11/14/2010 11:00 AM




 The following is a DRAFT of the R&R Committee Mission Statement provided by Peter Laz on April 26, 2007, with the
 editorial support of the committee:

 The mission of the DRJ Editorial Advisory Board's (EAB) Rules & Regulations Committee is to:

    Develop a repository of Business Continuity / Disaster Recovery regulations, statutes and standards across various
    industries and countries

    Enable access to the repository for all Business Continuity / Disaster Recovery practitioners

    Maintain the repository

 The above mission statement was reviewed and approved by the R&R Committee during our meeting on Tuesday, May
 1, 2007.




R&R Mission Statement                                      Page 1 of 25
Disaster Recovery Journal Editorial Advisory Board, Rules & Regulations Committee                    11/14/2010 11:00 AM




The following content was compiled by volunteers, and is as accurate as possible.
The content is subject to change without notice. For the most timely information please go directly to the source.

Each entry below records the columns of the committee's table:

    Title
    Regulation / Standard
    Governing Body
    Country
    Summary
    Dates, Fines, Penalties
    Significant Category (E, A, W, I)
    Notes / Comments
    Infrastructure Category: Banking & Finance; Information Distribution & Communications; Energy (including nuclear);
        Agriculture, Food Supply & Water; Transportation & Shipping; Public Health & Healthcare; Government & Public
        Agencies; Industry
    DRJ EAB R&R Use: Date of Last Review or Confirmation

2002 ACH Rules Book
    Regulation / Standard: Regulation
    Governing Body: ACH (Federal Reserve's Automated Clearinghouse Association)
    Country: U.S.A.
    Summary:
        · Requires 6 year file retention on all ACH transactions
        · An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and
          receiving financial institutions
    Dates, Fines, Penalties: Non-compliant fines not more than $10,000 or imprisoned not more than ten years, or both
    Significant Category: I
    Notes / Comments: http://www.fms.treas.gov/ach/interim_2003.pdf (Treasury Department decision) (order form)
    Date of Last Review or Confirmation: August 4, 2007



6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004)
    Regulation / Standard: Regulation
    Governing Body: CFR (Code of Federal Regulations)
    Country: U.S.A.
    Summary:
        · Continuity of operations for Critical Infrastructure
        · Disclosure of critical information to the government
    Significant Category: W
    Notes / Comments: http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi
    Date of Last Review or Confirmation: August 4, 2007

ANAO Better Practice Guide: Business Continuity Management - Keeping the Wheels in Motion
    Regulation / Standard: Standard
    Governing Body: ANAO (Australian National Audit Office)
    Country: Australia, New Zealand
    Summary:
        · Presents a structured approach to business continuity management. The approach involves identifying
          preventative treatments for continuity risks that can be routinely managed
        · Managers should have an ongoing focus on business continuity
    Significant Category: W
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007

ANSI/ARMA 5-2003 Vital Records Programs
    Regulation / Standard: Regulation
    Governing Body: ANSI (American National Standards Institute) / ARMA (Association of Records Managers and
        Administrators)
    Country: U.S.A.
    Summary: Sets requirements for establishing a vital records program by:
        - Identifying and protecting vital records
        - Assessing and analyzing their vulnerability
        - Determining the impact of their loss on the organization
    Significant Category: E
    Notes / Comments: Addresses the development and implementation of a vital records program within the context of
        a formal records management program. Vital records are defined as records containing information essential
        to the survival of an organization in the event of a disaster.
    Date of Last Review or Confirmation: August 4, 2007


AS/NZ 4390, Records Management Standard
    Regulation / Standard: Standard
    Governing Body: Standards Association of Australia
    Country: Australia, New Zealand
    Summary: Establishes guidelines for records management
    Significant Category: W
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007

AS/NZ 4444.2: 2000 Information Security Standard, includes business continuity section.
    Regulation / Standard: Standard
    Governing Body: Standards Association of Australia
    Country: Australia, New Zealand
    Summary:
        · It is intended for use by employees or managers who are implementing and maintaining information security
          in their organization
        · States that organizations need to undertake a risk assessment including business continuity planning
    Significant Category: W
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007

AS/NZS 4360:2004 DRAFT, Risk Management Standard; Business Continuity
    Regulation / Standard: Standard
    Governing Body: Standards Association of Australia
    Country: Australia, New Zealand
    Summary: Guidelines that assist with the development of an effective Risk Management and Business Continuity Plan
    Significant Category: W
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007




Page 2 of 25

ASIS GDL BC 10 2004 -DRAFT- Business Continuity Guideline
    Regulation / Standard: Standard
    Governing Body: ASIS International
    Country: U.S.A.
    Summary:
        · Tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or
          emergency) so that it can manage and survive the crisis and take appropriate actions to ensure its continued
          viability
        · Outlines a planning pr
    Significant Category: W
    Notes / Comments: http://www.asisonline.org/guidelines/guidelinesbusinesscon.pdf
    Date of Last Review or Confirmation: August 4, 2007

Australia BCP
    Regulation / Standard: Regulation
    Governing Body: Australia Financial Markets Association
    Country: Australia
    Summary: Will be enforced by audit (once published) but recommended by audit at the moment. Requires need for BCP
        documentation and testing at least annually, planning for different scenarios.
    Dates, Fines, Penalties: BCP, Vital records, DR Site
    Significant Category: E
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007

Australian Commonwealth Criminal Code
    Regulation / Standard: Regulation
    Governing Body: Australian Government
    Country: Australia
    Summary: Establishing criminal penalties for officers and directors of organizations that experience a major
        disaster and fail to have a proper business continuity plan in place.
    Significant Category: E
    Notes / Comments: To be provided
    Date of Last Review or Confirmation: August 4, 2007

