom
                                                                                                                                                                                  mission.org/NR/rdon
                                                                                                                                                                                                                                                                                                                                                                         August 4, 2007

(1997)                                                                       continuity of its information management processes.                                                  lyres/E2B871E6-
                                                                                                                                                                                  E315-4B1D-A7FD-
                                                                                                                                                                                  5C5E655C8605/0/sii
                                                                                                                                                                                  _ahc_im_proposed_
                                                                                                                                                                                  revisions.pdf

King I Report - 1994
King II Report - 2002
                          Standard         King Committee on
                                           Corporate Governance
                                                                  South
                                                                  Africa
                                                                             This is a standard for good corporate governance which most
                                                                             companies in South Africa make reference to in their AFS and
                                                                                                                                                                       W          (Industry) Available to
                                                                                                                                                                                  order from the
                                                                                                                                                                                                                                                                                                                                                                   August 4, 2007

                                                                             try to adhere to.                                                                                    Institute of Directors
                                                                                                                                                                                  (IoD):
                                                                                                                                                                                  http://www.iodsa.co.z
                                                                                                                                                                                  a/king.asp
Korea BCP
  Regulation / Standard: Regulation
  Governing Body: Foreign Financial Supervisory
  Country: Korea
  Summary: Recovery of core business (Bank, Securities, Futures) within 3 hours. Need for proper capacity planning. Appropriate access control to DR system. Regular and ad-hoc test requirement.
  Notes / Comments: BCP, DR Site
  Category: E
  Source: http://www.fsc.go.kr/eng/id/ck4.asp
  Date of Last Review or Confirmation: August 4, 2007

Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc. Mar 2006
  Country: Canada
  Category: E
  Date of Last Review or Confirmation: August 4, 2007

Major Hazard Installation Regulations, 1993
  Regulation / Standard: Regulation
  Governing Body: Occupational Health & Safety
  Country: South Africa
  Summary: Talks about emergency plans: "emergency plan" means a plan in writing which, on the basis of identified potential incidents at the installation, together with their consequences, describes how such incidents and their consequences should be dealt with on-
  Notes / Comments: Subject to the provisions of subregulation (3) these regulations shall apply to employers, self-employed persons and users, who have on their premises, either permanently or temp
  Source: http://www.labour.gov.za/useful_docs/doc_display.jsp?id=10091
  Date of Last Review or Confirmation: August 4, 2007
Management, Supervision and Internal Control Guidelines ("The Internal Control Guidelines")
  Regulation / Standard: Standard
  Governing Body: Securities and Futures Commission of Hong Kong
  Country: Hong Kong
  Summary: "A licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arisin
  Notes / Comments: In section 36 under operational risk: An effective business continuity plan appropriate to the size of the firm is implemented to ensure that the firm is protected from the risk of interruption to its business continuity. Key processes in this area includ
  Source: Copies of the Guidelines are available at the SFC. They can also be found on the SFC's website at http://www.hksfc.org.hk.
  Date of Last Review or Confirmation: August 4, 2007

Manila Bank BCP
  Regulation / Standard: Regulation
  Governing Body: Bank of Central Philippines (local central bank)
  Country: Philippines
  Summary: Enforced by audit; requires all banks to set up a disaster recovery facility.
  Notes / Comments: DR Site
  Category: E
  Date of Last Review or Confirmation: August 4, 2007

Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA
  Regulation / Standard: Regulation
  Governing Body: FISC (The Center for Financial Industry Information System)
  Country: Japan
  Summary: Audit matter. Appointment of BCP manager. Implementation of policy & standard. Proper documentation. Regular review of plan. Corporate-wide testing at least annually. Planning for different scenarios.
  Notes / Comments: BCP development (DR site/vital records, etc)
  Category: E
  Date of Last Review or Confirmation: August 4, 2007

MAS Business Continuity Management Guidelines (June 2003)
  Regulation / Standard: Regulation
  Governing Body: MAS (Monetary Authority of Singapore)
  Country: Singapore
  Summary: 7 Guiding Principles on Senior Management responsibilities for BCM; embedding BCM into Business-as-usual activities, incorporating sound practices; testing BCP regularly, completely and meaningfully; developing recovery strategies and setting RTO for crit
  Notes / Comments: International
  Category: E
  Date of Last Review or Confirmation: August 4, 2007

