4/14/2011 1:11 PM
The following is a DRAFT of the R&R Committee Mission Statement provided by Peter Laz on April 26, 2007, with the editorial support of the committee:
The mission of the DRJ Editorial Advisory Board's (EAB) Rules & Regulations Committee is to:
- Develop a repository of Business Continuity / Disaster Recovery regulations, statutes and standards across various industries and countries
- Enable access to the repository for all Business Continuity / Disaster Recovery practitioners
- Maintain the repository
The above mission statement was reviewed and approved by the R&R Committee during our meeting on Tuesday, May 1, 2007.
R&R Mission Statement Page 1 of 24
Disaster Recovery Journal Rules Regulations Committee 4/14/2011 1:11 PM
Editorial Advisory Board
The following content was compiled by volunteers, and is as accurate as possible.
The content is subject to change without notice. For the most timely information please go directly to the source.
Columns of the regulations and standards repository:
- Title
- Regulation / Standard (Category)
- Governing Body
- Country
- Summary
- Significant Dates, Fines, Penalties
- Infrastructure Category: Banking & Finance; Information & Communications; Energy (including nuclear); Agriculture, Food Supply & Water; Transportation & Shipping; Public Agencies; Public Health & Healthcare; Government & Industry
- Information Distribution (E, A, W, I)
- DRJ EAB R&R Use: Notes / Comments
- Date of Last Review or Confirmation
Title: 2002 ACH Rules Book
Regulation / Standard: Regulation
Governing Body: ACH (Federal Reserve's Automated Clearinghouse Association)
Country: U.S.A.
Summary:
· Requires 6 year file retention on all ACH transactions
· An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions
Significant Dates, Fines, Penalties: Non-compliant fines not more than $10,000 or imprisoned not more than ten years, or both (Treasury Department decision)
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.fms.treas.gov/ach/interim_2003.pdf (order form)
Date of Last Review or Confirmation: August 4, 2007

Title: 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004)
Regulation / Standard: Regulation
Governing Body: CFR (Code of Federal Regulations)
Country: U.S.A.
Summary:
· Continuity of operations for Critical Infrastructure
· Disclosure of critical information to the government
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi
Date of Last Review or Confirmation: August 4, 2007

Title: ANAO Better Practice Guide: Business Continuity Management- Keeping the Wheels in Motion
Regulation / Standard: Standard
Governing Body: ANAO (Australian National Audit Office)
Country: Australia, New Zealand
Summary:
· Presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed
· Managers should have an ongoing focus on business continuity
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: ANSI/ARMA 5-2003 Vital Records Programs
Regulation / Standard: Regulation
Governing Body: ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators)
Country: U.S.A.
Summary: Sets requirements for establishing a vital records program by:
- Identifying and protecting vital records
- Assessing and analyzing their vulnerability
- Determining the impact of their loss on the organization
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster.
Date of Last Review or Confirmation: August 4, 2007

Title: AS/NZ 4390, Records Management Standard
Regulation / Standard: Standard
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary: Establishes guidelines for records management
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: AS/NZ 4444.2: 2000 Information Security Standard, includes business continuity section.
Regulation / Standard: Standard
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary:
· It is intended for use by employees or managers who are implementing and maintaining information security in their organization
· States that organizations need to undertake a risk assessment including business continuity planning
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: AS/NZS 4360;2004 DRAFT, Risk Management Standard; Business Continuity
Regulation / Standard: Standard
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary: Guidelines that assist with the development of an effective Risk Management and Business Continuity Plan
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: ASIS GDL BC 10 2004) -DRAFT- Business Continuity Guideline
Regulation / Standard: Standard
Governing Body: ASIS International
Country: U.S.A.
Summary:
· Tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or emergency) so that it can manage and survive the crisis and take appropriate actions to ensure its continued viability
· Outlines a planning pr
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.asisonline.org/guidelines/guidelinesbusinesscon.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Australia BCP
Regulation / Standard: Regulation
Governing Body: Australia Financial Markets Association
Country: Australia
Summary: Will be enforced by audit (once published) but recommended by audit at the moment. Requires need for BCP documentation and testing at least annually, planning for different scenarios.
Significant Dates, Fines, Penalties: BCP, Vital records, DR Site
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: Australian Commonwealth Criminal Code
Regulation / Standard: Regulation
Governing Body: Australian Government
Country: Australia
Summary: Establishing criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: Banks Act (94/1990) Regs
Country: South Africa
DRJ EAB R&R Use (Notes / Comments): http://www.acts.co.za/Banks/Index.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Basel II: New Basel Capital Accord (April 2003)
Regulation / Standard: Regulation
Governing Body: Basel
Country: International
Summary: Addresses Operational Risk and defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.federalreserve.gov/boarddocs/press/bcreg/2004/20040626/attachment.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: BS7799-2; 2002, Section 9, Business Continuity and Disaster Recovery Planning
Regulation / Standard: Regulation
Governing Body: BSI
Country: UK
Summary:
· Part 1 was the basis for ISO 7799
· Part 2 has not been adopted by ISO but is accepted by many other national standards
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.itgovernance.co.uk/files/ISMS%20Implementation%20and%20ITG%20Tools.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Bulletin R-67
Regulation / Standard: Regulation
Governing Body: Federal Home Loan Bank
Country: U.S.A.
Summary: Follows intent of BC 177 which required:
- Documented, exercised and maintained recovery plans are required for all user environments and business functions
- Recovery Plans must be tested "periodically" and results documented
- Plans reviewed annually b
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): Comptroller of Currency BC-177 (1983, 1987) superseded by FFIEC and Federal Home Loan Bank Bulletin R-67 (1986) superseded by FFIEC - Requires banking institutions to develop and maintain Business Recovery Plans. Inter-Agency Policy from Federal Financial
Date of Last Review or Confirmation: August 4, 2007

