R&R Mission Statement

Shared by: JR Smith. Posted: 4/7/2009. Language: English.
4/7/2009 2:47 PM The following is a DRAFT of the R&R Committee Mission Statement provided by Peter Laz on April 26, 2007, with the editorial support of the committee: The mission of the DRJ Editorial Advisory Board's (EAB) Rules & Regulations Committee is to: Develop a repository of Business Continuity / Disaster Recovery regulations, statues and standards across various industries and countries Enable access to the repository for all Business Continuity / Disaster Recovery practitioners Maintain the repository The above mission statement was reviewed and approved during the R&R Committee during our meeting on Tuesday, May 1, 2007. aff8479a-ed27-4d5c-94f4-9cd815763018.xls R&R Mission Statement Page 1 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments 2002 ACH Rules Book Regulation ACH (Federal Reserve’s Automated Clearinghouse Association) U.S.A. Requires 6 year file retention on all ACH transactionsx Non-compliant fines not more than · An ACH transaction is a batch-processed, value-dated $10,000 or imprisoned electronic funds transfer between originating and receiving not more than ten financial institutions years, or both · I http://www.fms.treas. gov/ach/interim_2003. 
pdf (Treasury Department decision) (order form)  6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004) ANAO Better Practice Guide: Business Continuity Management- Keeping the Wheels in Motion ANSI/ARMA 5-2003 Vital Records Programs Regulation CFR (Code of Federal Regulations) U.S.A. · Continuity of operations for Critical Infrastructure W http://frwebgate.acces s.gpo.gov/cgi-bin/getcfr.cgi        Industry  August 4, 2007 · Disclosure of critical information to the government Standard ANAO (Australian National Audit Office) Australia, · Presents a structured approach to business continuity New management. The approach involves identifying preventative Zealand treatments for continuity risks that can be routinely managed · Managers should have an ongoing focus on business continuity Regulation ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators) U.S.A. Sets requirements for establishing a vital records program by: - Identifying and protecting vital records - Assessing and analyzing their vulnerability - Determining the impact of their loss on the organization E Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster. To be provided W To be provided         August 4, 2007         August 4, 2007 AS/NZ 4390, Records Management Standard AS/NZ 4444.2: 2000 Information Security Standard, includes business continuity section. 
AS/NZS 4360;2004 DRAFT, Risk Management Standard; Business Continuity Standard Standards Association of Australia Standards Association of Australia Australia, Establishes guidelines for records management New Zealand Australia, · It is intended for use by employees or managers who are New implementing and maintaining information security in their Zealand organization · States that organizations need to undertake a risk assessment including business continuity planning Australia, Guidelines that assist with the development of an effective New Risk Management and Business Continuity Plan Zealand W                 August 4, 2007 Standard W To be provided August 4, 2007 Standard Standards Association of Australia W To be provided        August 4, 2007 Page 2 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments ASIS GDL BC 10 2004) -DRAFT- Business Continuity Guideline Standard ASIS International U.S.A. · Tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or emergency) so that it can manage and survive the crisis and take appropriate actions to ensure its continued viability · Outlines a planning pr W http://www.asisonline. 
org/guidelines/guideli nesbusinesscon.pdf        Industry  Australia BCP Regulation Australia Financial Markets Association Regulation Australian Government Regs Regulation Basel Australia Australian Commonwealth Criminal Code Banks Act (94/1990) Basel II: New Basel Capital Accord (April 2003) BS7799-2; 2002, Section 9, Business Continuity and Disaster Recovery Planning Bulletin R-67 Australia South Africa Will be enforced by audit (once published) but recommended BCP, Vital records, DR by audit at the moment. Requires need for BCP Site documentation and testing at least annually, planning for different scenarios. Establishing criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place. E To be provided                    August 4, 2007 E To be provided http://www.acts.co.za /Banks/Index.htm August 4, 2007 August 4, 2007 August 4, 2007 Internation Addresses Operational Risk and defines it as ―the risk of loss al resulting from inadequate or failed internal processes, people and systems, or from external events.‖ UK · Part 1 was the basis for ISO 7799 · Part 2 has not been adopted by ISO but is accepted by many other national standards W http://www.federalres erve.gov/boarddocs/pr ess/bcreg/2004/20040 626/attachment.pdf Regulation BSI W http://www.itgoverna nce.co.uk/files/ISMS %20Implementation %20and%20ITG%2 0Tools.pdf Comptroller of Currency BC-177 (1983, 1987) superceded by FFIEC and Federal Home Loan Bank Bulletin R67 (1986) superceded by FFIEC - Requires banking institutions to develop and maintain Business Recovery Plans. Inter-Agency Policy from Federal Financial To be provided August 4, 2007 Regulation Federal Home Loan Bank U.S.A. 