MAS Consultation Paper On Business Continuity Planning (BCP) Guidelines (10-Jan-03)
  Regulation / Standard: Regulation
  Governing Body: MAS (Monetary Authority of Singapore)
  Country: Singapore
  Summary:
    · Guidelines encourage adoption of BCP Practices by financial institutions in Singapore.
    · Guidelines help financial institutions to prepare and be aware by establishing a comprehensive Business Continuity Plan.
  Category: E
  Date of Last Review or Confirmation: August 4, 2007

MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004)
  Regulation / Standard: Standard
  Governing Body: MAS (Monetary Authority of Singapore)
  Country: Singapore
  Summary: Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality and ef
  Significant Dates, Fines, Penalties: International. Issued October 2007. Updated July 1 2005.
  Category: E
  Source: http://www.mas.gov.sg/legislation_guidelines/risk_mgt/Guidelines_on_Risk_Management_Practices.html
  Date of Last Review or Confirmation: August 4, 2007
Ministry for Provincial & Local Government Disaster Management Act, 2002
  Regulation / Standard: Regulation
  Country: South Africa
  Summary: Proposed national disaster management framework. Provides for:
    · An integrated and coordinated disaster management policy that focuses on preventing and reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid
  Notes / Comments: To be provided
  Source: http://disaster.co.za/docs/DisasterManagementAct572002.doc
  Date of Last Review or Confirmation: August 4, 2007

NASD Rule 108 (Sept 9, 02) and SR-NASD-2002-112 (March 10, 03) (Release No. 34-48503; File No. SR-NASD-2002-108)
  Regulation / Standard: Regulation
  Governing Body: NASD (North American Securities Dealers Association)/SEC
  Country: U.S.A.
  Summary:
    · Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.
    · Must update its plan in the event of any material change to the member's operations, structur
  Category: E
  Source: http://www.sec.gov/rules/sro/nasd2002108/nasd2002108typea.htm
  Date of Last Review or Confirmation: August 4, 2007

NASD Rule 3500: Emergency Preparedness Part
  Regulation / Standard: Regulation
  Governing Body: NASD
  Country: U.S.A.
  Category: E
  Source: http://www.nasd.com/web/groups/rules_regs/documents/notice_t
  Date of Last Review or Confirmation: August 4, 2007
  Summary: Requires a Business Continuity Plan addressing:
    · Alternate communications between customers, firm and
3510: Business                                                          employees                                                                                            o_members/nasdw_00
continuity Plans                                                                                                                                                             3095.pdf
                                                                        · Business constituent, bank and counter party impact

                                                                        · Regulatory Reporting

                                                                        · Mission Critical Systems

                                                                        · Operational and Finan members to provide NASD with
NASD Rule 3500:
Emergency
                          Regulation NASD                    U.S.A.     Rule 3520 requires NASD
                                                                        emergency contact information and to update any
                                                                                                                                                                   E         http://www.nasd.com/
                                                                                                                                                                             web/groups/rules_reg
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

Preparedness Part                                                       information upon the occurrence of a material change. The                                            s/documents/notice_t
3520: Emergency                                                         Rule requires members to designate two emergency contact                                             o_members/nasdw_00
Contact Information                                                     persons that NASD may contact in the e                                                               3095.pdf

                                                                                                                                                                             (notice to members)


NFA Compliance Rule
2-38: Business
                       Regulation CFTC (Commodity
                                  Futures Trading
                                                             U.S.A.     Requires all National Futures Association members to
                                                                        establish and maintain a written business continuity and
                                                                                                                                                                   E         http://www.nfa.future
                                                                                                                                                                             s.org/printerFriendly.a
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

Continuity and                    Commission)                           disaster recovery plan that outlines procedures to be followed                                       sp?tag=2-38
Disaster Recovery Plan                                                  in the event of an emergency or significant disruption.