Title: Business Continuity at Bank of Japan.
Regulation / Standard: Standard
Governing Body: BOJ (Bank of Japan)
Country: Japan
Summary: Consensus- This plan assumes an approach to aim at operational continuity. Proper documentation. System / people recovery. Corporate-wide testing at least annually. Planning for different scenarios. No clear guideline to follow.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: Business Continuity Institute "Good Practices"
Regulation / Standard: Standard
Governing Body: BCI (Business Continuity Institute)
Country: UK
Summary:
· In alignment with DRII "Professional Practices"
· More specific
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.thebci.org
Date of Last Review or Confirmation: August 4, 2007
Title: Business Continuity Planning Committee Best Practice Guidelines (Aug 2002)
Regulation / Standard: Standard
Governing Body: SIA (Securities Industry Association)
Country: U.S.A.
Summary:
· Each firm should have in place a BC (Business Continuity) program
· BC Policy Document
· Executive and corporate group responsible for overseeing BC program
· Business managers should review, implement, fund, and sign-off of BC plans
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.imagingservices.com/content.pages/bestpractices.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Business Continuity Planning Supervisory Policy Manual - TM-G-2
Regulation / Standard: Regulation
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary: This Manual sets out the HKMA's latest supervisory policies and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices tha
Significant Dates, Fines, Penalties: · Recovery
DRJ EAB R&R Use (Notes / Comments): This manual takes a supervisory approach where the HKMA's objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruptio
Date of Last Review or Confirmation: August 4, 2007

Title: California SB 1386- Security of Non-Encrypted Customer Information (July 1, 2003)
Regulation / Standard: Regulation
Governing Body: State of California
Country: U.S.A.
Summary: Bill requires all agencies, persons or businesses that conduct business in California that owns or licenses computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Significant Dates, Fines, Penalties: Effective July 1, 2003.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.legalarchiver.org/sb1386.htm
Date of Last Review or Confirmation: August 4, 2007

Title: CAN/CSA-Z 731-03
Regulation / Standard: Standard
Governing Body: CSA (Canadian Standards Association)
Country: Canada
Summary: · Canada's Emergency Preparedness and Response Standards
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: China
Regulation / Standard: N/A
Country: China
Summary: · There are extensive regulations and standards around Information Protection within the People's Republic of China (PRC)
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: Circular to Licensed Corporations - "Business continuity planning against serious communicable diseases"
Regulation / Standard: Standard
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary: The Securities and Futures Commission used the circular to remind licensed persons to take precautions against a reoccurrence of SARS or other serious communicable diseases. The Commission was concerned of the potential disruption to intermediaries' opera
Significant Dates, Fines, Penalties: 1/24/2003
DRJ EAB R&R Use (Notes / Comments): Suggestions were given in the circular on procedure and policies to be reviewed, revised or devised to ensure business continuity or prevent material disruption to operation in the event of staff infection. To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Civil Contingencies Bill (Bill 53, Feb 2004)
Regulation / Standard: Regulation
Governing Body: British Law
Country: UK
Summary:
· Local arrangements for civil protection
· Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that if an emergency occurs that the persons or bodies are able to continue to
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: COBIT-Control Objectives for information and related Technology (4.1) (May 2007)
Regulation / Standard: Standard
Governing Body: IT Governance Institute Standards
Country: U.S.A.
Summary: Generally accepted information technology control objectives for information technology. Domains include:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
Significant Dates, Fines, Penalties: Areas Reviewed for compliance
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: Computer Fraud and Abuse Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary: Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices. It wa
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.techfirm.com/cfaa.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Consumer Credit Protection Act (CCPA) of 1992, Section 2001 Title IX- Electronic Funds Transfer
Regulation / Standard: Regulation
Country: U.S.A.
Summary: · The purpose of this title to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer
Significant Dates, Fines, Penalties:
· Takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment
· Non-compliant fines not more than $10,000 or imprisone
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.fdic.gov/regulations/laws/rules/6500-200.html
Date of Last Review or Confirmation: August 4, 2007

Title: COSO Enterprise Risk Management Framework (September 2004)
Regulation / Standard: Standard
Governing Body: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Country: U.S.A.
Summary: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: CTIA Telecommunication Industry BCM standard and certification
Regulation / Standard: Standard
Governing Body: CTIA
Country: U.S.A.
Summary:
· The CTIA (Cellular Telecommunications and Internet Association) is working on plans to offer standard business continuity guidance to the communications industry.
· IA CTIA BCM certification will be granted to organizations that display a (soon to b
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method.
Date of Last Review or Confirmation: August 4, 2007

Title: DRAFT Information Security Policy as presented by the Department of Public Service and Administration
Regulation / Standard: Standard
Governing Body: Department of Public Service and Administration
Country: South Africa
Summary: Presents a suite of integrated solutions which, together, offer the tools necessary to integrate information security best practices. Based in ISO 17799 and BS 7799.
DRJ EAB R&R Use (Notes / Comments): http://www.dpsa.gov.za/documents/acts&regulations/frameworks/e-commerce/POSITION%20PAPER%20ON%20INFORMATION%20SECURITY1.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: DRI International "Ten Professional Practices for Business Continuity Professionals"
Regulation / Standard: Standard
Governing Body: DRII (Disaster Recovery Institute International)
Country: International
Summary: Professional practice letters include developing business continuity management strategies and other contingency planning. Areas reviewed include:
· Potential for data loss
· Vital records creation, storage and retention
· Business and IT recovery
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.drii.org
Date of Last Review or Confirmation: August 4, 2007

Title: Electronic Fund Transfer Act (EFTA)
Regulation / Standard: Regulation
Governing Body: OCC
Country: U.S.A.
Summary: Establishes the basic responsibilities, rights and liabilities of consumers and financial institutions who use electronic fund transfer services and of that offer these services.
· BCP to meet "reasonable standard of care"
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.ftc.gov/bcp/conline/pubs/credit/elbank.pdf; www.occ.treas.gov/netbank/ebguide.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Fair Credit Reporting Act
Regulation / Standard: Regulation
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary:
· Ensures credit information is accurate and up-to-date
· Designed to promote accuracy and ensure the privacy of the information used in consumer reports
Significant Dates, Fines, Penalties:
· Civil penalty of not more than $2,500 per violation
· State action of damages of not more than $1,000 for each willful or negligent violation
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.ftc.gov/os/statutes/fcra.htm
Date of Last Review or Confirmation: August 4, 2007