Title: Banks Act (94/1990)
Regulation / Standard: Regs
Country: South Africa
Notes/Comments: http://www.acts.co.za/Banks/Index.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Basel II: New Basel Capital Accord (April 2003)
Regulation / Standard: Regulation
Governing Body: Basel
Country: International
Summary: Addresses Operational Risk and defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
Category: W
Notes/Comments: http://www.federalreserve.gov/boarddocs/press/bcreg/2004/20040626/attachment.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: BS7799-2; 2002, Section 9, Business Continuity and Disaster Recovery Planning
Regulation / Standard: Regulation
Governing Body: BSI
Country: UK
Summary:
· Part 1 was the basis for ISO 7799
· Part 2 has not been adopted by ISO but is accepted by many other national standards
Category: W
Notes/Comments: http://www.itgovernance.co.uk/files/ISMS%20Implementation%20and%20ITG%20Tools.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Bulletin R-67
Regulation / Standard: Regulation
Governing Body: Federal Home Loan Bank
Country: U.S.A.
Summary: Follows intent of BC 177 which required:
- Documented, exercised and maintained recovery plans are required for all user environments and business functions
- Recovery Plans must be tested "periodically" and results documented
- Plans reviewed annually b
Category: E
Notes/Comments: Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC - Requires banking institutions to develop and maintain Business Recovery Plans. Inter-Agency Policy from Federal Financial
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity at Bank of Japan.
Regulation / Standard: Standard
Governing Body: BOJ (Bank of Japan)
Country: Japan
Summary: Consensus- This plan assumes an approach to aim at operational continuity. Proper documentation.
System / people recovery
Corporate-wide testing at least annually
Planning for different scenarios
No clear guideline to follow
Category: E
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Institute "Good Practices"
Regulation / Standard: Standard
Governing Body: BCI (Business Continuity Institute)
Country: UK
Summary:
· In alignment with DRII "Professional Practices"
· More specific
Category: W
Notes/Comments: http://www.thebci.org
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Planning Committee Best Practice Guidelines (Aug 2002)
Regulation / Standard: Standard
Governing Body: SIA (Securities Industry Association)
Country: U.S.A.
Summary:
· Each firm should have in place a BC (Business Continuity) program
· BC Policy Document
· Executive and corporate group responsible for overseeing BC program
· Business managers should review, implement, fund, and sign-off of BC plans
Category: W
Notes/Comments: http://www.imagingservices.com/content.pages/bestpractices.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Planning Supervisory Policy Manual - TM-G-2
Regulation / Standard: Regulation
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary:
· Recovery
This Manual sets out the HKMA's latest supervisory policies and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices tha
Significant Dates, Fines, Penalties: This manual takes a supervisory approach where the HKMA’s objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruptio
Date of Last Review or Confirmation: August 4, 2007
Title: California SB 1386 - Security of Non-Encrypted Customer Information (July 1, 2003)
Regulation / Standard: Regulation
Governing Body: State of California
Country: U.S.A.
Summary: Bill requires all agencies, persons or businesses that conduct business in California that owns or licenses computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Significant Dates, Fines, Penalties: Effective July 1, 2003.
Category: E
Notes/Comments: http://www.legalarchiver.org/sb1386.htm
Date of Last Review or Confirmation: August 4, 2007
Title: CAN/CSA-Z 731-03
Regulation / Standard: Standard
Governing Body: CSA (Canadian Standards Association)
Country: Canada
Summary: Canada’s Emergency Preparedness and Response Standards
Category: W
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: China
Regulation / Standard: N/A
Country: China
Summary: · There are extensive regulations and standards around Information Protection within the People’s Republic of China (PRC)
Category: E
Notes/Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Circular to Licensed Corporations - "Business continuity planning against serious communicable diseases"
Regulation / Standard: Standard
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary: The Securities and Futures Commission used the circular to remind licensed persons to take precautions against a reoccurrence of SARS or other serious communicable diseases. The Commission was concerned about the potential disruption to intermediaries' opera
Significant Dates, Fines, Penalties: Suggestions were given in the circular on procedures and policies to be reviewed, revised or devised to ensure business continuity or prevent material disruption to operation in the event of staff infection. 1/24/2003
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: Civil Contingencies Bill (Bill 53, Feb 2004)
Regulation / Standard: Regulation
Governing Body: British Law
Country: UK
Summary:
  · Local arrangements for civil protection
  · Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that, if an emergency occurs, the persons or bodies are able to continue to
Category: E
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: COBIT - Control Objectives for Information and related Technology (4.1) (May 2007)
Regulation / Standard: Standard
Governing Body: IT Governance Institute Standards
Country: U.S.A.
Summary: Generally accepted information technology control objectives for information technology. Domains include:
  · Planning and Organization
  · Acquisition and Implementation
  · Delivery and Support
  · Monitoring and Evaluation
  Areas Reviewed for compliance
Category: E
Notes / Comments: http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Computer Fraud and Abuse Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary: Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices. It wa
Category: E
Notes / Comments: http://www.techfirm.com/cfaa.htm
Date of Last Review or Confirmation: August 4, 2007

                                                                                                                                            Page 5 of 25
Title: Consumer Credit Protection Act (CCPA) of 1992, Section 2001, Title IX - Electronic Funds Transfer
Regulation / Standard: Regulation
Country: U.S.A.
Summary:
  · The purpose of this title is to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer
Significant Dates, Fines, Penalties:
  · Takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment
  · Non-compliant fines not more than $10,000 or imprisone
Category: I
Notes / Comments: http://www.fdic.gov/regulations/laws/rules/6500-200.html
Date of Last Review or Confirmation: August 4, 2007

Title: COSO Enterprise Risk Management Framework (September 2004)
Regulation / Standard: Standard
Governing Body: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Country: U.S.A.
Summary: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
Category: E
Notes / Comments: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: CTIA Telecommunication Industry BCM standard and certification
Regulation / Standard: Standard
Governing Body: CTIA
Country: U.S.A.
Summary:
  · The CTIA (Cellular Telecommunications and Internet Association) is working on plans to offer standard business continuity guidance to the communications industry.
  · A CTIA BCM certification will be granted to organizations that display a (soon to b
Category: W
Notes / Comments: This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method.
Date of Last Review or Confirmation: August 4, 2007

Title: DRAFT Information Security Policy as presented by the Department of Public Service and Administration
Regulation / Standard: Standard
Governing Body: Department of Public Service and Administration
Country: South Africa
Summary: Presents a suite of integrated solutions which, together, offer the tools necessary to integrate information security best practices. Based on ISO 17799 and BS 7799.
Notes / Comments: http://www.dpsa.gov.za/documents/acts&regulations/frameworks/e-commerce/POSITION%20PAPER%20ON%20INFORMATION%20SECURITY1.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: DRI International "Ten Professional Practices for Business Continuity Professionals"
Regulation / Standard: Standard
Governing Body: DRII (Disaster Recovery Institute International)
Country: International
Summary: Professional practice letters include developing business continuity management strategies and other contingency planning. Areas reviewed include:
  · Potential for data loss
  · Vital records creation, storage and retention
  · Business and IT recovery
Category: W
Notes / Comments: http://www.drii.org
Date of Last Review or Confirmation: August 4, 2007