NFPA 111:Standard on
Stored Electrical
                          Standard         NFPA              U.S.A.     Guideline of a step-by-step approach to emergency planning,
                                                                        response and recovery for companies.
                                                                                                                                                                  W          http://www.nfpa.org/a
                                                                                                                                                                             boutthecodes/AboutTh
                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

Energy Emergency                                                                                                                                                             eCodes.asp?DocNum=
and Standby Power                                                                                                                                                            111
Systems
                                                                                                                                                                             (ordering information)

                                                                                                                                                                             http://www.nfpa.org/a
                                                                                                                                                                             ssets/files/PDF/111-05-
                                                                                                                                                                             ROPDraft.pdf

                                                                                                                                                                             (report on proposals)





NFPA 232: Standard on Protection of Records
  Regulation / Standard: Standard
  Governing Body: NFPA
  Country: U.S.A.
  Summary: Standards for protection of business records, archives and records centers.
  Category (E, A, W, I): W
  Notes/Comments: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232 (ordering information)
  Date of Last Review or Confirmation: August 4, 2007

NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
  Regulation / Standard: Standard
  Governing Body: NFPA (National Fire Protection Association)
  Country: U.S.A.
  Summary: Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
  Category (E, A, W, I): W
  Notes/Comments: http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
  Date of Last Review or Confirmation: August 4, 2007

NIST SP 800-34 Contingency Planning Guide
  Regulation / Standard: Standard
  Governing Body: NIST (National Institute of Standards and Technology)
  Country: U.S.A.
  Summary:
    · Details the fundamental planning principles necessary for developing an effective contingency capability.
    · Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
  Category (E, A, W, I): E
  Notes/Comments: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
  Date of Last Review or Confirmation: August 4, 2007

NYSE Rule 446: Business Continuity and Contingency Planning
  Regulation / Standard: Regulation
  Governing Body: NYSE (New York Stock Exchange)
  Country: U.S.A.
  Summary:
    · Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption.
    · Yearly review must be conducted of the business conti
  Significant Dates, Fines, Penalties: Possible image and reputation impacts for not complying with stock market regulations including, in extreme cases, potential de-listing.
  Category (E, A, W, I): E
  Notes/Comments: http://rules.nyse.com/NYSETools/ExchangeViewer.asp?selectednode=chp%5F1%5F5%5F11%5F4&manual=%2Fnyse%2Fnyse%5Frules%2Fnyse%2Drules%2F
  Date of Last Review or Confirmation: August 4, 2007

OCC 2001-47: Third-Party Relationships (November 1, 2001)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: Provides guidance to national banks on managing risks resulting from business relationships with third parties. It explains that third-party contracts should provide for:
    · Continuation of the business function in the event of problems with the third
  Category (E, A, W, I): E
  Notes/Comments: http://www.occ.treas.gov/ftp/bulletin/2001-47.txt
  Date of Last Review or Confirmation: August 4, 2007

OCC 2003-18: FFIEC (March 2003)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: Information Technology Examination Handbook - Business Continuity Planning and Supervision of Technology Service Providers Booklets. The BCP Booklet describes the process for managing business continuity based on risk as the following:
    · Business impact
  Category (E, A, W, I): E
  Notes/Comments: http://www.occ.treas.gov/ftp/bulletin/2003-18.doc
  Date of Last Review or Confirmation: August 4, 2007

OCC 97-23: Corporate Business Resumption and Contingency Planning (May 16, 1997)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: [NOTE: Rescinded; see OCC 2003-18]
  Category (E, A, W, I): E
  Notes/Comments: RESCINDED by OCC 2003-18
  Date of Last Review or Confirmation: August 4, 2007

OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary:
    · Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingen
    · Exp
  Category (E, A, W, I): E
  Notes/Comments: http://www.occ.treas.gov/ftp/bulletin/99-9.txt
  Date of Last Review or Confirmation: August 4, 2007




                          Standard




                                                                                                                                                                                                                                     Healthcare


                                                                                                                                                                                                                                                        Shipping


                                                                                                                                                                                                                                                                            nuclear)

                                                                                                                                                                                                                                                                                            Industry
                                                                                                                                                                                           Notes
        Title                           Governing Body                                              Summary                                    Dates, Fines,
                                                                                                                                                                                         /Comments                                                                                                                                                                      Date of Last Review or
                                                                                                                                                 Penalties
                                                                                                                                                                                                                                                                                                                                                                            Confirmation

OSHA - Occupational Safety and Health Administration
  Regulation / Standard: Regulation
  Governing Body: OSHA (Occupational Safety and Health Administration)
  Country: U.S.A.
  Summary:
    · Disaster preparedness
    · OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
    · For businesses with 10 or less a written plan is not mandated but recommended.
  Category: I
  Notes / Comments: http://www.osha.gov/
  Date of Last Review or Confirmation: August 4, 2007
Personal Data (Privacy) Ordinance
  Regulation / Standard: Standard
  Governing Body: Office of the Privacy Commissioner for Personal Data - The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data to Hong Kong from restrict
  Significant Dates, Fines, Penalties: Based on the Data Protection Principles published, the relevant principles to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to persona
  Notes / Comments: http://www.pco.org.hk/english/ordinance/ordglance.html
  Date of Last Review or Confirmation: August 4, 2007

Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002)
  Regulation / Standard: Standard
  Governing Body: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
  Country: U.S.A.
  Summary: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis preparation, prevention, and continuous improvement.
  Category: W
  Notes / Comments: http://www.businessroundtable.org/pdf/722.pdf
  Date of Last Review or Confirmation: August 4, 2007
Privacy Act of 1974 (SUSC552a)
  Regulation / Standard: Regulation
  Country: U.S.A.
  Summary: Requires management to safeguard and to keep the information accurate and current to protect the individual.
  Category: I
  Notes / Comments: http://www.usdoj.gov/foia/privstat.htm
  Date of Last Review or Confirmation: August 4, 2007
Prudent Man Concept
  Regulation / Standard: Regulation
  Governing Body: Common Law; Negligence Liability
  Country: International
  Summary:
    · As per the Uniform Commercial Code, legal standard used to determine whether appropriate action was taken in a particular situation.
    · Directors, senior management, officers and agents, when working for an organization, are considered to be in a posi
  Category: I
  Notes / Comments: Uniform Commercial Code; http://www.dodson-edgars.com/services.htm
    Any company, regardless of its industry, is expected to exercise due-care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners. Due-care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due-care is seen in the same light by State and Federal Courts.
  Date of Last Review or Confirmation: August 4, 2007

Public Finance Management Act, 1999 - DRAFT Treasury Relations
  Regulation / Standard: Regulation
  Country: South Africa
  Summary: Unable to find anything specific to BC or DR… "availability of financial information" was included…
  Notes / Comments: http://www.acts.co.za/public_fin_man/index.htm
  Date of Last Review or Confirmation: August 4, 2007

Publicly Available Specification (PAS) 56 - Guide to Business Continuity Management
  Regulation / Standard: Standard
  Governing Body: BSI (British Standards Institute)
  Country: UK
  Summary:
    · Describes establishment of a BCM practice and provides recommendations.
    · Provides BCM framework for anticipation and response to incidents.
    PAS56 is intended for the person responsible for managing and applying business continuity within the or
  Category: E
  Notes / Comments: http://www.pas56.com/
  Date of Last Review or Confirmation: August 4, 2007
                                                                                                                                                  Penalties
                                                                                                                                                                                                                                                                                                                                                                              Confirmation

Title: Risk Management Standard, AIRMIC, ALARM, IRM; 2002
Regulation / Standard: Standard
Governing Body: AIRMIC (Association of Insurance and Risk Managers); ALARM (National Forum for Risk Management in the Public Sector)
Country: UK
Summary: Establishes guidelines for Risk Management including:
  · Risk Assessment
  · Risk Reporting
  · Risk Treatment
  9.4 The role of the Risk Management function should include the following:
  · (bullet 8) developing risk response processes, including contin
DRJ EAB R&R Use: W
Notes / Comments: http://www.airmic.com/
Date of Last Review or Confirmation: August 4, 2007

Title: SAMOS and CLS Business Continuity Procedures - SA Reserve Bank
Regulation / Standard: Standard
Governing Body: South African Reserve Bank, National Payment System Department
Country: South Africa
Summary: Business Continuity Procedures for SA Reserve Bank and Participants
DRJ EAB R&R Use: E
Notes / Comments: www.reservebank.co.za/internet/Publication.nsf/LADV/8B8A38FD0C1E5F5042256FCE00308106/$File/CLSBCP_SARB.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) - SECTION 404
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
  · Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls
  · Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
  · Vital records creation,
Significant Dates, Fines, Penalties: Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
DRJ EAB R&R Use: E
Notes / Comments: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Sarbanes-Oxley Act of 2002: SECTION 409
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
  · Issuers must disclose information on material changes in financial condition on a regular basis
  Areas assessed include:
  · Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
  · Vital records creation
Significant Dates, Fines, Penalties: · If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion.
DRJ EAB R&R Use: E
Notes / Comments: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007