Title: FDICIA - Federal Deposit Insurance Corporation Improvement Act of 1991
Regulation / Standard: Regulation
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Country: U.S.A.
Summary: Relevance ? Requires at the beginning of the year that all FDIC-insured depository institutions with total assets of $500 million or more certify that there is effective functioning of their internal controls systems.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.fdic.gov/regulations/laws/rules/8000-2400.html
Date of Last Review or Confirmation: August 4, 2007
Title: Federal Acquisition Regulation; Electronic Funds Transfer Final Rule
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.fms.treas.gov/eft/regulations/fareft.txt
Date of Last Review or Confirmation: August 4, 2007

Title: FEMA 141: Disaster Planning Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA
Country: U.S.A.
Summary: Designed to provide guidance for business and industry officials to respond and recover from disasters.
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): SEE ABOVE
Date of Last Review or Confirmation: August 4, 2007

Title: FEMA Emergency Management Guide for Business and Industry
Regulation / Standard: Standard
Governing Body: FEMA (Federal Emergency Management Agency)
Country: U.S.A.
Summary: A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.fema.gov/pdf/library/bizindst.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC BCP Handbook: Business Continuity Planning (May 2003) - "IT Examination Handbook"
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary:
- Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business
- planning should occur for a BCP
- Business Impact Analysis and Risk assessment are encouraged as the foundation of an effective BCP
- Testing
Significant Dates, Fines, Penalties: Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and financial market
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC FIL 67-97/82-96
Regulation / Standard: Regulation
Governing Body: FFIEC (Federal Financial Institutions Examination Council)
Country: U.S.A.
Summary: Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus.
Areas Reviewed for Compliance: IT Specific recovery document
Information Distribution: A
DRJ EAB R&R Use (Notes / Comments): http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC FIL-81-2005 - Information Technology Risk Management Program (IT-RMP) for conducting IT examinations
Regulation / Standard: Standard
Governing Body: FDIC (Federal Deposit Insurance Corporation)
Summary: Information Technology Risk Management Program (IT-RMP) for conducting IT examinations of FDIC-supervised financial institutions, and cover practices for: Risk assessment, Operations security and risk management, Audit and independent review, Disaster rec
DRJ EAB R&R Use (Notes / Comments): http://www.fdic.gov/news/news/financial/2005/fil8105.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: FFIEC Policy SP-5
Regulation / Standard: Regulation
Governing Body: FFIEC
Country: U.S.A.
Summary: Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.
Significant Dates, Fines, Penalties: Issued July 1989
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial Institutions
Date of Last Review or Confirmation: August 4, 2007
Title: Financial Institutions Reform, Recovery, and Enforcement Act- (FIRREA) of 1989; (P.L. 101-73 1989 HR 1278)
Regulation / Standard: Regulation
Country: U.S.A.
Summary: Policy allows regulators/examiners to impose civil penalties for violations or non-compliance with regulations, laws, temporary agency orders or any breach of a written agreement between an agency and the institution.
Significant Dates, Fines, Penalties: Tiers of penalties for Individual and/or corporate after tax fines:
· Tier 1: up to $5,000 per day
· Tier 2: up to $25,000 per day
· Tier 3: up to $1,000,000 per day
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.academon.com/lib/essay/term-paper-11995.html (summary and purchase information)
Date of Last Review or Confirmation: August 4, 2007

Title: FISMA: Federal Information Security Management Act of 2002
Regulation / Standard: Regulation
Governing Body: FTC
Country: U.S.A.
Summary: Details requirements to
- Assess Risk
- Determine levels of security necessary to protect such information
- Periodically test and evaluate information security controls and techniques
- Develop plans and procedures to ensure continuity of operati
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://csrc.nist.gov/policies/FISMA-final.pdf ? May apply to organizations and institutions communicating with, performing work for, on behalf of a federal agency
Date of Last Review or Confirmation: August 4, 2007

Title: Foreign Corrupt Practices Act of 1977: (P.L. 95-213)
Regulation / Standard: Regulation
Country: U.S.A.
Summary: Policy states that Directors and Officers can be held liable for "failure to enact standards of care" and should they fail to document their assessment processing determining not to develop a contingency plan.
Significant Dates, Fines, Penalties: Issued in 1977
· Civil penalties can range from $5000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
· Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for p
Information Distribution: I
DRJ EAB R&R Use (Notes / Comments): http://www.usdoj.gov/criminal/fraud/fcpa/fcpastat.htm
Date of Last Review or Confirmation: August 4, 2007
Title: FRB (Federal Reserve Banks) SR 96-22
Regulation / Standard: Regulation
Governing Body: Board of Governors of the Federal Reserve System
Country: U.S.A.
Summary: Reviews and enforces the FFIEC's Interagency Supervisory Statement on Risk Management of Client/Server Systems SP-12.
· The statement addresses concerns for security and the controls that should be associated with client/server computing for the officer in charge of each federal reserve bank, including:
· Management should ensure that systems and operations are recoverable after an event causing disruption in service.
· Management should determine that database
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.federalreserve.gov/boarddocs/SRLETTERS/1996/sr9622.htm
Date of Last Review or Confirmation: August 4, 2007

Title: GAO Supplier Requirements
Regulation / Standard: Regulation
Governing Body: GAO (Government Accountability Office)
Country: U.S.A.
Summary: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): Will apply to all organizations providing suppliers or services to GAO or Federal Agencies
Date of Last Review or Confirmation: August 4, 2007

Title: General Principles for Technology Risk Management V.1 - TM-G-1
Regulation / Standard: Standard
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary: To provide AIs with guidance on general principles which AIs are expected to consider in managing technology-related risks
DRJ EAB R&R Use (Notes / Comments): In section 2.6, policies, procedures or service agreements of between AIs and the overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities
Date of Last Review or Confirmation: August 4, 2007