Follows intent of BC 177 which required: - Documented, exercised and maintained recovery plans are required for all user environments and business functions - Recovery Plans must be tested ―periodically‖ and results documented - Plans reviewed annually b E August 4, 2007 Business Continuity at Bank of Japan. Standard BOJ (Bank of Japan) Japan Consensus- This plan assumes an approach to aim at operational continuity. Proper documentation. System / people recovery Corporate-wide testing at least annually Planning for different scenarios E  August 4, 2007 Business Continuity Institute ―Good Practices‖ Standard BCI (Business Continuity Institute) UK No clear guideline to follow · In alignment with DRII ―Professional Practices‖ · More specific W http://www.thebci.org        August 4, 2007 Page 3 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Business Continuity Planning Committee Best Practice Guidelines (Aug 2002) Standard SIA (Securities Industry Association) U.S.A. 
· Each firm should have in place a BC (Business Continuity) program · BC Policy Document · Executive and corporate group responsible for overseeing BC program · Business managers should review, implement, fund, and sign-off of BC plans W http://www.imagingse rvices.com/content.pa ges/bestpractices.pdf        Industry  Business Continuity Planning Supervisory Policy Manual - TM-G2 Regulation The Hong Kong Monetary Authority Hong Kong · Recovery sets out the HKMA's latest supervisory policies This Manual and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices tha This manual takes a supervisory approach where the HKMA’s objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruptio E  August 4, 2007 California SB 1386Security of NonEncrypted Customer Information (July 1, 2003) CAN/CSA-Z 731-03 CAN/CSA-Z 731-03 China Circular to Licensed Corporations "Business continuity planning against serious communicable diseases" Regulation State of California U.S.A. Standard Standard N/A Standard CSA (Canadian Standards Association) CSA (Canadian Standards Association) Canada Canada China Bill requires all agencies, persons or businesses that conduct Effective July 1, 2003. business in California that owns or licenses computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data. 
Canada’s Emergency Preparedness and Response Standards · Canada’s Emergency Preparedness and Response Standards http://www.legalarch iver.org/sb1386.htm                              August 4, 2007 W W E To be provided To be provided To be provided To be provided August 4, 2007 August 4, 2007 August 4, 2007 August 4, 2007 · There are extensive regulations and standards around Information Protection within the People’s Republic of China (PRC) Securities and Futures Hong Kong The Securities and Futures Commission used the circular to Commission of Hong remind licensed persons to take precautions against a Kong reoccurrence of SARS or other serious communicable diseases. The Commission was concerned of the potential disruption to intermediaries' opera Suggestions were given in the circular on procedure and policies to be reviewed, revised or devised to ensure business continuity or prevent material disruption to operation in the event of staff infection. 1/24/2003 Page 4 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. 
Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Civil Contingencies Bill (Bill 53, Feb 2004) Regulation British Law UK · Local arrangements for civil protection · Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that if an emergency occurs that the persons or bodies are able to continue to Generally accepted information technology control objectives for information technology. Domains include: Planning and Organization Acquisition and Implementation Delivery and Support Monitoring and EvaluationAreas Reviewed for compliance Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices. It wa · The purpose of this title to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer · Takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment · Non-compliant fines not more than $10,000 or imprisone E To be provided        COBIT-Control Objectives for information and related Technology (4.1) (May 2007) Standard IT Governance Institute Standards U.S.A. 
E http://www.isaca.org/ Content/NavigationMe nu/Members_and_Lea ders/COBIT6/Obtain_ COBIT/CobiT4.1_Broc hure.pdf        Industry  August 4, 2007 Computer Fraud and Abuse Act Regulation FTC (Federal Trade Commission) U.S.A. E http://www.techfirm.c om/cfaa.htm        August 4, 2007 Consumer Credit Protection Act (CCPA) of 1992, Section 2001 Title IX- Electronic Funds Transfer Regulation U.S.A. I http://www.fdic.gov/r egulations/laws/rules/ 6500-200.html  August 4, 2007 COSO Enterprise Risk Management Framework (September 2004) Standard COSO (Committee of Sponsoring Organizations of the Treadway Commission) U.S.A. Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. E http://www.coso.org/P ublications/ERM/COSO _ERM_ExecutiveSumm ary.pdf        August 4, 2007 Page 5 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Industry CTIA Telecommunication Industry BCM standard and certification Standard CTIA U.S.A. · The CTIA (Cellular Telecommunications and Internet Association) is working on plans to offer standard business continuity guidance to the communications industry. 
· IA CTIA BCM certification will be granted to organizations that display a (soon to b W This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method. http://www.dpsa.gov.z a/documents/acts® ulations/frameworks/ecommerce/POSITION %20PAPER%20ON%2 0INFORMATION%20S ECURITY1.pdf  DRAFT Information Security Policy as presented by the Department of Public Service and Administration Standard Department of Public Service and Administration South Africa Presents a suite of integrated solutions which, together, offer the tools necessary to integrate information security best practices. Based in ISO 17799 and BS 7799.         August 4, 2007 DRI International ―Ten Professional Practices for Business Continuity Professionals‖ Standard DRII (Disaster Recovery Institute International) Internation Professional practice letters include developing business al continuity management strategies and other contingency planning Areas reviewed include: · Potential for data loss · Vital records creation, storage and retention W http://www.drii.org        August 4, 2007 Electronic Fund Transfer Act (EFTA) Regulation OCC U.S.A. · Business and ITbasic responsibilities, rights and liabilities of Establishes the recovery consumers and financial institutions who use electronic fund transfer services and of that offer these services. · BCP to meet ―reasonable standard of care‖ I http://www.ftc.gov/bc p/conline/pubs/credit/ elbank.pdf  August 4, 2007 www.occ.treas.gov/ne tbank/ebguide.htm Fair Credit Reporting Act Regulation FTC (Federal Trade Commission) U.S.A. · Civil penalty of not more than $2,500 per · Designed to promote accuracy and ensure the privacy of the violation information used in consumer reports · State action of damages of not more than $1,000 for each willful or negligent violation Relevance ? 