                                                                                                                                              Page 19 of 24

Title: Statement on Auditing Standards (SAS) 70 audit reports
Regulation / Standard: Standard
Governing Body: American Institute of Certified Public Accountants (AICPA).
Country: U.S.A.
Summary: SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.
  Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
Significant Dates, Fines, Penalties: Effective 1993
Notes / Comments: http://www.sas70.com/
Date of Last Review or Confirmation: August 4, 2007

Title: SEC 38-a : Investment Company Act of 1940
Governing Body: SEC
Country: U.S.A.
DRJ EAB R&R Use: E
Notes / Comments: http://www.law.uc.edu/CCL/InvCoAct/sec38.html
Date of Last Review or Confirmation: August 4, 2007

Title: SEC Act of 1934: (15 U.S.C.A 78A) Rule 17a-4
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.
DRJ EAB R&R Use: E
Notes / Comments: http://www.sec.gov/about/laws/sea34.pdf ; http://www.sec.gov/about/laws.shtml#secexact1934 (summary information)
Date of Last Review or Confirmation: August 4, 2007

Title: Securities and Exchange Act, Sections 32(a) and (b)
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary:
  · Policy addresses criminal liability of Directors and Officers for failure to: protect computerized information; document the process used to assess risks of information loss; exercise "duty of care"
  · Burden of proof lies with the Directors and Officers
Significant Dates, Fines, Penalties: Potential fines imposed include personal fines up to $10,000 and corporate fines up to $1,000,000.
DRJ EAB R&R Use: E
Notes / Comments: http://www.law.uc.edu/CCL/34Act/sec32.html
Date of Last Review or Confirmation: August 4, 2007




                                                                                                                                               Page 20 of 24

                                                                                                                                                                                                                                                                                    Industry
                                                                                                                                                                                   Notes
        Title                            Governing Body                                           Summary                                 Dates, Fines,
                                                                                                                                                                                 /Comments                                                                                                                                                                      Date of Last Review or
                                                                                                                                            Penalties
                                                                                                                                                                                                                                                                                                                                                                    Confirmation

Title: Supervision of Technology Service Providers Booklets (May 2003)
Regulation / Standard: Standard
Governing Body: FFIEC
Country: U.S.A.
Summary: BUSINESS CONTINUITY PLANNING, SUPERVISION OF TECHNOLOGY SERVICE PROVIDER GUIDANCE RELEASED BY FEDERAL FINANCIAL REGULATORS. The Business Continuity Planning Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Examiners should focus on:
  · Management of Technology - the planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or technology service providers.
  · Int
Category (E, A, W, I): W
Notes / Comments: http://www.ffiec.gov/press/pr052003.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Telecommunications Act of 1996
Regulation / Standard: Regulation
Governing Body: FCC - Federal Communications Commission
Country: U.S.A.
Summary: The act was intended to promote competition in the telecommunications industry. Section 256 gives the FCC the right to oversee that telecommunications networks “seamlessly and transparently transmit and receive information between and across telecommunications networks.” The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
Notes / Comments: www.fcc.gov/telecom.html
Date of Last Review or Confirmation: August 4, 2007



Title: Terrorism - Real Threats, Real Costs, Joint Solutions (June 2003)
Regulation / Standard: Standard
Governing Body: Business Roundtable
Country: U.S.A.
Summary: The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat. It then recommends various tools and procedures for government to use when regulating and outlines the difficulty of allocating the costs of security.
Category (E, A, W, I): W
Notes / Comments: http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
Date of Last Review or Confirmation: August 4, 2007





Title: Thailand BCP
Regulation / Standard: Regulation
Governing Body: Governing Body will be Bank of Thailand / Securities and Exchange Commission, Thailand.
Country: Thailand
Significant Dates, Fines, Penalties: BCP, Vital records, DR Site
Category (E, A, W, I): E
Notes / Comments: Unofficial Translation by the courtesy of The Foreign Banks' Association. This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version: www.bot.or.th/fipcs/Documents/FPG/2550/EngPDF/25500011.pdf
Date of Last Review or Confirmation: August 4, 2007