Title: Gramm-Leach-Bliley Act of 1999, section 501 (b): (P.L. 106-102 1999 S 900)
Regulation / Standard: Regulation
Governing Body: Public Law
Country: U.S.A.
Summary: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The act includes record-retention requirements t
Significant Dates, Fines, Penalties: Effective July 1, 2001. Bank must report to the board annually.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://banking.senate.gov/conf/confrpt.htm
Date of Last Review or Confirmation: August 4, 2007

Title: Guidance Note on the Use of Internet for Insurance Activities (GN8)
Regulation / Standard: Standard
Governing Body: Office of the Commissioner of Insurance - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary: To better protect the insuring public and ensuring the healthy development of the industry in the information technology era. The scope of this Guidance Note covers the internet insurance activities of all service providers to the extent that such activit
DRJ EAB R&R Use (Notes / Comments): Point 11 address the issue of security in which service providers are advised to take all practicable steps to ensure a number of items including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website (a), a
To be provided
Date of Last Review or Confirmation: August 4, 2007
Title: Guidelines on Management of IT Environment
Regulation / Standard: Regulation
Governing Body: BNM - Bank Malaysia Central Bank
Country: Malaysia
Summary: Outlines minimum responsibilities and requirements for planning and managing, as well as, establishing preventive and detective measures that should be implemented by institutions to mitigate the risks pertaining to IT environment
Significant Dates, Fines, Penalties: IT environment including business continuity
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HB 221: 2003, Business Continuity Management Handbook
Regulation / Standard: Standard
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary: Sets out the principles and guidance that the Commission expects companies listed on the NZ Stock Exchange to follow for Business Continuity Management and establishing a Business Continuity Plan
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule~ #7. Contingency Plan (164.308(a)(7)(i))
Regulation / Standard: Regulation
Governing Body: GAO
Country: U.S.A.
Summary:
- Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures and Applications and data Criticality Analysis.
- Includes specific BCM points
- Applies to any organizat
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://aspe.hhs.gov/admnsimp/pl104191.htm (whole act)
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA Supervisory Policy Manual, BCP TM-G-2 V.1 02.12.02
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary: Enforced by onsite examinations, requires need for BCP documentation and testing at least annually, planning for different scenarios and prolong outages.
Significant Dates, Fines, Penalties: BCP organization & governance structure; Approach to business continuity planning; Documentation; DR site & vendor management
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): To be provided
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1 V.1 24.06.03
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary: Refers to TM-G-2 on BCP on the need to provide continuous service.
Significant Dates, Fines, Penalties: Need to provide alternative service
Information Distribution: E
Date of Last Review or Confirmation: August 4, 2007

Title: HKMA, Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17.02.04
Regulation / Standard: Regulation
Governing Body: Hong Kong Monetary Authority
Country: Hong Kong
Summary: Refers to TM-G-2 on BCP on the need to provide continuous and/or alternative services.
Significant Dates, Fines, Penalties: Need to provide alternative service
Information Distribution: E
Date of Last Review or Confirmation: August 4, 2007