                                                                                                                                                 Page 6 of 25


                                                                                                                                                                                                                                                            Shipping




                                                                                                                                                                                                                                                                                               Industry
                                                                                                                                                                                                                                                                               nuclear)
                                                                                                                                                                                            Notes
        Title                             Governing Body                                            Summary                                      Dates, Fines,
                                                                                                                                                                                          /Comments                                                                                                                                                                        Date of Last Review or
                                                                                                                                                   Penalties
                                                                                                                                                                                                                                                                                                                                                                                Confirmation

Title: Electronic Fund Transfer Act (EFTA)
Regulation / Standard: Regulation
Governing Body: OCC
Country: U.S.A.
Summary:
  · Establishes the basic responsibilities, rights and liabilities of consumers and financial institutions who use electronic fund transfer services and of those that offer these services.
  · BCP to meet "reasonable standard of care"
Significant Category: I
Notes / Comments: http://www.ftc.gov/bcp/conline/pubs/credit/elbank.pdf ; www.occ.treas.gov/netbank/ebguide.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Fair Credit Reporting Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary:
  · Ensures credit information is accurate and up-to-date
  · Designed to promote accuracy and ensure the privacy of the information used in consumer reports
Dates, Fines, Penalties:
  · Civil penalty of not more than $2,500 per violation
  · State action of damages of not more than $1,000 for each willful or negligent violation
Significant Category: I
Notes / Comments: http://www.ftc.gov/os/statutes/fcra.htm
Date of Last Review or Confirmation: August 4, 2007

Title: FDICIA – Federal Deposit Insurance Corporation Improvement Act of 1991
Regulation / Standard: Regulation
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Country: U.S.A.
Summary: Relevance ? Requires at the beginning of the year that all FDIC-insured depository institutions with total assets of $500 million or more certify that there is effective functioning of their internal controls systems.
Significant Category: E
Notes / Comments: http://www.fdic.gov/regulations/laws/rules/8000-2400.html
Date of Last Review or Confirmation: August 4, 2007

Title: Federal Acquisition Regulation; Electronic Funds Transfer Final Rule
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government
Significant Category: E
Notes / Comments: http://www.fms.treas.gov/eft/regulations/fareft.txt
Date of Last Review or Confirmation: August 4, 2007

Title: FEMA 141: Disaster Planning Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA
Country: U.S.A.
Summary: Designed to provide guidance for business and industry officials to respond and recover from disasters.
Significant Category: W
Notes / Comments: SEE ABOVE
Date of Last Review or Confirmation: August 4, 2007


Title: FEMA Emergency Management Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA (Federal Emergency Management Agency)
Country: U.S.A.
Summary: A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
Significant Category: W
Notes / Comments: http://www.fema.gov/pdf/library/bizindst.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC BCP Handbook: Business Continuity Planning (May 2003) "IT Examination Handbook"
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary:
  - Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business
  - planning should occur for a BCP
  - Business Impact Analysis and Risk assessment are encouraged as the foundation of an effective BCP
  - Testing
Dates, Fines, Penalties: Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and financial market
Significant Category: E
Notes / Comments: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC FIL 67-97/82-96
Regulation / Standard: Regulation
Governing Body: FFIEC (Federal Financial Institutions Examination Council)
Country: U.S.A.
Summary: Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus.
  Areas Reviewed for Compliance: IT Specific recovery document
Significant Category: A
Notes / Comments: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007





                                                                                                                                               Page 7 of 25

Title: FFIEC FIL-81-2005 - Information Technology Risk Management Program (IT-RMP) for conducting IT examinations
Regulation / Standard: Standard
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Summary: Information Technology Risk Management Program (IT-RMP) for conducting IT examinations of FDIC-supervised financial institutions, and cover practices for: Risk assessment, Operations security and risk management, Audit and independent review, Disaster rec
Notes / Comments: http://www.fdic.gov/news/news/financial/2005/fil8105.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC Policy SP-5
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary: Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.
Dates, Fines, Penalties: Issued July 1989
Significant Category: E
Notes / Comments: With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial
Date of Last Review or Confirmation: August 4, 2007

Title: Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) of 1989; (P.L. 101-73 1989 HR 1278)
Regulation / Standard: Regulation
Country: U.S.A.
Summary: Policy allows regulators/examiners to impose civil penalties for violations or non-compliance with regulations, laws, temporary agency orders or any breach of a written agreement between an agency and the institution.
Dates, Fines, Penalties: Tiers of penalties for Individual and/or corporate after tax fines:
  · Tier 1: up to $5,000 per day
  · Tier 2: up to $25,000 per day
  · Tier 3: up to $1,000,000 per day
Significant Category: I
Notes / Comments: http://www.academon.com/lib/essay/term-paper-11995.html (summary and purchase information)
Date of Last Review or Confirmation: August 4, 2007

Title: FISMA: Federal Information Security Management Act of 2002
Regulation / Standard: Regulation
Governing Body: FTC
Country: U.S.A.
Summary: Details requirements to:
    - Assess Risk
    - Determine levels of security necessary to protect such information
    - Periodically test and evaluate information security controls and techniques
    - Develop plans and procedures to ensure continuity of operati
Category (E, A, W, I): E
Notes / Comments: http://csrc.nist.gov/policies/FISMA-final.pdf. ? May apply to organizations and institutions communicating with, performing work for, on behalf of a federal agency
Date of Last Review or Confirmation: August 4, 2007





Title: Foreign Corrupt Practices Act of 1977: (P.L. 95-213)
Regulation / Standard: Regulation
Country: U.S.A.
Summary: Policy states that Directors and Officers can be held liable for "failure to enact standards of care" and should they fail to document their assessment processing determining not to develop a contingency plan.
Significant Dates, Fines, Penalties: Issued in 1977.
    - Civil penalties can range from $5000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
    - Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for p
Category (E, A, W, I): I
Notes / Comments: http://www.usdoj.gov/criminal/fraud/fcpa/fcpastat.htm
Date of Last Review or Confirmation: August 4, 2007

Title: FRB (Federal Reserve Banks) SR 96-22
Regulation / Standard: Regulation
Governing Body: Board of Governors of the Federal Reserve System
Country: U.S.A.
Summary: Reviews and enforces the FFIEC's Interagency Supervisory Statement on Risk Management of Client/Server Systems SP-12.
    - The statement addresses concerns for security and the controls that should be associated with client/server computing for the officer in charge of each federal reserve bank, including:
    - Management should ensure that systems and operations are recoverable after an event causing disruption in service.
    - Management should determine that database
Category (E, A, W, I): E
Notes / Comments: http://www.federalreserve.gov/boarddocs/SRLETTERS/1996/sr9622.htm
Date of Last Review or Confirmation: August 4, 2007