Requires at the beginning of the year that all FDIC-insured depository institutions with total assets of $500 million or more certify that there is effective functioning of their internal controls systems. · Ensures credit information is accurate and up-to-date I http://www.ftc.gov/os /statutes/fcra.htm  August 4, 2007 FDICIA –Federal Deposit Insurance Corporation Improvement Act of 1991 Regulation FDIC (Federal Deposit Insurance Corporation) U.S.A. E http://www.fdic.gov/r egulations/laws/rules/ 8000-2400.html  August 4, 2007 Page 6 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Federal Acquisition Regulation; Electronic Funds Transfer Final Rule FEMA 141: Disaster Planning Guide for Business and Industry FEMA Emergency Management Guide for Business and Industry FFIEC BCP Handbook: Business Continuity Planning (May 2003) ―IT Examination Handbook‖ Regulation SEC U.S.A. Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government Designed to provide guidance for business and industry officials to respond and recover from disasters. A step-by-step approach to emergency planning, response and recovery for companies of all sizes. 
- Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business - planning should occur for a BCP - Business Impact Analysis and Risk assessment are encouraged as the foundation of an effective BCP - Testing Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. Areas Reviewed for Compliance: Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and financial market E http://www.fms.treas. gov/eft/regulations/far eft.txt SEE ABOVE                               Standard FEMA U.S.A. W Industry August 4, 2007 Standard FEMA (Federal Emergency Management Agency) U.S.A. W http://www.fema.gov/ pdf/library/bizindst.pdf http://www.ffiec.gov/f fiecinfobase/booklets/ bcp/bus_continuity_pl an.pdf August 4, 2007 Regulation FFIEC U.S.A. E August 4, 2007 FFIEC FIL 67-97/82-96 Regulation FFIEC (Federal Financial Institutions Examination Council) U.S.A. A http://www.ffiec.gov/f fiecinfobase/booklets/ bcp/bus_continuity_pl an.pdf  August 4, 2007 FFIEC FIL-81-2005 Information Technology Risk Management Program (IT-RMP) for conducting IT examinations FFIEC Policy SP-5 Standard FDIC (Federal Deposit Insurance Corporation) IT Specific recovery document Information Technology Risk Management Program (IT-RMP) for conducting IT examinations of FDIC-supervised financial institutions, and cover practices for: Risk assessment, Operations security and risk management, Audit and independent review, Disaster rec U.S.A. Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing. 
Issued July 1989 E http://www.fdic.gov/n ews/news/financial/20 05/fil8105.pdf  August 4, 2007 Regulation FFIEC With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial Institutions August 4, 2007 Page 7 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Financial Institutions Reform, Recovery, and Enforcement Act(FIRREA) of 1989; (P.L. 101-73 1989 HR 1278) Regulation U.S.A. Policy allows regulators/examiners to impose civil penalties for Tiers of penalties for violations or non-compliance with regulations, laws, Individual and/or temporary agency orders or any breach of a written corporate after tax agreement between an agency and the institution. fines: · Tier 1: up to $5,000 per day · Tier 2: up to $25,000 per day · Tier 3: up to $1,000,000 per day I http://www.academon .com/lib/essay/termpaper-11995.html (summary and purchase information)  FISMA: Federal Information Security Management Act of 2002 Regulation FTC U.S.A. 
Details requirements to - Assess Risk - Determine levels of security necessary to protect such information - Periodically test and evaluate information security controls and techniques - Develop plans and procedures to ensure continuity of operati Policy states that Directors and Officers can be held liable for ―failure to enact standards of care‖ and should they fail to document their assessment processing determining not to develop a contingency plan. E http://csrc.nist.gov/p olicies/FISMAfinal.pdf ? May apply to organizations and institutions communicating with, performing work for, on behalf of a federal agency        Industry August 4, 2007 Foreign Corrupt Practices Act of 1977: (P.L. 95-213) Regulation U.S.A. Issued in 1977 · Civil penalties can range from $5000 to $100,000 for individuals and from $50,000 to $500,000 for business entities · Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for p I http://www.usdoj.gov/ criminal/fraud/fcpa/fc pastat.htm        August 4, 2007 Page 8 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments FRB (Federal Reserve Banks) SR 96-22 Regulation Board of Governors of the Federal Reserve System U.S.A. 