Title: Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004)
Regulation / Standard: Standard
Governing Body: FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection)
Country: U.S.A.
Summary: Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur.
Information Distribution: W
DRJ EAB R&R Use (Notes / Comments): http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: IDA By-law 17.19 - Business Continuity Plan Requirement
Regulation / Standard: Regulation
Governing Body: OSC (Ontario Securities Commission)
Country: Canada
Summary: The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts.
Information Distribution: E
DRJ EAB R&R Use (Notes / Comments): http://www.osc.gov.on.ca/MarketRegulation/SRO/ida/rr/srr-ida_20050107_not-pro-bylaw-17-19.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: India BCP
Type: Regulation
Governing Body: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
Country: India
Summary: Enforced by audit, requires need for BCP documentation and testing at least annually.
Dates, Fines, Penalties / Comments: BCP, DR Site
Infrastructure Category: E
Reference: http://www.continuitycentral.com/news02721.htm ; http://www.expresscomputeronline.com/20030519/indnews3.shtml
Date of Last Review or Confirmation: August 4, 2007
Title: Indonesia BCP
Type: Regulation
Governing Body: Bank Indonesia (Central Bank)
Country: Indonesia
Summary: Requires BCP documentation and testing at least annually with focus on Bank Indonesia RTGS system. Requires Internal Audit to conduct an audit at least annually and provide report to Bank Indonesia.
Dates, Fines, Penalties / Comments: BCP RTGS, DR Site
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: Information Technology Control Guidelines
Type: Standard
Governing Body: Canadian Institute of Chartered Accountants
Country: Canada
Summary: Crisis Management for Directors
Infrastructure Category: E
Reference: http://www.cica.ca/multimedia/Download_Library/Standards/CoCo/cris-eng-txt.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Interagency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007)
Type: Regulation
Governing Body: FRB (Federal Reserve Bank); OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission)
Country: U.S.A.
Summary: During discussions about the lessons learned from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole:
Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
Dates, Fines, Penalties / Comments: For Market Utilities and Core Clearing and Settlement Agencies, goal to meet objectives is end of 2004. For Significant Role Firms, the goal is no later than 2006.
Infrastructure Category: E
Reference: http://www.sec.gov/news/studies/34-47638.htm
Date of Last Review or Confirmation: August 4, 2007
Title: IRS Procedure 91-59 (Superseded IRS Procedure 86-19)
Type: Regulation
Governing Body: IRS (Internal Revenue Service)
Country: U.S.A.
Summary:
· Legal requirements for computer records containing tax information.
· Requires off-site protection and documentation of computer records maintaining tax information.
Dates, Fines, Penalties / Comments: IRS Ruling 98-25 supersedes this: http://www.uiowa.edu/~fusrmp/irsruling98-25.html
Infrastructure Category: I
Date of Last Review or Confirmation: August 4, 2007
Title: ISO 9000
Type: Standard
Governing Body: ISO
Country: International
Summary: ISO 9000:2000, Quality management systems - Fundamentals and vocabulary. Covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards. Purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans.
Infrastructure Category: W
Reference: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp ; http://en.wikipedia.org/wiki/ISO_9000
Date of Last Review or Confirmation: August 4, 2007
Title: ISO 9001
Type: Standard
Governing Body: ISO
Country: International
Summary: ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
Infrastructure Category: W
Reference: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp ; http://en.wikipedia.org/wiki/ISO_9000
Date of Last Review or Confirmation: August 4, 2007
Title: ISO 9002, Quality assurance standard
Type: Standard
Governing Body: ISO
Country: International
Summary: Addresses risk management and continuity planning issues for compliance.
Infrastructure Category: W
Reference: http://en.wikipedia.org/wiki/ISO_9002
Date of Last Review or Confirmation: August 4, 2007
Title: ISO 9004 Quality management systems - Guidelines for performance improvement
Type: Standard
Governing Body: ISO
Country: International
Summary: ISO 9004:2000 Quality management systems - Guidelines for performance improvements. Covers continual improvement. This gives you advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.
Infrastructure Category: W
Reference: http://en.wikipedia.org/wiki/ISO_9004
Date of Last Review or Confirmation: August 4, 2007
Title: ISO/IEC 17799:2000
Type: Standard
Governing Body: ISO (International Organization for Standardization)
Country: International
Summary: Focuses on
· Business continuity management process
· Writing and implementing continuity plans
· Business continuity planning framework
· Business continuity and impact analysis
· Testing and maintaining BCPs
Areas reviewed include:
Infrastructure Category: W
Reference: http://en.wikipedia.org/wiki/ISO_17799
Date of Last Review or Confirmation: August 4, 2007
Title: IT Security Guidelines - G3
Type: Standard
Governing Body: Information Technology Services Department - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary: Introduces general concepts relating to Information Technology Security and elaborates interpretations on the Baseline IT Security Policy. It also provides readers some guidelines and considerations in defining security requirements.
Dates, Fines, Penalties / Comments: In this document, government bureau and departments are suggested to consider implementing a BCP as part of business planning. 4/1/2003
Reference: http://www.ogcio.gov.hk/eng/prodev/esecpol.htm
Date of Last Review or Confirmation: August 4, 2007
Title: ITIL - IT Infrastructure Library
Type: Standard
Governing Body: ITIL (IT Infrastructure Library)
Country: U.S.A.
Summary:
· Global standard in the area of service management. Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services. Covers areas dealing with:
· Potential for data loss
· Vital records cre
Infrastructure Category: W
Reference: http://www.ogc.gov.uk/index.asp?id=2261 (official webpage) ; http://en.wikipedia.org/wiki/ITIL
Date of Last Review or Confirmation: August 4, 2007
Title: JCAHO Accreditation Manual for Hospitals (1997)
Country: U.S.A.
Summary: Guidelines for information management established by JCAHO. Standard Label: IM.1.20 - The [organization] plans for the continuity of its information management processes.
Infrastructure Category: E
Reference: http://www.jointcommission.org/NR/rdonlyres/E2B871E6-E315-4B1D-A7FD-5C5E655C8605/0/sii_ahc_im_proposed_revisions.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: King I Report - 1994; King II Report - 2002
Type: Standard
Governing Body: King Committee on Corporate Governance
Country: South Africa
Summary: This is a standard for good corporate governance which most companies in South Africa make reference to in their AFS and try to adhere to.
Infrastructure Category: W (Industry)
Reference: Available to order from the Institute of Directors (IoD): http://www.iodsa.co.za/king.asp
Date of Last Review or Confirmation: August 4, 2007
Title: Korea BCP
Type: Regulation
Governing Body: Foreign Financial Supervisory
Country: Korea
Summary: Recovery of core business (Bank, Securities, Futures) within 3 hours. Need for proper capacity planning. Appropriate access control to DR system. Regular and ad-hoc test requirement.
Dates, Fines, Penalties / Comments: BCP, DR Site
Infrastructure Category: E
Reference: http://www.fsc.go.kr/eng/id/ck4.asp
Date of Last Review or Confirmation: August 4, 2007
Title: Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc.
Country: Canada
Dates, Fines, Penalties / Comments: Mar 2006
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: Major Hazard Installation Regulations, 1993
Type: Regulation
Governing Body: Occupational Health & Safety
Country: South Africa
Summary: Talks about emergency plans - "emergency plan" means a plan in writing which, on the basis of identified potential incidents at the installation, together with their consequences, describes how such incidents and their consequences should be dealt with on-
Dates, Fines, Penalties / Comments: Subject to the provisions of subregulation (3) these regulations shall apply to employers, self-employed persons and users, who have on their premises, either permanently or temp
Reference: http://www.labour.gov.za/useful_docs/doc_display.jsp?id=10091
Date of Last Review or Confirmation: August 4, 2007
Title: Management, Supervision and Internal Control Guidelines ("The Internal Control Guidelines")
Type: Standard
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary: "A licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arisin
Dates, Fines, Penalties / Comments: In section 36 under operational risk: An effective business continuity plan appropriate to the size of the firm is implemented to ensure that the firm is protected from the risk of interruption to its business continuity. Key processes in this area includ
Reference: Copies of the Guidelines are available at the SFC. They can also be found on the SFC's website at http://www.hksfc.org.hk.
Date of Last Review or Confirmation: August 4, 2007
Title: Manila Bank BCP
Type: Regulation
Governing Body: Bank of Central Philippines (local central bank)
Country: Philippines
Summary: Enforced by audit, requires all banks to set up a disaster recovery facility.
Dates, Fines, Penalties / Comments: DR Site
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: Manual for the Development of Contingency Plans in Financial Institutions
Type: Regulation
Governing Body: FISC (The Center for Financial Industry Information System); Japan FSA
Country: Japan
Summary: Audit matter. BCP development (DR site/vital records, etc). Appointment of BCP manager. Implementation of policy & standard. Proper documentation. Regular review of plan. Corporate-wide testing at least annually. Planning for different scenarios.
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: MAS Business Continuity Management Guidelines (June 2003)
Type: Regulation
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary: 7 Guiding Principles on Senior Management responsibilities for BCM; embedding BCM into Business-as-usual activities, incorporating sound practices; testing BCP regularly, completely and meaningfully; developing recovery strategies and setting RTO for crit
Dates, Fines, Penalties / Comments: International
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: MAS Consultation Paper On Business Continuity Planning (BCP) Guidelines (10-Jan-03)
Type: Regulation
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary:
· Guidelines encourage adoption of BCP Practices by financial institutions in Singapore.
· Guidelines help financial institutions to prepare to be aware by establishing a comprehensive Business Continuity Plan.
Infrastructure Category: E
Date of Last Review or Confirmation: August 4, 2007
Title: MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004)
Type: Standard
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary: Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality and ef
Dates, Fines, Penalties / Comments: International. Issued October 2007. Updated July 1 2005.
Infrastructure Category: E
Reference: http://www.mas.gov.sg/legislation_guidelines/risk_mgt/Guidelines_on_Risk_Management_Practices.html
Date of Last Review or Confirmation: August 4, 2007
Title: Disaster Management Act, 2002
Type: Regulation
Governing Body: Ministry for Provincial & Local Government
Country: South Africa
Summary: Proposed national disaster management framework. Provides for:
· An integrated and coordinated disaster management policy that focuses on preventing and reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid
Dates, Fines, Penalties / Comments: To be provided
Reference: http://disaster.co.za/docs/DisasterManagementAct572002.doc
Date of Last Review or Confirmation: August 4, 2007