Title: GAO Supplier Requirements
Regulation / Standard: Regulation
Governing Body: GAO (Government Accountability Office)
Country: U.S.A.
Summary: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
Category (E, A, W, I): E
Notes / Comments: Will apply to all organizations providing suppliers or services to GAO or Federal Agencies
Date of Last Review or Confirmation: August 4, 2007

Title: General Principles for Technology Risk Management V.1 - TM-G-1
Regulation / Standard: Standard
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary: To provide AIs with guidance on general principles which AIs are expected to consider in managing technology-related risks
Significant Dates, Fines, Penalties: In section 2.6, policies, procedures or service agreements between AIs and the overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities
Date of Last Review or Confirmation: August 4, 2007





Title: Gramm-Leach-Bliley Act of 1999, section 501 (b): (P.L. 106-102 1999 S 900)
Regulation / Standard: Regulation
Governing Body: Public Law
Country: U.S.A.
Summary: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The act includes record-retention requirements t
Significant Dates, Fines, Penalties: Effective July 1, 2001. Bank must report to the board annually.
Category (E, A, W, I): E
Notes / Comments: http://banking.senate.gov/conf/confrpt.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Guidance Note on the Use of Internet for Insurance Activities (GN8)
Regulation / Standard: Standard
Governing Body: Office of the Commissioner of Insurance - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary: To better protect the insuring public and ensure the healthy development of the industry in the information technology era. The scope of this Guidance Note covers the internet insurance activities of all service providers to the extent that such activit
Significant Dates, Fines, Penalties: Point 11 addresses the issue of security, in which service providers are advised to take all practicable steps to ensure a number of items including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website (a), a
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007


Title: Guidelines on Management of IT Environment
Regulation / Standard: Regulation
Governing Body: BNM - Bank Malaysia Central Bank
Country: Malaysia
Summary: Outlines minimum responsibilities and requirements for planning and managing, as well as establishing preventive and detective measures that should be implemented by institutions to mitigate the risks pertaining to the IT environment.
Significant Dates, Fines, Penalties: IT environment including business continuity
Category (E, A, W, I): E
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HB 221: 2003, Business Continuity Management Handbook
Regulation / Standard: Standard
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary: Sets out the principles and guidance that the Commission expects companies listed on the NZ Stock Exchange to follow for Business Continuity Management and establishing a Business Continuity Plan.
Category (E, A, W, I): W
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7. Contingency Plan (164.308(a)(7)(i))
Regulation / Standard: Regulation
Governing Body: GAO
Country: U.S.A.
Summary:
- Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures and Applications and Data Criticality Analysis.
- Includes specific BCM points
Category (E, A, W, I): W
Notes / Comments: http://aspe.hhs.gov/admnsimp/pl104191.htm (whole act)
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA Supervisory Policy Manual, BCP TM-G-2 V.1 02.12.02
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary:
- Applies to any organizat
- Enforced by onsite examinations; requires BCP documentation and testing at least annually, and planning for different scenarios and prolonged outages.
Significant Dates, Fines, Penalties: BCP organization & governance structure; Approach to business continuity planning; Documentation; DR site & vendor management
Category (E, A, W, I): E
Notes / Comments: To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1 V.1 24.06.03
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary: Refers to TM-G-2 on BCP on the need to provide continuous service.
Significant Dates, Fines, Penalties: Need to provide alternative service
Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17.02.04
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary: Refers to TM-G-2 on BCP on the need to provide continuous and/or alternative services.
Significant Dates, Fines, Penalties: Need to provide alternative service
Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007

Title: Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004)
Regulation / Standard: Standard
Governing Body: FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection)
Country: U.S.A.
Summary: Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur.
Category (E, A, W, I): W
Notes / Comments: http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: IDA By-law 17.19 - Business Continuity Plan Requirement
Regulation / Standard: Regulation
Governing Body: OSC (Ontario Securities Commission)
Country: Canada
Summary: The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts.
Category (E, A, W, I): E
Notes / Comments: http://www.osc.gov.on.ca/MarketRegulation/SRO/ida/rr/srr-ida_20050107_not-pro-bylaw-17-19.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: India BCP
Regulation / Standard: Regulation
Governing Body: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
Country: India
Summary: Enforced by audit; requires BCP documentation and testing at least annually.
Significant Dates, Fines, Penalties: BCP, DR Site
Category (E, A, W, I): E
Notes / Comments: http://www.continuitycentral.com/news02721.htm ; http://www.expresscomputeronline.com/20030519/indnews3.shtml
Date of Last Review or Confirmation: August 4, 2007

Title: Indonesia BCP
Regulation / Standard: Regulation
Governing Body: Bank Indonesia (Central Bank)
Country: Indonesia
Summary: Requires BCP documentation and testing at least annually, with focus on the Bank Indonesia RTGS system. Requires Internal Audit to conduct an audit at least annually and provide a report to Bank Indonesia.
Significant Dates, Fines, Penalties: BCP RTGS, DR Site
Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007

Title: Information Technology Control Guidelines
Regulation / Standard: Standard
Governing Body: Canadian Institute of Chartered Accountants
Country: Canada
Summary: Crisis Management for Directors
Category (E, A, W, I): E
Notes / Comments: http://www.cica.ca/multimedia/Download_Library/Standards/CoCo/cris-eng-txt.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Interagency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007)
Regulation / Standard: Regulation
Governing Body: FRB (Federal Reserve Bank); OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission)
Country: U.S.A.
Summary: During discussions about the lessons learned from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole:
  - Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
  - Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
  - A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
Dates, Fines, Penalties: For Market Utilities and Core Clearing and Settlement Agencies, goal to meet objectives is end of 2004. For Significant Role Firms, the goal is no later than 2006.
Significant Category: E
Notes / Comments: http://www.sec.gov/news/studies/34-47638.htm
Date of Last Review or Confirmation: August 4, 2007

Title: IRS Procedure 91-59 (Superseded IRS Procedure 86-19)
Regulation / Standard: Regulation
Governing Body: IRS (Internal Revenue Service)
Country: U.S.A.
Summary:
  - Legal requirements for computer records containing tax information.
  - Requires off-site protection and documentation of computer records maintaining tax information.
Significant Category: I
Notes / Comments: IRS Ruling 98-25 supersedes this: http://www.uiowa.edu/~fusrmp/irsruling98-25.html
Date of Last Review or Confirmation: August 4, 2007