Reviews and enforces the FFIEC’s Interagency Supervisory Statement on Risk Management of Client/Server Systems SP12. · The statement addresses concerns for security and the controls that should be associated with client/server computing for the officer in charge of each federal reserve bank, including: · Management should ensure that systems and operations are recoverable after an event causing disruption in service. · Management should determine that database Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services E http://www.federalres erve.gov/boarddocs/S RLETTERS/1996/sr962 2.htm  GAO Supplier Requirements Regulation GAO (Government Accountability Office) U.S.A. E General Principles for Technology Risk Management V.1 - TMG-1 Standard The Hong Kong Monetary Authority Hong Kong To provide AIs with guidance on general principles which AIs In section 2.6, are expected to consider in managing technology-related risks policies, procedures or service agreements of between AIs and the overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities U.S.A. Guidelines in this section address standards for developing Effective July 1, 2001 and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity Bank must report to of customer information the board annually. The act includes record-retention requirements t To better protect the insuring public and ensuring the healthy development of the industry in the information technology era. 
The scope of this Guidance Note covers the internet insurance activities of all service providers to the extent that such activit Point 11 address the issue of security in which service providers are advised to take all practicable steps to ensure a number of items including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website (a), a E Will apply to all organizations providing suppliers or services to GAO or Federal Agencies         Industry  August 4, 2007 August 4, 2007 Gramm-Leach-Bliley Act of 1999, section 501 (b): (P.L. 106-102 1999 S 900) Guidance Note on the Use of Internet for Insurance Activities (GN8) Regulation Public Law http://banking.senate. gov/conf/confrpt.htm  August 4, 2007 Standard Office of the Hong Kong Commissioner of Insurance - The Government of the Hong Kong Special Administrative Region To be provided  August 4, 2007 Page 9 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties IT environment including business continuity Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Guidelines on Management of IT Environment HB 221: 2003, Business Continuity Management Handbook HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule~ #7. 
Contingency Plan (164.308(a)(7)(i)) HKMA Supervisory Policy Manual, BCP TM-G-2 V.1 02.12.02 Regulation BNM - Bank Malaysia Standard Central Bank Standards Association of Australia Malaysia Outlines minimum responsibilities and requirements for planning and managing, as well as, establishing preventive and detective measures that should be implemented by institutions to mitigate the risks pertaining to IT environment E To be provided                 Regulation GAO Australia, Sets out the principles and guidance that the Commission New expects companies listed on the NZ Stock Exchange to follow Zealand for Business Continuity Management and establishing a Business Continuity Plan U.S.A. - Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures and Applications and data Criticality Analysis. - Includes specific BCM points W To be provided Industry August 4, 2007 W http://aspe.hhs.gov/a dmnsimp/pl104191.ht m (whole act) August 4, 2007 Regulation Hong Kong Monetary Authority - Applies to any organizat Hong Kong Enforced by onsite examinations, requires need for BCP documentation and testing at least annually, planning for different scenarios and prolong outages. BCP organization & governance structure Approach to business continuity planning Documentation DR site & vendor management E To be provided  August 4, 2007 HKMA Supervisory Regulation Hong Kong Monetary Policy Manual, General Authority Principles for Technology Risk Management TM-G-1 V.1 24.06.03 HKMA, Supervisory Policy Manual, Supervision of EBanking TM-E-1 V.1 17.02.04 Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004) IDA By-law 17.19 Business Continuity Plan Requirement Regulation Hong Kong Monetary Authority Hong Kong Refers to TM-G-2 on BCP on the need to provide continuous service. 
Need to provide alternative service E  August 4, 2007 Hong Kong Refers to TM-G-2 on BCP on the need to provide continuous and/or alternative services. Need to provide alternative service E  August 4, 2007 FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection) Regulation OSC (Ontario Securities Commission) Standard U.S.A. Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur. W http://www.sifma.org /services/business_ continuity/pdf/Nation alStrategy.pdf http://www.osc.gov. on.ca/MarketRegula tion/SRO/ida/rr/srrida_20050107_notpro-bylaw-17-19.pdf         August 4, 2007 Canada The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts. E  August 4, 2007 Page 10 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties BCP, DR Site Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments India BCP Regulation 1. Reserve Bank of India (RBI) 2. Securities & Exchange Board of India, (SEBI) 3. National Stock Exchange (NSE) 4. 
Bombay Stock Exchange (BSE) Regulation Bank Indonesia (Central Bank) Standard Canadian Institute of Chartered Accountants India Enforced by audit, requires need for BCP documentation and testing at least annually. E http://www.continuitycentral.com/news02721.htm http://www.expresscomputeronline.com/20030519/indnews3.shtml Indonesia BCP Information Technology Control Guidelines Indonesia Requires BCP documentation and testing at least annually with focus on Bank Indonesia RTGS system. Requires Internal Audit to conduct an audit at least annually and provide report to Bank Indonesia. BCP RTGS, DR Site Canada Crisis Management for Directors E http://www.cica.ca/multimedia/Download_Library/Standards/CoCo/cris-engtxt.pdf http://www.sec.gov/news/studies/3447638.htm Industry August 4, 2007 E August 4, 2007 Interagency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007) Regulation FRB (Federal Reserve Bank) OCC (Office of the Comptroller of the Currency) SEC (Securities and Exchange Commission) U.S.A. During discussions about the lessons learned from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole: Rapid recovery and timely resumption of critical operations following a wide-scale disruption; Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. For Market Utilities and Core Clearing and Settlement Agencies, goal to meet objectives is end of 2004. For Significant Role Firms, the goal is no later than 2006. E August 4, 2007 · Legal requirements for computer records containing tax information.
