Disaster Recovery Journal
Rules and Regulations Committee
Editorial Advisory Board
7/1/2011 4:44 AM

The following content was compiled by volunteers, and is as accurate as possible.
The content is subject to change without notice. For the most timely information please go directly to the source.
Revision Date: March 17, 2010

Table columns: Title | Regulation / Standard | Governing Body | Country | Summary / Description | Significant Dates, Fines, Penalties | Infrastructure Category (E, A, W, I) | Notes / Comments | Link

Infrastructure categories named in the table header: Energy (including nuclear); Transportation & Shipping; Agriculture, Food Supply & Water; Information Distribution & Communications; Banking & Finance; Public Health & Healthcare; Government & Public Agencies; Industry.

Each entry below is one row of the table, one field per line.
Title: 2010 ACH Rules Book
Regulation / Standard: Reg
Governing Body: ACH (Federal Reserve's Automated Clearinghouse Association)
Country: U.S.A.
Summary / Description:
  - Requires 6 year file retention on all ACH transactions
  - An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions
Significant Dates, Fines, Penalties: Non-compliant fines not more than $10,000 or imprisoned not more than ten years, or both
Infrastructure Category: I
Link: http://www.achrulesonline.org/

Title: 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Aug 2009)
Regulation / Standard: Reg
Governing Body: CFR (Code of Federal Regulations)
Country: U.S.A.
Summary / Description:
  - Continuity of operations for Critical Infrastructure
  - Disclosure of critical information to the government
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://ecfr.gpoaccess.gov
Title: ANAO Better Practice Guide: Business Continuity Management - Building resilience in public sector entities. June 2009
Regulation / Standard: Std
Governing Body: ANAO (Australian National Audit Office)
Country: Australia, New Zealand
Summary / Description: Produced following consultation with Australian Government and private sector entities. It 'provides a refreshed version of a previous ANAO Guide' which is 'presented in a more user-friendly format, and includes contemporary practical advice, case studies and references as well as exploring issues within the business continuity environment that have arisen since the previous ANAO publication'. ANAO states that business continuity management is an essential component of good public sector governance and is part of an entity's overall approach to effective risk management. It says that the guide will be a useful reference document for boards, chief executives and senior management in public sector entities.
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.continuitycentral.com/news04604.html
Title: ANSI/ARMA 5-2003 Vital Records Programs
Regulation / Standard: Reg
Governing Body: ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators)
Country: U.S.A.
Summary / Description: Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster, since they document an organization's legal and financial position and preserve the rights of employees, customers and stockholders. Specific procedures addressed include: vital records analysis and selection, records protection methods, and the overall administration of a vital records program.
Significant Dates, Fines, Penalties: None
Infrastructure Category: E
Link: http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2FARMA+5-2003
Title: AS/NZS 4360:2004 - Risk Management Standard
Regulation / Standard: Std
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary / Description: Provides a generic guide for managing risk. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.saiglobal.com/shop/Script/details.asp?docn=AS0733759041AT
Title: AS/NZS 7799.2:2000 (Previously known as 4444.2)
Regulation / Standard: Std
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary / Description: This Standard is intended for use by managers and employees who are responsible for initiating, implementing and maintaining information security within their organization and it may be considered as a basis for developing organizational security standards.
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.saiglobal.com/shop/script/details.asp?docn=AS986176255535
Title: AS/NZS 4360; 2004 Risk Management Standard; Business Continuity
Regulation / Standard: Std
Governing Body: Standards Association of Australia
Country: Australia, New Zealand
Summary / Description: AS/NZS 4360 is a generic guide for risk management so that it applies to all forms of organizations. Risk management is defined as 'the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.'
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.noweco.com/risk/riske19.htm
Title: ASIS American National Standard (2009)
Regulation / Standard: Std
Governing Body: ASIS
Country: U.S.A.
Summary / Description: A comprehensive management systems approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting from an emergency, crisis or disaster.
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf
Title: Business Continuity Planning Committee Best Practice Guidelines (Aug 2002)
Regulation / Standard: Reg
Governing Body: Australia Financial Markets Association
Country: Australia
Summary / Description: Follows ISIA Business Continuity Planning Guidelines. See
Significant Dates, Fines, Penalties: None
Infrastructure Category: E
Link: www.icsa.bz/pdf/BCPGuidelines.pdf

Title: Australian Commonwealth Criminal Code (1994)
Regulation / Standard: Reg
Governing Body: Australian Government
Country: Australia
Summary / Description: Establishing criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place.
Significant Dates, Fines, Penalties: None
Infrastructure Category: E
Link: www.isrcl.org/Papers/2008/Hinchcliffe.pdf