Title: ISO 9000
Regulation / Standard: Standard
Governing Body: ISO
Country: International
Summary: ISO 9000:2000, Quality management systems - Fundamentals and vocabulary. Covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards. Purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans.
Significant Category: W
Notes / Comments: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp ; http://en.wikipedia.org/wiki/ISO_9000
Date of Last Review or Confirmation: August 4, 2007

Title: ISO 9001
Regulation / Standard: Standard
Governing Body: ISO
Country: International
Summary: ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
Significant Category: W
Notes / Comments: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp ; http://en.wikipedia.org/wiki/ISO_9000
Date of Last Review or Confirmation: August 4, 2007

Title: ISO 9002, Quality assurance standard
Regulation / Standard: Standard
Governing Body: ISO
Country: International
Summary: Addresses risk management and continuity planning issues for compliance.
Significant Category: W
Notes / Comments: http://en.wikipedia.org/wiki/ISO_9002
Date of Last Review or Confirmation: August 4, 2007

Title: ISO 9004 Quality management systems - Guidelines for performance improvement
Regulation / Standard: Standard
Governing Body: ISO
Country: International
Summary: ISO 9004:2000 Quality management systems - Guidelines for performance improvements. Covers continual improvement. This gives you advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.
Significant Category: W
Notes / Comments: http://en.wikipedia.org/wiki/ISO_9004
Date of Last Review or Confirmation: August 4, 2007

Title: ISO/IEC 17799:2000
Regulation / Standard: Standard
Governing Body: ISO (International Organization for Standardization)
Country: International
Summary: Focuses on
  - Business continuity management process
  - Writing and implementing continuity plans
  - Business continuity planning framework
  - Business continuity and impact analysis
  - Testing and maintaining BCPs
  Areas reviewed include:
Significant Category: W
Notes / Comments: http://en.wikipedia.org/wiki/ISO_17799
Date of Last Review or Confirmation: August 4, 2007

Title: IT Security Guidelines - G3
Regulation / Standard: Standard
Governing Body: Information Technology Services Department - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary: Introduces general concepts relating to Information Technology Security and elaborates interpretations on the Baseline IT Security Policy. It also provides readers some guidelines and considerations in defining security requirements.
Dates, Fines, Penalties: In this document, government bureau and departments are suggested to consider implementing a BCP as part of business planning. 4/1/2003
Notes / Comments: http://www.ogcio.gov.hk/eng/prodev/esecpol.htm
Date of Last Review or Confirmation: August 4, 2007

Title: ITIL - IT Infrastructure Library
Regulation / Standard: Standard
Governing Body: ITIL (IT Infrastructure Library)
Country: U.S.A.
Summary:
  - Global standard in the area of service management. Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services. Covers areas dealing with:
  - Potential for data loss
  - Vital records cre
Significant Category: W
Notes / Comments: http://www.ogc.gov.uk/index.asp?id=2261 (official webpage); http://en.wikipedia.org/wiki/ITIL
Date of Last Review or Confirmation: August 4, 2007

Title: JCAHO Accreditation Manual for Hospitals (1997)
Country: U.S.A.
Summary: Guidelines for information management established by JCAHO. Standard Label: IM.1.20 - The [organization] plans for the continuity of its information management processes.
Significant Category: E
Notes / Comments: http://www.jointcommission.org/NR/rdonlyres/E2B871E6-E315-4B1D-A7FD-5C5E655C8605/0/sii_ahc_im_proposed_revisions.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: King I Report - 1994; King II Report - 2002
Regulation / Standard: Standard
Governing Body: King Committee on Corporate Governance
Country: South Africa
Summary: This is a standard for good corporate governance which most companies in South Africa make reference to in their AFS and try to adhere to.
Significant Category: W
Notes / Comments: (Industry) Available to order from the Institute of Directors (IoD): http://www.iodsa.co.za/king.asp
Date of Last Review or Confirmation: August 4, 2007




                                                                                                                                               Page 13 of 25

Title: Korea BCP
Regulation / Standard: Regulation
Governing Body: Foreign Financial Supervisory
Country: Korea
Summary: Recovery of core business (Bank, Securities, Futures) within 3 hours. Need for proper capacity planning. Appropriate access control to DR system. Regular and ad-hoc test requirement.
Dates, Fines, Penalties: BCP, DR Site
Significant Category (E, A, W, I): E
Notes / Comments: http://www.fsc.go.kr/eng/id/ck4.asp
Date of Last Review or Confirmation: August 4, 2007
Title: Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc. Mar 2006
Country: Canada
Significant Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007
Title: Major Hazard Installation Regulations, 1993
Regulation / Standard: Regulation
Governing Body: Occupational Health & Safety
Country: South Africa
Summary: Talks about emergency plans: "emergency plan" means a plan in writing which, on the basis of identified potential incidents at the installation, together with their consequences, describes how such incidents and their consequences should be dealt with on-
Notes / Comments: http://www.labour.gov.za/useful_docs/doc_display.jsp?id=10091 Subject to the provisions of subregulation (3) these regulations shall apply to employers, self-employed persons and users, who have on their premises, either permanently or temp
Date of Last Review or Confirmation: August 4, 2007

Title: Management, Supervision and Internal Control Guidelines ("The Internal Control Guidelines")
Regulation / Standard: Standard
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary: "A licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arisin
Dates, Fines, Penalties: In section 36 under operational risk: An effective business continuity plan appropriate to the size of the firm is implemented to ensure that the firm is protected from the risk of interruption to its business continuity. Key processes in this area
Notes / Comments: Copies of the Guidelines are available at the SFC. They can also be found on the SFC's website at http://www.hksfc.org.hk.
Date of Last Review or Confirmation: August 4, 2007
Title: Manila Bank BCP
Regulation / Standard: Regulation
Governing Body: Bank of Central Philippines (local central bank)
Country: Philippines
Summary: Enforced by audit; requires all banks to set up a disaster recovery facility.
Dates, Fines, Penalties: DR Site
Significant Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007




                                                                                                                                        Page 14 of 25

Title: Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA
Regulation / Standard: Regulation
Governing Body: FISC (The Center for Financial Industry Information System)
Country: Japan
Summary: Audit matter. Appointment of BCP manager. Implementation of policy & standard. Proper documentation. Regular review of plan. Corporate-wide testing at least annually. Planning for different scenarios.
Dates, Fines, Penalties: BCP development (DR site/vital records, etc)
Significant Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007