· Requires off-site protection and documentation of computer records maintaining tax information IRS Procedure 91-59 (Superseded IRS Procedure 86-19) ISO 9000 Regulation IRS (Internal Revenue Service) U.S.A. I IRS Ruling 98-25 supersedes this: http://www.uiowa.edu/~fusrmp/irsruling9825.html August 4, 2007 Standard ISO International ISO 9000:2000, Quality management systems - Fundamentals and vocabulary. Covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards. Purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans. W http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp August 4, 2007 http://en.wikipedia.org/wiki/ISO_9000 ISO 9001 Standard ISO International ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service.
It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications. International International Addresses risk management and continuity planning issues for compliance. ISO 9004:2000 Quality management systems - Guidelines for performance improvements. Covers continual improvement. This gives you advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation W http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp http://en.wikipedia.org/wiki/ISO_9000 ISO 9002, Quality assurance standard, ISO 9004 Quality management systems Guidelines for performance improvement ISO/IEC 17799:2000 Standard Standard ISO ISO W W http://en.wikipedia.org/wiki/ISO_9002 http://en.wikipedia.org/wiki/ISO_9004 Industry August 4, 2007 August 4, 2007 Standard ISO (International Organization for Standardization) International Focuses on · Business continuity management process · Writing and implementing continuity plans · Business continuity planning framework · Business continuity and impact analysis · Testing and maintaining BCPs Areas reviewed include: W http://en.wikipedia.org/wiki/ISO_17799 August 4, 2007 IT Security Guidelines G3 Standard Information Technology Services Department - The Government of the Hong Kong Special Administrative Region Hong Kong Introduces general concepts relating to Information Technology Security and elaborates interpretations on the Baseline IT Security Policy. It also provides readers some guidelines and considerations in defining security requirements. In this document, government bureaux and departments are suggested to consider implementing a BCP as part of business planning.
4/1/2003 http://www.ogcio.gov.hk/eng/prodev/esecpol.htm August 4, 2007 ITIL - IT Infrastructure Library Standard ITIL (IT Infrastructure Library) U.S.A. · Global standard in the area of service management. Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services. Covers areas dealing with: · Potential for data loss · Vital records cre W http://www.ogc.gov.uk/index.asp?id=2261 (official webpage) http://en.wikipedia.org/wiki/ITIL August 4, 2007 JCAHO Accreditation Manual for Hospitals (1997) U.S.A. Guidelines for information management established by JCAHO Standard Label: IM.1.20 - The [organization] plans for the continuity of its information management processes. E http://www.jointcommission.org/NR/rdonlyres/E2B871E6E315-4B1D-A7FD5C5E655C8605/0/sii_ahc_im_proposed_revisions.pdf (Industry) Available to order from the Institute of Directors (IoD): http://www.iodsa.co.za/king.asp King I Report - 1994 King II Report - 2002 Standard King Committee on Corporate Governance South Africa This is a standard for good corporate governance which most companies in South Africa make reference to in their AFS and try to adhere to.
W Industry August 4, 2007 Korea BCP Regulation Foreign Financial Supervisory Korea Recovery of core business (Bank, Securities, Futures) within 3 hours. Need for proper capacity planning Appropriate access control to DR system BCP, DR Site E http://www.fsc.go.kr/eng/id/ck4.asp August 4, 2007 Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc. Mar 2006 Major Hazard Installation Regulations, 1993 Regulation Occupational Health & Safety Canada Regular and ad-hoc test requirement E August 4, 2007 South Africa Talks about emergency plans - "emergency plan" means a plan in writing which, on the basis of identified potential incidents at the installation, together with their consequences, describes how such incidents and their consequences should be dealt with on- http://www.labour.gov.za/useful_docs/doc_display.jsp?id=10091 Subject to the provisions of subregulation (3) these regulations shall apply to employers, self-employed persons and users, who have on their premises, either permanently or temp August 4, 2007 In section 36 under operational risk: An effective business continuity plan appropriate to the size of the firm is implemented to ensure that the firm is protected from the risk of interruption to its business continuity.