Title: NASD Rule 108 (Sept 9, 02) and SR-NASD-2002-112 (March 10, 03) (Release No. 34-48503; File No. SR-NASD-2002-108)
Type: Regulation
Governing Body: NASD (North American Securities Dealers Association)/SEC
Country: U.S.A.
Summary:
· Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.
· Must update its plan in the event of any material change to the member's operations, structur
Infrastructure Category: E
Reference: http://www.sec.gov/rules/sro/nasd2002108/nasd2002108typea.htm
Date of Last Review or Confirmation: August 4, 2007
Title: NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans
Type: Regulation
Governing Body: NASD
Country: U.S.A.
Summary: Requires a Business Continuity Plan addressing:
· Alternate communications between customers, firm and employees
· Business constituent, bank and counter party impact
· Regulatory Reporting
· Mission Critical Systems
· Operational and Finan
Infrastructure Category: E
Reference: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf
Date of Last Review or Confirmation: August 4, 2007

Title: NASD Rule 3500: Emergency Preparedness Part 3520: Emergency Contact Information (notice to members)
Type: Regulation
Governing Body: NASD
Country: U.S.A.
Summary: Rule 3520 requires NASD members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the e
Infrastructure Category: E
Reference: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
Type: Regulation
Governing Body: CFTC (Commodity Futures Trading Commission)
Country: U.S.A.
Summary: Requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
Infrastructure Category: E
Reference: http://www.nfa.futures.org/printerFriendly.asp?tag=2-38
Date of Last Review or Confirmation: August 4, 2007
Title: NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
Type: Standard
Governing Body: NFPA
Country: U.S.A.
Summary: Guideline of a step-by-step approach to emergency planning, response and recovery for companies.
Infrastructure Category: W
Reference: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111 (ordering information) ; http://www.nfpa.org/assets/files/PDF/111-05-ROPDraft.pdf (report on proposals)
Date of Last Review or Confirmation: August 4, 2007
Title: NFPA 232: Standard on Protection of Records
Type: Standard
Governing Body: NFPA
Country: U.S.A.
Summary: Standards for protection of business records, archives and records centers.
Infrastructure Category: W
Reference: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232 (ordering information)
Date of Last Review or Confirmation: August 4, 2007
Title: NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
Type: Standard
Governing Body: NFPA (National Fire Protection Association)
Country: U.S.A.
Summary: Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
Infrastructure Category: W
Reference: http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
Date of Last Review or Confirmation: August 4, 2007
Title: NIST SP 800-34 Contingency Planning Guide
Type: Standard
Governing Body: NIST (National Institute of Standards and Technology)
Country: U.S.A.
Summary:
· Details the fundamental planning principles necessary for developing an effective contingency capability.
· Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
Infrastructure Category: E
Reference: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: NYSE Rule 446: Business Continuity and Contingency Planning
Type: Regulation
Governing Body: NYSE (New York Stock Exchange)
Country: U.S.A.
Summary:
· Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption.
· Yearly review must be conducted of the business conti
Dates, Fines, Penalties / Comments: Possible Image and Reputation impacts for not complying with stock market regulations including, in extreme cases, potential de-listing.
Infrastructure Category: E
Reference: http://rules.nyse.com/NYSETools/ExchangeViewer.asp?selectednode=chp%5F1%5F5%5F11%5F4&manual=%2Fnyse%2Fnyse%5Frules%2Fnyse%2Drules%2F
Date of Last Review or Confirmation: August 4, 2007
Title: OCC 2001-47: Third-Party Relationships (November 1, 2001)
Type: Regulation
Governing Body: OCC
Country: U.S.A.
Summary: Provides guidance to national banks on managing risks resulting from business relationships with third parties. It explains that third-party contracts should provide for:
· Continuation of the business function in the event of problems with the third
Infrastructure Category: E
Reference: http://www.occ.treas.gov/ftp/bulletin/2001-47.txt
Date of Last Review or Confirmation: August 4, 2007
Title: OCC 2003-18: FFIEC (March 2003)
Type: Regulation
Governing Body: OCC
Country: U.S.A.
Summary: Information Technology Examination Handbook - Business Continuity Planning and Supervision of Technology Service Providers Booklets. The BCP Booklet describes the process for managing business continuity based on risk as the following:
· Business impact
Infrastructure Category: E
Reference: http://www.occ.treas.gov/ftp/bulletin/2003-18.doc
Date of Last Review or Confirmation: August 4, 2007
Title: OCC 97-23: Corporate Business Resumption and Contingency Planning (May 16, 1997)
Type: Regulation
Governing Body: OCC
Country: U.S.A.
Summary: [NOTE: Rescinded - SEE 2003-18]
Infrastructure Category: E
Reference: RESCINDED by OCC 2003-18
Date of Last Review or Confirmation: August 4, 2007
Title: OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999)
Type: Regulation
Governing Body: OCC
Country: U.S.A.
Summary:
· Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingen
· Exp
Infrastructure Category: E
Reference: http://www.occ.treas.gov/ftp/bulletin/99-9.txt
Date of Last Review or Confirmation: August 4, 2007
Title: OSHA - Occupational Safety and Health Administration
Type: Regulation
Governing Body: OSHA (Occupational Safety and Health Administration)
Country: U.S.A.
Summary:
· Disaster preparedness
· OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
· For businesses with 10 or less a written plan is not mandated but recommended.
Infrastructure Category: I
Reference: http://www.osha.gov/
Date of Last Review or Confirmation: August 4, 2007
Title: Personal Data (Privacy) Ordinance
Type: Standard
Governing Body: Office of the Privacy Commissioner for Personal Data - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data to Hong Kong from restrict
Dates, Fines, Penalties / Comments: Based on the Data Protection Principles published, the relevant principles to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to persona
Reference: http://www.pco.org.hk/english/ordinance/ordglance.html
Date of Last Review or Confirmation: August 4, 2007
Title: Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002)
Type: Standard
Governing Body: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
Country: U.S.A.
Summary: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis preparation, prevention, and continuous improvement.
Infrastructure Category: W
Reference: http://www.businessroundtable.org/pdf/722.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Privacy Act of 1974 (SUSC552a)
Type: Regulation
Country: U.S.A.
Summary: Requires management to safeguard and to keep the information accurate and current to protect the individual.
Infrastructure Category: I
Reference: http://www.usdoj.gov/foia/privstat.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Prudent Man Concept; Negligence Liability
Type: Regulation
Governing Body: Common Law
Country: International
Summary:
· As per the Uniform Commercial Code, legal standard used to determine whether appropriate action was taken in a particular situation.
· Directors, senior management, officers and agents, when working for an organization, are considered to be in a posi
Dates, Fines, Penalties / Comments: Uniform Commercial Code
Infrastructure Category: I
DRJ EAB R&R Use, Significant Notes: Any company, regardless of its industry, is expected to exercise due-care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners. Due-Care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due-care is seen in the same light by State and Federal Courts.
Reference: http://www.dodson-edgars.com/services.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Public Finance Management Act, 1999 - DRAFT Treasury Relations
Type: Regulation
Country: South Africa
Summary: Unable to find anything specific to BC or DR… "availability of financial information" was included…
Reference: http://www.acts.co.za/public_fin_man/index.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Publicly Available Specification (PAS) 56 - Guide to Business Continuity Management
Type: Standard
Governing Body: BSI (British Standards Institute)
Country: UK
Summary:
· Describes establishment of a BCM practice and provides recommendations.
· Provides BCM framework for anticipation and response to incidents.
PAS56 is intended for the person responsible for managing and applying business continuity within the or
Infrastructure Category: E
Reference: http://www.pas56.com/
Date of Last Review or Confirmation: August 4, 2007
Title: Risk Management Standard, AIRMIC, ALARM, IRM; 2002
Type: Standard
Governing Body: AIRMIC (Association of Insurance and Risk Managers); ALARM (National Forum for Risk Management in the Public Sector)
Country: UK
Summary: Establishes guidelines for Risk Management including
· Risk Assessment
· Risk Reporting
· Risk Treatment
9.4 The role of the Risk Management function should include the following:
· (bullet 8) developing risk response processes, including contin
Infrastructure Category: W
Reference: http://www.airmic.com/
Date of Last Review or Confirmation: August 4, 2007