Title: MAS Business Continuity Management Guidelines (June 2003)
Regulation / Standard: Regulation
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary: 7 Guiding Principles on Senior Management responsibilities for BCM; embedding BCM into Business-as-usual activities, incorporating sound practices; testing BCP regularly, completely and meaningfully; developing recovery strategies and setting RTO for crit
Dates, Fines, Penalties: International
Significant Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007
Title: MAS Consultation Paper On Business Continuity Planning (BCP) Guidelines (10-Jan-03)
Regulation / Standard: Regulation
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary: · Guidelines encourage adoption of BCP Practices by financial institutions in Singapore. · Guidelines help financial institutions to prepare to be aware by establishing a comprehensive Business Continuity Plan.
Significant Category (E, A, W, I): E
Date of Last Review or Confirmation: August 4, 2007

Title: MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004)
Regulation / Standard: Standard
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary: Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality and ef
Dates, Fines, Penalties: International. Issued October 2007. Updated July 1 2005.
Significant Category (E, A, W, I): E
Notes / Comments: http://www.mas.gov.sg/legislation_guidelines/risk_mgt/Guidelines_on_Risk_Management_Practices.html
Date of Last Review or Confirmation: August 4, 2007

Title: Ministry for Provincial & Local Government Disaster Management Act, 2002
Regulation / Standard: Regulation
Country: South Africa
Summary: Proposed national disaster management framework. Provides for: · An integrated and coordinated disaster management policy that focuses on preventing and reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid
Notes / Comments: To be provided. http://disaster.co.za/docs/DisasterManagementAct572002.doc
Date of Last Review or Confirmation: August 4, 2007

Title: NASD Rule 108 (Sept 9, 02) and SR-NASD-
Regulation / Standard: Regulation
Governing Body: NASD (North American Securities
Country: U.S.A.
Summary: · Each member must create and maintain a written business continuity plan identifying procedures relating to an
Significant Category (E, A, W, I): E
Notes / Comments: http://www.sec.gov/rules/sro/nasd2002108/
                                                                                                                                                                                                                                                                                                                                                                             August 4, 2007

2002-112 (March 10,                  Dealers Association)/                emergency or significant business disruption.                                                               nasd2002108typea.ht
03)                                                                                                                                                                                   m
                                           SEC                            · Must update its plan in the event of any material change to
(Release No. 34-                                                          the member's operations, structur
48503; File No. SR-
NASD-2002-108)




Title: NASD Rule 3500: Emergency Preparedness, Part 3510: Business Continuity Plans
Type: Regulation
Governing body: NASD
Country: U.S.A.
Summary: Requires a Business Continuity Plan addressing:
  · Alternate communications between customers, firm and employees
  · Business constituent, bank and counter party impact
  · Regulatory Reporting
  · Mission Critical Systems
  · Operational and Finan…
Significant category (E, A, W, I): E
Notes / comments: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf
Date of last review or confirmation: August 4, 2007

Title: NASD Rule 3500: Emergency Preparedness, Part 3520: Emergency Contact Information
Type: Regulation
Governing body: NASD
Country: U.S.A.
Summary: Rule 3520 requires NASD members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the e…
Significant category (E, A, W, I): E
Notes / comments: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf (notice to members)
Date of last review or confirmation: August 4, 2007

Title: NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
Type: Regulation
Governing body: CFTC (Commodity Futures Trading Commission)
Country: U.S.A.
Summary: Requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
Significant category (E, A, W, I): E
Notes / comments: http://www.nfa.futures.org/printerFriendly.asp?tag=2-38
Date of last review or confirmation: August 4, 2007

Title: NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
Type: Standard
Governing body: NFPA
Country: U.S.A.
Summary: Guideline of a step-by-step approach to emergency planning, response and recovery for companies.
Significant category (E, A, W, I): W
Notes / comments: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111 (ordering information); http://www.nfpa.org/assets/files/PDF/111-05-ROPDraft.pdf (report on proposals)
Date of last review or confirmation: August 4, 2007

Title: NFPA 232: Standard on Protection of Records
Type: Standard
Governing body: NFPA
Country: U.S.A.
Summary: Standards for protection of business records, archives and records centers.
Significant category (E, A, W, I): W
Notes / comments: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232 (ordering information)
Date of last review or confirmation: August 4, 2007

Title: NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
Type: Standard
Governing body: NFPA (National Fire Protection Association)
Country: U.S.A.
Summary: Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
Significant category (E, A, W, I): W
Notes / comments: http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
Date of last review or confirmation: August 4, 2007

Title: NIST SP 800-34 Contingency Planning Guide
Type: Standard
Governing body: NIST (National Institute of Standards and Technology)
Country: U.S.A.
Summary:
  · Details the fundamental planning principles necessary for developing an effective contingency capability.
  · Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
Significant category (E, A, W, I): E
Notes / comments: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
Date of last review or confirmation: August 4, 2007

Title: NYSE Rule 446: Business Continuity and Contingency Planning
Type: Regulation
Governing body: NYSE (New York Stock Exchange)
Country: U.S.A.
Summary:
  · Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption.
  · Yearly review must be conducted of the business conti…
Dates, fines, penalties: Possible image and reputation impacts for not complying with stock market regulations including, in extreme cases, potential de-listing.
Significant category (E, A, W, I): E
Notes / comments: http://rules.nyse.com/NYSETools/ExchangeViewer.asp?selectednode=chp%5F1%5F5%5F11%5F4&manual=%2Fnyse%2Fnyse%5Frules%2Fnyse%2Drules%2F
Date of last review or confirmation: August 4, 2007

OCC 2001-47: Third-Party Relationships (November 1, 2001)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: Provides guidance to national banks on managing risks resulting from business relationships with third parties. It explains that third-party contracts should provide for:
    · Continuation of the business function in the event of problems with the third
  Infrastructure Category: E
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.occ.treas.gov/ftp/bulletin/2001-47.txt

OCC 2003-18: FFIEC (March 2003)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: Information Technology Examination Handbook - Business Continuity Planning and supervision of Technology Service Providers Booklets. The BCP Booklet describes the process for managing business continuity based on risk as the following:
    · Business impact
  Infrastructure Category: E
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.occ.treas.gov/ftp/bulletin/2003-18.doc

OCC 97-23: Corporate Business Resumption and Contingency Planning (May 16, 1997)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary: [NOTE: Rescinded - SEE 2003-18]
  Infrastructure Category: E
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: RESCINDED by OCC 2003-18

OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999)
  Regulation / Standard: Regulation
  Governing Body: OCC
  Country: U.S.A.
  Summary:
    · Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingen
    · Exp
  Infrastructure Category: E
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.occ.treas.gov/ftp/bulletin/99-9.txt