Key processes in this area includ DR Site BCP development (DR site/vital records, etc) Management, Supervision and Internal Control Guidelines ("The Internal Control Guidelines") Standard Securities and Futures Commission of Hong Kong Hong Kong "A licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arisin Copies of the Guidelines are available at the SFC. They can also be found on the SFC's website at http://www.hksfc.org.hk. Manila Bank BCP Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA Regulation Bank of Central Philippines (local central bank) Regulation FISC (The Center for Financial Industry Information System) Philippines Enforced by audit, requires all banks to set up a disaster recovery facility. Japan Audit matter Appointment of BCP manager Implementation of policy & standard Proper documentation Regular review of plan Corporate-wide testing at least annually Planning for different scenarios E E Industry August 4, 2007 August 4, 2007 MAS Business Continuity Management Guidelines (June 2003) MAS Consultation Paper On Business Continuity Planning (BCP) Guidelines (10-Jan-03) MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004) reg MAS (Monetary Authority of Singapore) Regulation MAS (Monetary Authority of Singapore) Singapore International 7 Guiding Principles on Senior Management responsibilities for BCM; embedding BCM into Business-as-usual activities, incorporating sound practices; testing BCP regularly, completely and meaningfully; developing recovery strategies and setting RTO for crit Singapore · Guidelines encourage adoption of BCP Practices by financial institutions in Singapore.
· Guidelines help financial institutions to prepare to be aware by establishing a comprehensive Business Continuity Plan. E August 4, 2007 E August 4, 2007 Standard MAS (Monetary Authority of Singapore) Singapore International Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality and ef Issued October 2007 Updated July 1 2005 E http://www.mas.gov.sg/legislation_guidelines/risk_mgt/Guidelines_on_Risk_Management_Practices.html August 4, 2007 Ministry for Provincial & Local Government Disaster Management Act, 2002 Regulation South Africa Proposed national disaster management framework. Provides for: · An integrated and coordinated disaster management policy that focuses on preventing and reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid · Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.
· Must update its plan in the event of any material change to the member's operations, structur To be provided http://disaster.co.za/docs/DisasterManagementAct572002.doc NASD Rule 108 (Sept 9, 02) and SR-NASD2002-112 (March 10, 03) (Release No. 3448503; File No. SRNASD-2002-108) NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans Regulation NASD (North American Securities Dealers Association)/ SEC U.S.A. E http://www.sec.gov/rules/sro/nasd2002108/nasd2002108typea.htm Industry August 4, 2007 Regulation NASD U.S.A. Requires a Business Continuity Plan addressing: · Alternate communications between customers, firm and employees · Business constituent, bank and counter party impact · Regulatory Reporting · Mission Critical Systems E http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf August 4, 2007 NASD Rule 3500: Emergency Preparedness Part 3520: Emergency Contact Information Regulation NASD U.S.A. · Operational and Finan Rule 3520 requires NASD members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the e E http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf (notice to members) August 4, 2007 NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan Regulation CFTC (Commodity Futures Trading Commission) NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems Standard NFPA U.S.A. Requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption. Guideline of a step-by-step approach to emergency planning, response and recovery for companies.
E http://www.nfa.futures.org/printerFriendly.asp?tag=2-38 http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111 (ordering information) http://www.nfpa.org/assets/files/PDF/111-05ROPDraft.pdf (report on proposals) August 4, 2007 U.S.A. W August 4, 2007 NFPA 232: Standard on Protection of Records Standard NFPA U.S.A. Standards for protection of business records, archives and records centers. W http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232 (ordering information) Industry NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs NIST SP 800-34 Contingency Planning Guide Standard NFPA (National Fire Protection Association) U.S.A. Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery. · Details the fundamental planning principles necessary for developing an effective contingency capability. · Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
· Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption. · Yearly review must be conducted of the business conti W http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa August 4, 2007 Standard NIST (National Institute of Standards and Technology) U.S.A. E http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf August 4, 2007 NYSE Rule 446: Business Continuity and Contingency Planning Regulation NYSE (New York Stock Exchange) U.S.A. Possible Image and Reputation impacts for not complying with stock market regulations including, in extreme cases, potential de-listing. E http://rules.nyse.com/NYSETools/ExchangeViewer.asp?selectednode=chp%5F1%5F5%5F11%5F4&manual=%2Fnyse%2Fnyse%5Frules%2Fnyse%2Drules%2F http://www.occ.treas.gov/ftp/bulletin/200147.txt August 4, 2007 OCC 2001-47: Third-Party Relationships (November 1, 2001) Regulation OCC U.S.A. Provides guidance to national banks on managing risks resulting from business relationships with third parties. It explains that third-party contracts should provide for: · Continuation of the business function in the event of problems with the third Information Technology Examination Handbook - Business Continuity Planning and Supervision of Technology Service Providers Booklets The BCP Booklet describes the process for managing business continuity based on risk as the following: E August 4, 2007 OCC 2003-18: FFIEC (March 2003) Regulation OCC U.S.A. E http://www.occ.treas.gov/ftp/bulletin/200318.doc August 4, 2007 OCC 97-23: Corporate Business Resumption and Contingency Planning (May 16, 1997) OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999) Regulation OCC U.S.A. · Business impact [NOTE: Rescinded—SEE 2003-18] E RESCINDED by OCC 2003-18 August 4, 2007 Regulation OCC U.S.A.
· Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingen · Exp E http://www.occ.treas.gov/ftp/bulletin/999.txt August 4, 2007 OSHA - Occupational Safety and Health Administration Regulation OSHA (Occupational Safety and Health Administration) U.S.A. · Disaster preparedness · OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP). · For businesses with 10 or fewer employees, a written plan is not mandated but recommended. I http://www.osha.gov/ Personal Data (Privacy) Ordinance Standard Office of the Privacy Commissioner for Personal Data - The Government of the Hong Kong Special Administrative Region Hong Kong The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data.
It also contributes to Hong Kong's continued economic wellbeing by safeguarding the free flow of personal data to Hong Kong from restrict Based on the Data Protection Principles published, the relevant principles to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to persona W http://www.pco.org.hk/english/ordinance/ordglance.html Industry August 4, 2007 Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002) Privacy Act of 1974 (5USC552a) Standard Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut) U.S.A. This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis preparation, prevention, and continuous improvement http://www.businessroundtable.org/pdf/722.pdf August 4, 2007 Regulation U.S.A. Requires management to safeguard and to keep the information accurate and current to protect the individual. I http://www.usdoj.gov/foia/privstat.htm August 4, 2007
Prudent Man Concept Regulation Common Law International · As per the Uniform Commercial Code, legal standard used to determine whether appropriate action was taken in a particular situation. · Directors, senior management, officers and agents, when working for an organization, are considered to be in a posi I Uniform Commercial Code http://www.dodsonedgars.com/services.htm Any company, regardless of its industry, is expected to exercise due care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners. Due care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due care is seen in the same light by State and Federal Courts. Negligence Liability Public Finance Management Act, 1999 - DRAFT Treasury Relations Regulation South Africa Publicly Available Specification (PAS) 56 Guide to Business Continuity Management Standard BSI (British Standards Institute) UK Unable to find anything specific to BC or DR… "availability of financial information" was included… · Describes establishment of a BCM practice and provides recommendations. · Provides BCM framework for anticipation and response to incidents.
PAS56 is intended for the person responsible for managing and applying business continuity within the or E http://www.acts.co.za/public_fin_man/index.htm Industry August 4, 2007 http://www.pas56.com/ August 4, 2007 Risk Management Standard, AIRMIC, ALARM, IRM; 2002 Standard AIRMIC (Association of Insurance and Risk Managers) ALARM (National Forum for Risk Management in the Public Sector) UK Establishes guidelines for Risk Management including · Risk Assessment · Risk Reporting · Risk Treatment 9.4 The role of the Risk Management function should include the following: · (bullet 8) developing risk response processes, including contin W http://www.airmic.com/ SAMOS and CLS Business Continuity Procedures - SA Reserve Bank Standard South African Reserve Bank National Payment System Department South Africa Continuity Procedures for SA Reserve Bank and Business Participants E www.reservebank.co.za/internet/Publication.nsf/LADV/8B8A38FD0C1E5F5042256FCE00308106/$File/CLSBCP_SARB.pdf http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf Industry August 4, 2007 Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) SECTION 404 Regulation PCAOB - Public Company Accounting Oversight Board U.S.A.
· Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls · Potential for data loss (ability to identify and rebuild lost transactions and source documentation) · Vital records creation, Non-complying organizations may receive qualified opinions on their internal controls from their external auditors. · If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion. E August 4, 2007 Sarbanes-Oxley Act of 2002: SECTION 409 Regulation PCAOB - Public Company Accounting Oversight Board U.S.A. · Issuers must disclose information on material changes in financial condition on a regular basis Areas assessed include: · Potential for data loss (ability to identify and rebuild lost transactions and source documentation) · Vital records creatio E http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf August 4, 2007 Effective 1993 Statement on Auditing Standards (SAS) 70 audit reports Standard American Institute of Certified Public Accountants (AICPA). U.S.A.
SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers). http://www.sas70.com/ SEC 38-a : Investment Company Act of 1940 SEC Act of 1934: (15 U.S.C.A 78A) Rule 17a-4 SEC U.S.A. E http://www.law.uc.edu/CCL/InvCoAct/sec38.html Industry August 4, 2007 Regulation SEC U.S.A. Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements. · Policy addresses criminal liability of Directors and officers for failure to: Protect computerized information; Document process used to assess risks of information loss; exercise "duty of care" · Burden of proof lies with the Directors and Officers Potential fines imposed include personal fines up to $10,000 and corporate fines up to $1,000,000.
E http://www.sec.gov/about/laws/sea34.pdf http://www.sec.gov/about/laws.shtml#secexact1934 (summary information) August 4, 2007 Securities and Exchange Act, Sections 32(a) and (b) Regulation SEC U.S.A. E http://www.law.uc.edu/CCL/34Act/sec32.html August 4, 2007 Supervision of Technology Service Providers Booklets (May 2003) Standard FFIEC U.S.A. BUSINESS CONTINUITY PLANNING, SUPERVISION OF TECHNOLOGY SERVICE PROVIDER GUIDANCE RELEASED BY FEDERAL FINANCIAL REGULATORS The Business Continuity Planning Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Examiners should focus on: · Management of Technology - the planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or technology service providers. W http://www.ffiec.gov/press/pr052003.htm Telecommunications Act of 1996 Regulation FCC - Federal Communications Commission U.S.A. · Int The act was intended to promote competition in the telecommunications industry.