Page 1 of 19
Title: Banks Act (94/1990)
Regulation / Standard: Reg
Country: Republic of South Africa
Summary / Description: To provide for the regulation and supervision of the business of public companies taking deposits from the public; and to provide for matters connected therewith.
Significant Dates, Fines, Penalties: None
Link: http://www.reservebank.co.za/internet/Publication.nsf/LADV/7F7EEFAD2993BB7B42257399004DEE8A/$File/Banks+Amendment+Act+2007.pdf
Title: Basel II: New Basel Capital Accord (July 16, 2009)
Regulation / Standard: Reg
Governing Body: Basel
Country: International
Summary / Description: Addresses Operational Risk and defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
Significant Dates, Fines, Penalties: None
Infrastructure Category: W
Link: http://www.federalreserve.gov/GeneralInfo/basel2/
Title: Bulletin R-67
Regulation / Standard: Reg
Governing Body: Federal Home Loan Bank
Country: U.S.A.
Summary / Description: N/A
Significant Dates, Fines, Penalties: None
Infrastructure Category: E
Notes / Comments: Rescinded 7/10/89. Comptroller of Currency BC-177 (1983, 1987) supersedes Federal Home Loan Bank Bulletin R-67.
Title: Business Continuity at Bank of Japan.
Regulation / Standard: Std
Governing Body: BOJ (Bank of Japan)
Country: Japan
Summary / Description: Consensus- This plan assumes an approach to aim at operational continuity. Proper documentation. System / people recovery. Corporate-wide testing at least annually. Planning for different scenarios.
Significant Dates, Fines, Penalties: None
Infrastructure Category: E
Link: http://www.boj.or.jp/en/type/release/zuiji/kako03/data/sai0309a.pdf

Title: Business Continuity Institute “Good Practices” 2008-2
Regulation / Standard: Std
Governing Body: BCI (Business Continuity Institute)
Country: UK
Summary / Description: No clear guideline to follow
· In alignment with DRII “Professional Practices”
· More specific
Significant Dates, Fines, Penalties: None
Category (E, A, W, I): W
Link: http://www.thebci.org/gpg.htm

Title: Business Continuity Planning Committee Best Practice Guidelines (Aug 2002)
Regulation / Standard: Std
Governing Body: ISIA (International Securities Industry Association)
Country: International
Summary / Description:
· Each securities firm should have in place a BC (Business Continuity) program
· BC Policy Document
· Executive and corporate group responsible for overseeing BC program
· Business managers should review, implement, fund, and sign-off of BC plans
Significant Dates, Fines, Penalties: None
Category (E, A, W, I): W
Notes / Comments: Also see SIFMA
Link: http://www.sifma.org/services/business_continuity/html/PandemicPreparedness.html

Title: Business Continuity Planning Supervisory Policy Manual - TM-G-2
Regulation / Standard: Reg
Governing Body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary / Description:
· Recovery
This Manual sets out the HKMA's latest supervisory policies and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices tha
Significant Dates, Fines, Penalties: This manual takes a supervisory approach where the HKMA's objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruptio
Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-G-2.pdf

Title: California SB 1386 - Security of Non-Encrypted Customer Information (July 1, 2003)
Regulation / Standard: Reg
Governing Body: State of California
Country: U.S.A.
Summary / Description: Bill requires all agencies, persons or businesses that conduct business in California that own or license computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Significant Dates, Fines, Penalties: Effective July 1, 2003.
Category (E, A, W, I): E
Link: http://www.legalarchiver.org/sb1386.htm

Title: CAN/CSA-Z 731-03
Regulation / Standard: Std
Governing Body: CSA (Canadian Standards Association)
Country: Canada
Summary / Description: Canada's Emergency Preparedness and Response Standards
Link: http://www.techstreet.com/standards/CAN_CSA/Z731_03?product_id=1270242

Title: China
Regulation / Standard: N/A
Country: China
Summary / Description:
· There are extensive regulations and standards around Information Protection within the People's Republic of China (PRC)
Category (E, A, W, I): E
Link: http://www.mondaq.com/article.asp?articleid=75776

Title: Circular to Licensed Corporations - "Business continuity planning against serious communicable diseases"
Regulation / Standard: Std
Governing Body: Securities and Futures Commission of Hong Kong
Country: Hong Kong
Summary / Description: The Securities and Futures Commission used the circular to remind licensed persons to take precautions against a recurrence of SARS or other serious communicable diseases. The Commission was concerned about the potential disruption to intermediaries' opera
Significant Dates, Fines, Penalties: Suggestions were given in the circular on procedures and policies to be reviewed, revised or devised to ensure business continuity or prevent material disruption to operation in the event of staff infection. 1/24/2003
Link: http://www.sfc.hk/sfcRegulatoryHandbook/EN/displayFileServlet?docno=H289