OSHA - Occupational Safety and Health Administration
  Regulation / Standard: Regulation
  Governing Body: OSHA (Occupational Safety and Health Administration)
  Country: U.S.A.
  Summary:
    · Disaster preparedness
    · OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
    · For businesses with 10 or less a written plan is not mandated but recommended.
  Infrastructure Category: I
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.osha.gov/

                                                                                                                                               Page 17 of 25
Personal Data (Privacy) Ordinance
  Regulation / Standard: Standard
  Governing Body: Office of the Privacy Commissioner for Personal Data - The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data to Hong Kong from restrict
  Significant Dates, Fines, Penalties: Based on the Data Protection Principles published, the relevant principles to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to persona
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.pco.org.hk/english/ordinance/ordglance.html

Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002)
  Regulation / Standard: Standard
  Governing Body: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
  Country: U.S.A.
  Summary: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis preparation, prevention, and continuous improvement
  Infrastructure Category: W
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.businessroundtable.org/pdf/722.pdf

Privacy Act of 1974 (5 USC 552a)
  Regulation / Standard: Regulation
  Country: U.S.A.
  Summary: Requires management to safeguard and to keep the information accurate and current to protect the individual.
  Infrastructure Category: I
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: http://www.usdoj.gov/foia/privstat.htm

                                                                                                                                            Page 18 of 25
Prudent Man Concept
  Regulation / Standard: Regulation
  Governing Body: Common Law; Negligence Liability
  Country: International
  Summary:
    · As per the Uniform Commercial Code, legal standard used to determine whether appropriate action was taken in a particular situation.
    · Directors, senior management, officers and agents, when working for an organization, are considered to be in a posi
  Infrastructure Category: I
  Date of Last Review or Confirmation: August 4, 2007
  Notes / Comments: Uniform Commercial Code; http://www.dodson-edgars.com/services.htm. Any company, regardless of its industry, is expected to exercise due-care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners. Due-Care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due-care is seen in the same light by State and Federal
                                                                                                                                                                                 Courts.




Title: Public Finance Management Act, 1999 - DRAFT Treasury Relations
Regulation / Standard: Regulation
Country: South Africa
Summary: Unable to find anything specific to BC or DR… "availability of financial information" was included…
Notes/Comments: http://www.acts.co.za/public_fin_man/index.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Publicly Available Specification (PAS) 56 - Guide to Business Continuity Management
Regulation / Standard: Standard
Governing Body: BSI (British Standards Institute)
Country: UK
Summary:
· Describes establishment of a BCM practice and provides recommendations.
· Provides BCM framework for anticipation and response to incidents.
PAS56 is intended for the person responsible for managing and applying business continuity within the or
Category (E, A, W, I): E
Notes/Comments: http://www.pas56.com/
Date of Last Review or Confirmation: August 4, 2007





Title: Risk Management Standard, AIRMIC, ALARM, IRM; 2002
Regulation / Standard: Standard
Governing Body: AIRMIC (Association of Insurance and Risk Managers); ALARM (National Forum for Risk Management in the Public Sector)
Country: UK
Summary: Establishes guidelines for Risk Management including
· Risk Assessment
· Risk Reporting
· Risk Treatment
9.4 The role of the Risk Management function should include the following:
· (bullet 8) developing risk response processes, including contin
Category (E, A, W, I): W
Notes/Comments: http://www.airmic.com/
Date of Last Review or Confirmation: August 4, 2007

Title: SAMOS and CLS Business Continuity Procedures - SA Reserve Bank
Regulation / Standard: Standard
Governing Body: South African Reserve Bank, National Payment System Department
Country: South Africa
Summary: Continuity Procedures for SA Reserve Bank and Business Participants
Category (E, A, W, I): E
Notes/Comments: www.reservebank.co.za/internet/Publication.nsf/LADV/8B8A38FD0C1E5F5042256FCE00308106/$File/CLSBCP_SARB.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) - SECTION 404
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
· Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creation,
Significant Dates, Fines, Penalties: Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
Category (E, A, W, I): E
Notes/Comments: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Sarbanes-Oxley Act of 2002: SECTION 409
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
· Issuers must disclose information on material changes in financial condition on a regular basis
Areas assessed include:
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creation
Significant Dates, Fines, Penalties: If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion.
Category (E, A, W, I): E
Notes/Comments: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007





Title: Statement on Auditing Standards (SAS) 70 audit reports
Regulation / Standard: Standard
Governing Body: American Institute of Certified Public Accountants (AICPA)
Country: U.S.A.
Summary: SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.
Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
Significant Dates, Fines, Penalties: Effective 1993
Notes/Comments: http://www.sas70.com/
Date of Last Review or Confirmation: August 4, 2007

Title: SEC 38-a: Investment Company Act of 1940
Governing Body: SEC
Country: U.S.A.
Category (E, A, W, I): E
Notes/Comments: http://www.law.uc.edu/CCL/InvCoAct/sec38.html
Date of Last Review or Confirmation: August 4, 2007

Title: SEC Act of 1934: (15 U.S.C.A 78A)
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Without a current Service Auditor's Report, a service organization may have to entertain multiple audit
Category (E, A, W, I): E
Notes/Comments: http://www.sec.gov/about/laws/sea34.pd
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

                                                                             requests from its customers and their respective                                                         f
Rule 17a-4                                                                   auditors. Multiple visits from user auditors can
                                                                             place a strain on the service organization's                                                             http://www.sec.gov/
                                                                             resources. A Service Auditor's Report ensures that                                                       about/laws.shtml#se
                                                                             all user organizations and their auditors have access                                                    cexact1934
                                                                             to the same information and in many cases this will
                                                                                                                                                                                      (summary
                                                                             satisfy the user auditor's requirements.
                                                                                                                                                                                      information)
Securities and
Exchange Act,
                         Regulation SEC                           U.S.A.     · Policy addresses criminal liability of Directors and officers
                                                                             for failure to: Protect computerized information; Document
                                                                                                                                               Potential fines
                                                                                                                                               imposed include
                                                                                                                                                                            E         http://www.law.uc.ed
                                                                                                                                                                                      u/CCL/34Act/sec32.ht
                                                                                                                                                                                                                                                                                                                                                                    August 4, 2007

Sections 32(a) and (b)                                                       process used to assess risks of information loss; exercise        personal fines up to                   ml
                                                                             ―duty of care‖                                                    $10,000 and
                                                                                                                                               corporate fines up to
                                                                             · Burden of proof lies with the Directors and Officers            $1,000,000.