Section 256 gives the FCC the right to oversee that telecommunications networks “seamlessly and transparently transmit and receive information between and across telecommunications networks.” The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org) www.fcc.gov/teleco m.html        Industry  August 4, 2007 Terrorism- Real Threats, Real Costs, Joint solutions (June 2003) Standard Business Roundtable U.S.A. The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat. It then recommends various tools and procedures for government to use when regulating and outline the difficulty of allocating the costs of security. W http://www.abanet.or g/adminlaw/conferenc e/2003/NewFrontier/N ewfrontierprogram.ht ml         August 4, 2007 Page 21 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties BCP, Vital records, DR Site Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Thailand BCP Regulation Governing Body will be Bank of Thailand / Securities and Exchange Commission, Thailand. 
Thailand The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org) E Unofficial Translation by the courtesy of The Foreign Banks' Association This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version: www.bot.or.th/fipcs/D ocuments/FPG/2550/E ngPDF/25500011.pdf  The Promotion of Access to Information Act (#2 of 2000) Turnbull Report (September 1999) Regulation Parliament of the Repulblic of South Africa Regulation Institute of Chartered Accountants in England and Wales South Africa UK ACT - To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected ther Internal Control-Guidance for Director on the Combined Code Those companies found in violation · States that anyone listed on the London Stock Exchange could be de-listed must have BCP from the London Stock Exchange. · Requires companies to report whether the board has reviewed the system of ―internal · The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs. · Within 6 months after the date of enactment of this act, the secretary and other appropriate government agencies shall submit a report to Congress. · Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts www.info.gov.za/gaz ette/acts/2000/a200.pdf E               Industry August 4, 2007 www.icaew.co.uk/in dex.cfm?route=1209 07 August 4, 2007 USA Patriot Act of 2001: (P.L. 107-56 2001 HR 3162) Regulation DHS U.S.A. 
E http://www.epic.org/p rivacy/terrorism/hr316 2.html        August 4, 2007 Page 22 of 24 Disaster Recovery Journal Editorial Advisory Board Rules Regulations Committee 4/7/2009 2:47 PM The followig content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source. Infrastructure Category Information Distribution & Communications Banking & Finance Energy (including nuclear) Agriculture, Food Supply & Water Category (E, A, W, I) Transportation & Shipping Government & Public Agencies Regulation / Standard Title Governing Body Summary Significant Dates, Fines, Penalties Public Health & Healthcare Country DRJ EAB R&R Use: Date of Last Review or Confirmation August 4, 2007 Notes /Comments Various OCC Comptroller's Handbooks Standard Office of the Comptroller U.S.A. The OCC Comptroller Handbooks are issued to provide guidance for examiners. Several of these handbooks discuss business continuity planning and provide guidance for examiners. Listed below are some of the OCC handbooks that discuss BCP: * Asset Management * Asset Securitization * Community Bank Fiduciary Activities Supervision * Community Bank Supervision * Custody Services * Emerging Market Country Products and Trading Activities * Federal Branches and Agencies Supervision * Insurance Activities * Internal and External Audits * Internal Controls * Internet Banking * Investment Management Services * Large Bank Supervision * Liquidity * Merchant Processing * Risk Management of Financial Derivatives Required compliance standards for major credit card companies for regular security assessments and reporting. www.occ.treas.gov/ handbook/S&S.htm  VISA CISP (Cardholder Information Security Program) Standard VISA, endorsed by AMEX, Diners, Discover, JCB U.S.A. Failure to comply can result in: · Fines of $50,000 for first violation, $100,000 for the second violation. 
· Restrictions on merchant · Permanent prohibition of participation in Visa E http://www.usa.visa. com/merchants/risk _management/cisp_ overview.html?it=l2|/ merchants/risk_man agement/cisp.html| Overview#anchor_2  Industry August 4, 2007 Enforced (E) Most frequently enforced for compliance purposes Ambiguous (A) Further clarification regarding strong ties with Business Continuity need to happen Watch List (W) Participating members should be looking for the presence of this item within the coming months/years Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an ―incident‖ occurring involving your organization Page 23 of 24 4/7/2009 2:47 PM Homework Assigned by Rows Acromtn Country Definition BSE DHS FRB FSSCC NSE OCC RBI SEBI SEC India U.S.A. U.S.A. U.S.A. India U.S.A. India India U.S.A. Bombay Stock Exchange Department of Homeland Security (USA) Federal Reserve Bank Financial Services Sector Coordinating Council for Critical Infrastructure Protection National Stock Exchange Office of the Comptroller of the Currency Reserve Bank of India Securities & Exchange Board of India Securities and Exchange Commission aff8479a-ed27-4d5c-94f4-9cd815763018.xls R&R Acronyms Page 24 of 24