Title: Civil Contingencies Bill (Bill 53, Feb 2004)
Regulation / Standard: Reg
Governing Body: British Law
Country: UK
Summary / Description:
· Local arrangements for civil protection
· Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that if an emergency occurs that the persons or bodies are able to continue to
Category (E, A, W, I): E
Link: http://www.publications.parliament.uk/pa/cm200304/cmbills/053/04053.iii-iv.html

Title: COBIT - Control Objectives for Information and related Technology (4.1) (May 2007)
Regulation / Standard: Std
Governing Body: IT Governance Institute Standards
Country: U.S.A.
Summary / Description: Generally accepted information technology control objectives for information technology.
Domains include:
  Planning and Organization
  Acquisition and Implementation
  Delivery and Support
  Monitoring and Evaluation
Areas Reviewed for compliance
Category (E, A, W, I): E
Link: http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf

Title: Computer Fraud and Abuse Act
Regulation / Standard: Reg
Governing Body: FTC (Federal Trade Commission)
Country: U.S.A.
Summary / Description: Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices. It wa
Category (E, A, W, I): E
Link: http://www.panix.com/~eck/computer-fraud-act.html

Title: Consumer Credit Protection Act (CCPA) of 1992, Section 2001 Title IX - Electronic Funds Transfer
Regulation / Standard: Reg
Country: U.S.A.
Summary / Description:
· The purpose of this title is to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer
Significant Dates, Fines, Penalties:
· Takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment
· Non-compliance fines of not more than $10,000 or imprisone
Category (E, A, W, I): I
Link: http://www.fdic.gov/regulations/laws/rules/6500-200.html

Title: COSO Enterprise Risk Management Framework (September 2004)
Regulation / Standard: Std
Governing Body: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Country: U.S.A.
Summary / Description: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
Category (E, A, W, I): E
Link: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

CTIA Telecommunication Industry BCM standard and certification
  Regulation / Standard: Std
  Governing Body: CTIA
  Country: U.S.A.
  Summary / Description:
    - The CTIA (Cellular Telecommunications and Internet Association) is working on plans to offer standard business continuity guidance to the communications industry.
    - A CTIA BCM certification will be granted to organizations that display a (soon to b
  Category (E, A, W, I): W
  Notes / Comments: This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method.

DRAFT Information Security Policy as presented by the Department of Public Service and Administration
  Regulation / Standard: Std
  Governing Body: Department of Public Service and Administration
  Country: South Africa
  Summary / Description: Presents a suite of integrated solutions which, together, offer the tools necessary to integrate information security best practices. Based on ISO 17799 and BS 7799.
  Link: http://www.dpsa.gov.za/documents/acts&regulations/frameworks/e-commerce/POSITION%20PAPER%20ON%20INFORMATION%20SECURITY1.pdf

DRI International “Ten Professional Practices for Business Continuity Professionals”
  Regulation / Standard: Std
  Governing Body: DRII (Disaster Recovery Institute International)
  Country: International
  Summary / Description: Professional practice letters include developing business continuity management strategies and other contingency planning. Areas reviewed include:
    - Potential for data loss
    - Vital records creation, storage and retention
  Category (E, A, W, I): W
  Link: http://www.drii.org

Electronic Fund Transfer Act (EFTA)
  Regulation / Standard: Reg
  Governing Body: OCC
  Country: U.S.A.
  Summary / Description:
    - Establishes the basic responsibilities, rights and liabilities of consumers and financial institutions who use electronic fund transfer services and of those that offer these services.
    - Business and IT recovery
    - BCP to meet “reasonable standard of care”
  Category (E, A, W, I): I
  Link: http://www.ftc.gov/bcp/conline/pubs/credit/elbank.pdf; www.occ.treas.gov/netbank/ebguide.htm

Fair Credit Reporting Act
  Regulation / Standard: Reg
  Governing Body: FTC (Federal Trade Commission)
  Country: U.S.A.
  Summary / Description:
    - Ensures credit information is accurate and up-to-date
    - Designed to promote accuracy and ensure the privacy of the information used in consumer reports
  Significant Dates, Fines, Penalties:
    - Civil penalty of not more than $2,500 per violation
    - State action of damages of not more than $1,000 for each willful or negligent violation
  Category (E, A, W, I): I
  Link: http://www.ftc.gov/os/statutes/fcra.htm