Title: SAMOS and CLS Business Continuity Procedures - SA Reserve Bank National Payment System Department
Type: Standard
Governing Body: South African Reserve Bank
Country: South Africa
Summary: Continuity Procedures for SA Reserve Bank and Business Participants
Infrastructure Category: E
Reference: www.reservebank.co.za/internet/Publication.nsf/LADV/8B8A38FD0C1E5F5042256FCE00308106/$File/CLSBCP_SARB.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) - SECTION 404
Type: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
· Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creation,
Dates, Fines, Penalties / Comments: Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
Infrastructure Category: E
Reference: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Sarbanes-Oxley Act of 2002: SECTION 409
Type: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary:
· Issuers must disclose information on material changes in financial condition on a regular basis
Areas assessed include:
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creatio
Dates, Fines, Penalties / Comments: If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion.
Infrastructure Category: E
Reference: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Statement on Auditing Standards (SAS) 70 audit reports
Type: Standard
Governing Body: American Institute of Certified Public Accountants (AICPA)
Country: U.S.A.
Summary: SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
Dates, Fines, Penalties / Comments: Effective 1993
Reference: http://www.sas70.com/
Date of Last Review or Confirmation: August 4, 2007
Title: SEC 38-a: Investment Company Act of 1940
Governing Body: SEC
Country: U.S.A.
Infrastructure Category: E
Reference: http://www.law.uc.edu/CCL/InvCoAct/sec38.html
Date of Last Review or Confirmation: August 4, 2007
Title: SEC Act of 1934: (15 U.S.C.A 78A) Rule 17a-4
Type: Regulation
Governing Body: SEC
Country: U.S.A.
Summary: Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.
Infrastructure Category: E
Reference: http://www.sec.gov/about/laws/sea34.pdf ; http://www.sec.gov/about/laws.shtml#secexact1934 (summary information)
Date of Last Review or Confirmation: August 4, 2007
Title: Securities and Exchange Act, Sections 32(a) and (b)
Type: Regulation
Governing Body: SEC
Country: U.S.A.
Summary:
· Policy addresses criminal liability of Directors and officers for failure to: Protect computerized information; Document process used to assess risks of information loss; exercise "duty of care"
· Burden of proof lies with the Directors and Officers
Dates, Fines, Penalties / Comments: Potential fines imposed include personal fines up to $10,000 and corporate fines up to $1,000,000.
Infrastructure Category: E
Reference: http://www.law.uc.edu/CCL/34Act/sec32.html
Date of Last Review or Confirmation: August 4, 2007
Title: Supervision of Technology Service Providers Booklets (May 2003)
Type: Standard
Governing Body: FFIEC
Country: U.S.A.
Summary: BUSINESS CONTINUITY PLANNING, SUPERVISION OF TECHNOLOGY SERVICE PROVIDER GUIDANCE RELEASED BY FEDERAL FINANCIAL REGULATORS. The Business Continuity Planning Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Examiners should focus on:
· Management of Technology - the planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or technology service providers.
· Int
Infrastructure Category: W
Reference: http://www.ffiec.gov/press/pr052003.htm
Date of Last Review or Confirmation: August 4, 2007
Title: Telecommunications Act of 1996
Type: Regulation
Governing Body: FCC - Federal Communications Commission
Country: U.S.A.
Summary: The act was intended to promote competition in the telecommunications industry. Section 256 gives the FCC the right to oversee that telecommunications networks "seamlessly and transparently transmit and receive information between and across telecommunications networks." The FCC's Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
Reference: www.fcc.gov/telecom.html
Date of Last Review or Confirmation: August 4, 2007
Title: Terrorism - Real Threats, Real Costs, Joint Solutions (June 2003)
Category: Standard
Governing Body: Business Roundtable
Country: U.S.A.
Summary: The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat. It then recommends various tools and procedures for government to use when regulating, and outlines the difficulty of allocating the costs of security.
DRJ EAB R&R Use: W
Significant Notes/Comments: http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
Date of Last Review or Confirmation: August 4, 2007
Title: Thailand BCP
Category: Regulation
Governing Body: Governing Body will be Bank of Thailand / Securities and Exchange Commission, Thailand.
Country: Thailand
Summary: BCP, Vital records, DR Site
DRJ EAB R&R Use: E
Significant Notes/Comments: Unofficial Translation by the courtesy of The Foreign Banks' Association. This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version: www.bot.or.th/fipcs/Documents/FPG/2550/EngPDF/25500011.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: The Promotion of Access to Information Act (#2 of 2000)
Category: Regulation
Governing Body: Parliament of the Republic of South Africa
Country: South Africa
Summary: ACT - To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected therewith.
Significant Notes/Comments: www.info.gov.za/gazette/acts/2000/a2-00.pdf
Date of Last Review or Confirmation: August 4, 2007
Title: Turnbull Report (September 1999)
Category: Regulation
Governing Body: Institute of Chartered Accountants in England and Wales
Country: UK
Summary: Internal Control - Guidance for Directors on the Combined Code
· States that anyone listed on the London Stock Exchange must have BCP
· Requires companies to report whether the board has reviewed the system of "internal control"
Dates, Fines, Penalties: Those companies found in violation could be de-listed from the London Stock Exchange.
DRJ EAB R&R Use: E
Significant Notes/Comments: www.icaew.co.uk/index.cfm?route=120907
Date of Last Review or Confirmation: August 4, 2007
Title: USA Patriot Act of 2001: (P.L. 107-56 2001 HR 3162)
Category: Regulation
Governing Body: DHS
Country: U.S.A.
Summary:
· The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
Dates, Fines, Penalties:
· Within 6 months after the date of enactment of this act, the secretary and other appropriate government agencies shall submit a report to Congress.
· Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts.
DRJ EAB R&R Use: E
Significant Notes/Comments: http://www.epic.org/privacy/terrorism/hr3162.html
Date of Last Review or Confirmation: August 4, 2007
Title: Various OCC Comptroller's Handbooks
Category: Standard
Governing Body: Office of the Comptroller of the Currency (OCC)
Country: U.S.A.
Summary: The OCC Comptroller Handbooks are issued to provide guidance for examiners. Several of these handbooks discuss business continuity planning and provide guidance for examiners. Listed below are some of the OCC handbooks that discuss BCP:
* Asset Management
* Asset Securitization
* Community Bank Fiduciary Activities Supervision
* Community Bank Supervision
* Custody Services
* Emerging Market Country Products and Trading Activities
* Federal Branches and Agencies Supervision
* Insurance Activities
* Internal and External Audits
* Internal Controls
* Internet Banking
* Investment Management Services
* Large Bank Supervision
* Liquidity
* Merchant Processing
* Risk Management of Financial Derivatives
Significant Notes/Comments: www.occ.treas.gov/handbook/S&S.htm
Date of Last Review or Confirmation: August 4, 2007
Title: VISA CISP (Cardholder Information Security Program)
Category: Standard
Governing Body: VISA, endorsed by AMEX, Diners, Discover, JCB
Country: U.S.A.
Summary: Required compliance standards for major credit card companies for regular security assessments and reporting.
Dates, Fines, Penalties: Failure to comply can result in:
· Fines of $50,000 for first violation, $100,000 for the second violation.
· Restrictions on merchant
· Permanent prohibition of participation in Visa
DRJ EAB R&R Use: E
Significant Notes/Comments: http://www.usa.visa.com/merchants/risk_management/cisp_overview.html?it=l2|/merchants/risk_management/cisp.html|Overview#anchor_2
Date of Last Review or Confirmation: August 4, 2007
DRJ EAB R&R Use codes:
Enforced (E) - Most frequently enforced for compliance purposes
Ambiguous (A) - Further clarification regarding strong ties with Business Continuity needs to happen
Watch List (W) - Participating members should be looking for the presence of this item within the coming months/years
Invocation @ Incident (I) - Likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
R&R Acronyms

Acronym   Country   Definition
BSE       India     Bombay Stock Exchange
DHS       U.S.A.    Department of Homeland Security (USA)
FRB       U.S.A.    Federal Reserve Bank
FSSCC     U.S.A.    Financial Services Sector Coordinating Council for Critical Infrastructure Protection
NSE       India     National Stock Exchange
OCC       U.S.A.    Office of the Comptroller of the Currency
RBI       India     Reserve Bank of India
SEBI      India     Securities & Exchange Board of India
SEC       U.S.A.    Securities and Exchange Commission