Title: Supervision of Technology Service Providers Booklets (May 2003)
Regulation / Standard: Standard
Governing Body: FFIEC
Country: U.S.A.
Summary: BUSINESS CONTINUITY PLANNING, SUPERVISION OF TECHNOLOGY SERVICE PROVIDER GUIDANCE RELEASED BY FEDERAL FINANCIAL REGULATORS

The Business Continuity Planning Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

Examiners should focus on:

· Management of Technology- the planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or technology service providers.

· Int
Category: W
Notes/Comments: http://www.ffiec.gov/press/pr052003.htm
Date of Last Review or Confirmation: August 4, 2007


Title: Telecommunications Act of 1996
Regulation / Standard: Regulation
Governing Body: FCC - Federal Communications Commission
Country: U.S.A.
Summary: The act was intended to promote competition in the telecommunications industry. Section 256 gives the FCC the right to oversee that telecommunications networks "seamlessly and transparently transmit and receive information between and across telecommunications networks."

The FCC's Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
Notes/Comments: www.fcc.gov/telecom.html
Date of Last Review or Confirmation: August 4, 2007


Title: Terrorism- Real Threats, Real Costs, Joint solutions (June 2003)
Regulation / Standard: Standard
Governing Body: Business Roundtable
Country: U.S.A.
Summary: The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat. It then recommends various tools and procedures for government to use when regulating and outlines the difficulty of allocating the costs of security.
Category: W
Notes/Comments: http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
Date of Last Review or Confirmation: August 4, 2007


Thailand BCP            Regulation Governing Body will
                                   be Bank of Thailand /
                                                            Thailand    The FCC’s Network Reliability and Interoperability Council
                                                                        provides best practices for business continuity and disaster
                                                                                                                                        BCP, Vital records, DR
                                                                                                                                        Site
                                                                                                                                                                      E         Unofficial Translation
                                                                                                                                                                                by the courtesy of
                                                                                                                                                                                                                                                                                                                                                                       August 4, 2007

                                   Securities and                       recovery in the telecommunications industry. (www.nric.org)                                             The Foreign Banks'
                                   Exchange                                                                                                                                     Association
                                   Commission, Thailand.                                                                                                                        This translation is for
                                                                                                                                                                                the convenience of
                                                                                                                                                                                those unfamiliar with
                                                                                                                                                                                the Thai language.
                                                                                                                                                                                Please refer to the
                                                                                                                                                                                Thai text for the
                                                                                                                                                                                official version:

                                                                                                                                                                                www.bot.or.th/fipcs/D
                                                                                                                                                                                ocuments/FPG/2550/E
                                                                                                                                                                                ngPDF/25500011.pdf




Title: The Promotion of Access to Information Act (#2 of 2000)
Regulation / Standard: Regulation
Governing Body: Parliament of the Republic of South Africa
Country: South Africa
Summary: ACT - To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected ther
Notes / Comments: www.info.gov.za/gazette/acts/2000/a2-00.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Turnbull Report (September 1999)
Regulation / Standard: Regulation
Governing Body: Institute of Chartered Accountants in England and Wales
Country: UK
Summary: Internal Control - Guidance for Directors on the Combined Code
· States that anyone listed on the London Stock Exchange must have BCP
· Requires companies to report whether the board has reviewed the system of "internal
Significant Dates, Fines, Penalties: Those companies found in violation could be de-listed from the London Stock Exchange.
Category: E
Notes / Comments: www.icaew.co.uk/index.cfm?route=120907
Date of Last Review or Confirmation: August 4, 2007
Title: USA Patriot Act of 2001 (P.L. 107-56, 2001 HR 3162)
Regulation / Standard: Regulation
Governing Body: DHS
Country: U.S.A.
Summary: The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
Significant Dates, Fines, Penalties:
· Within 6 months after the date of enactment of this act, the secretary and other appropriate government agencies shall submit a report to Congress.
· Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts.
Category: E
Notes / Comments: http://www.epic.org/privacy/terrorism/hr3162.html
Date of Last Review or Confirmation: August 4, 2007




Title: Various OCC Comptroller's Handbooks
Regulation / Standard: Standard
Governing Body: Office of the Comptroller
Country: U.S.A.
Summary: The OCC Comptroller Handbooks are issued to provide guidance for examiners. Several of these handbooks discuss business continuity planning. Listed below are some of the OCC handbooks that discuss BCP:
* Asset Management
* Asset Securitization
* Community Bank Fiduciary Activities Supervision
* Community Bank Supervision
* Custody Services
* Emerging Market Country Products and Trading Activities
* Federal Branches and Agencies Supervision
* Insurance Activities
* Internal and External Audits
* Internal Controls
* Internet Banking
* Investment Management Services
* Large Bank Supervision
* Liquidity
* Merchant Processing
* Risk Management of Financial Derivatives
Notes / Comments: www.occ.treas.gov/handbook/S&S.htm
Date of Last Review or Confirmation: August 4, 2007

Title: VISA CISP (Cardholder Information Security Program)
Regulation / Standard: Standard
Governing Body: VISA, endorsed by AMEX, Diners, Discover, JCB
Country: U.S.A.
Summary: Required compliance standards for major credit card companies for regular security assessments and reporting.
Significant Dates, Fines, Penalties: Failure to comply can result in:
· Fines of $50,000 for first violation, $100,000 for the second violation.
· Restrictions on merchant
· Permanent prohibition of participation in Visa
Category: E
Notes / Comments: http://www.usa.visa.com/merchants/risk_management/cisp_overview.html?it=l2|/merchants/risk_management/cisp.html|Overview#anchor_2
Date of Last Review or Confirmation: August 4, 2007

Enforced (E) Most frequently enforced for compliance purposes
Ambiguous (A) Further clarification regarding strong ties with Business Continuity need to happen
Watch List (W) Participating members should be looking for the presence of this item within the coming months/years
Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization








                                                                                                                                                   Homework Assigned by Rows


   Acronym                   Country       Definition


   BSE                          India      Bombay Stock Exchange
   DHS                         U.S.A.      Department of Homeland Security (USA)
   FRB                         U.S.A.      Federal Reserve Bank
   FSSCC                       U.S.A.      Financial Services Sector Coordinating Council for Critical Infrastructure Protection
   NSE                          India      National Stock Exchange
   OCC                         U.S.A.      Office of the Comptroller of the Currency
   RBI                          India      Reserve Bank of India
   SEBI                         India      Securities & Exchange Board of India
   SEC                         U.S.A.      Securities and Exchange Commission




R&R Acronyms