Title: The Promotion of Access to Information Act (#2 of 2000)
Regulation / Standard: Regulation
Governing Body: Parliament of the Republic of South Africa
Country: South Africa
Summary: ACT - To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected ther
Notes / Comments: www.info.gov.za/gazette/acts/2000/a2-00.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Turnbull Report (September 1999)
Regulation / Standard: Regulation
Governing Body: Institute of Chartered Accountants in England and Wales
Country: UK
Summary: Internal Control - Guidance for Directors on the Combined Code
  · States that anyone listed on the London Stock Exchange must have BCP
  · Requires companies to report whether the board has reviewed the system of “internal
Significant Dates, Fines, Penalties: Those companies found in violation could be de-listed from the London Stock Exchange.
Category (E, A, W, I): E
Notes / Comments: www.icaew.co.uk/index.cfm?route=120907
Date of Last Review or Confirmation: August 4, 2007

Title: USA Patriot Act of 2001 (P.L. 107-56, 2001 HR 3162)
Regulation / Standard: Regulation
Governing Body: DHS
Country: U.S.A.
Summary: The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
Significant Dates, Fines, Penalties:
  · Within 6 months after the date of enactment of this act, the secretary and other appropriate government agencies shall submit a report to Congress.
  · Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts.
Category (E, A, W, I): E
Notes / Comments: http://www.epic.org/privacy/terrorism/hr3162.html
Date of Last Review or Confirmation: August 4, 2007




                                                                                                                                                                                    Notes
        Title                            Governing Body                                           Summary                                Dates, Fines,
                                                                                                                                                                                  /Comments                                                                                                                                                                     Date of Last Review or
                                                                                                                                           Penalties
                                                                                                                                                                                                                                                                                                                                                                    Confirmation

Various OCC
Comptroller's
                         Standard        Office of the
                                         Comptroller
                                                              U.S.A.      The OCC Comptroller Handbooks are issued to provide
                                                                          guidance for examiners. Several of these handbooks discuss
                                                                                                                                                                               www.occ.treas.gov/
                                                                                                                                                                               handbook/S&S.htm
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

Handbooks                                                                 business continuity planning and provide guidance for
                                                                          examiners. Listed below are some of the OCC handbooks that
                                                                          discuss BCP:

                                                                          * Asset Management
                                                                          * Asset Securitization
                                                                          * Community Bank Fiduciary Activities Supervision
                                                                          * Community Bank Supervision
                                                                          * Custody Services
                                                                          * Emerging Market Country Products and Trading Activities
                                                                          * Federal Branches and Agencies Supervision
                                                                          * Insurance Activities
                                                                          * Internal and External Audits
                                                                          * Internal Controls
                                                                          * Internet Banking
                                                                          * Investment Management Services
                                                                          * Large Bank Supervision
                                                                          * Liquidity
                                                                          * Merchant Processing
                                                                          * Risk Management of Financial Derivatives
VISA CISP (Cardholder
Information Security
                         Standard        VISA, endorsed by
                                         AMEX, Diners,
                                                              U.S.A.      Required compliance standards for major credit card
                                                                          companies for regular security assessments and reporting.
                                                                                                                                       Failure to comply can
                                                                                                                                       result in:
                                                                                                                                                                     E         http://www.usa.visa.
                                                                                                                                                                               com/merchants/risk
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

Program)                                 Discover, JCB                                                                                                                         _management/cisp_
                                                                                                                                       · Fines of $50,000 for                  overview.html?it=l2|/
                                                                                                                                       first violation,                        merchants/risk_man
                                                                                                                                       $100,000 for the                        agement/cisp.html|
                                                                                                                                       second violation.                       Overview#anchor_2
                                                                                                                                       · Restrictions on
                                                                                                                                       merchant

                                                                                                                                       · Permanent
                                                                                                                                       prohibition of
                                                                                                                                       participation in Visa


Enforced (E) Most frequently enforced for compliance purposes
Ambiguous (A) Further clarification regarding strong ties with Business Continuity needs to happen
Watch List (W) Participating members should be looking for the presence of this item within the coming months/years
Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization








                                                                                                                                                   Homework Assigned by Rows


   Acronym                    Country       Definition


   BSE                          India      Bombay Stock Exchange
   DHS                         U.S.A.      Department of Homeland Security (USA)
   FRB                         U.S.A.      Federal Reserve Bank
   FSSCC                       U.S.A.      Financial Services Sector Coordinating Council for Critical Infrastructure Protection
   NSE                          India      National Stock Exchange
   OCC                         U.S.A.      Office of the Comptroller of the Currency
   RBI                          India      Reserve Bank of India
   SEBI                         India      Securities & Exchange Board of India
   SEC                         U.S.A.      Securities and Exchange Commission