FDICIA – Federal Deposit Insurance Corporation Improvement Act of 1991
  Regulation / Standard: Reg
  Governing Body: FDIC (Federal Deposit Insurance Corporation)
  Country: U.S.A.
  Summary / Description: Requires at the beginning of the year that all FDIC-insured depository institutions with total assets of $500 million or more certify the effective functioning of their internal control systems.
  Category (E, A, W, I): E
  Link: http://www.fdic.gov/regulations/laws/rules/8000-2400.html

Federal Acquisition Regulation; Electronic Funds Transfer Final Rule
  Regulation / Standard: Reg
  Governing Body: SEC
  Country: U.S.A.
  Summary / Description: Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government.
  Category (E, A, W, I): E
  Link: http://www.fms.treas.gov/eft/regulations/fareft.txt

FEMA 141: Disaster Planning Guide for Business and Industry
  Regulation / Standard: Std
  Governing Body: FEMA
  Country: U.S.A.
  Summary / Description: Designed to provide guidance for business and industry officials to respond to and recover from disasters.
  Category (E, A, W, I): W
  Notes / Comments: SEE ABOVE

FEMA Emergency Management Guide for Business and Industry
  Regulation / Standard: Std
  Governing Body: FEMA (Federal Emergency Management Agency)
  Country: U.S.A.
  Summary / Description: A step-by-step approach to emergency planning, response and recovery for companies of all sizes. FEMA 141/October 1993.
  Category (E, A, W, I): W
  Link: http://www.fema.gov/pdf/library/bizindst.pdf; http://www.fema.gov/business/

FFIEC BCP Handbook: Business Continuity Planning (May 2003) “IT Examination Handbook”
  Regulation / Standard: Reg
  Governing Body: FFIEC
  Country: U.S.A.
  Summary / Description:
    - Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business
    - Planning should occur for a BCP
    - Business Impact Analysis and Risk Assessment are encouraged as the foundation of an effective BCP
    - Testing
  Significant Dates, Fines, Penalties: Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and financial market
  Category (E, A, W, I): E
  Link: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf; http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bcp_00.html



Page 4 of 19
FFIEC FIL 67-97/82-96
  Regulation / Standard: Reg
  Governing Body: FFIEC (Federal Financial Institutions Examination Council)
  Country: U.S.A.
  Summary / Description: Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. Areas Reviewed for Compliance: IT-specific recovery document.
  Category (E, A, W, I): A
  Link: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

FFIEC FIL-81-2005 - Information Technology Risk Management Program (IT-RMP) for conducting IT examinations
  Regulation / Standard: Std
  Governing Body: FDIC (Federal Deposit Insurance Corporation)
  Country: U.S.A.
  Summary / Description: Information Technology Risk Management Program (IT-RMP) for conducting IT examinations of FDIC-supervised financial institutions; covers practices for: risk assessment, operations security and risk management, audit and independent review, disaster rec
  Link: http://www.fdic.gov/news/news/financial/2005/fil8105.pdf

FFIEC Risk Management of Outsourced Technology Services
  Regulation / Standard: Std
  Governing Body: FFIEC (Federal Financial Institutions Examination Council)
  Country: U.S.A.
  Summary / Description: Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address. This guidance covers four elements of a risk management process: risk assessment, selection of service providers, contract review, and monitoring of service providers.
  Link: http://www.ffiec.gov/exam/InfoBase/documents/02-ffi-risk_mang_outsourced_tech_services-001128.pdf

FFIEC Policy SP-5
  Regulation / Standard: Reg
  Governing Body: FFIEC
  Country: U.S.A.
  Summary / Description: Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.
  Significant Dates, Fines, Penalties: Issued July 1989
  Category (E, A, W, I): E
  Notes / Comments: With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial Institutions.

Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) of 1989; (P.L. 101-73 1989 HR 1278)
  Regulation / Standard: Reg
  Country: U.S.A.
  Summary / Description: Policy allows regulators/examiners to impose civil penalties for violations or non-compliance with regulations, laws, temporary agency orders or any breach of a written agreement between an agency and the institution.
  Significant Dates, Fines, Penalties: Tiers of penalties for individual and/or corporate after-tax fines:
    - Tier 1: up to $5,000 per day
    - Tier 2: up to $25,000 per day
    - Tier 3: up to $1,000,000 per day
  Category (E, A, W, I): I
  Link: http://www.academon.com/lib/essay/term-paper-11995.html (summary and purchase information)

FISMA: Federal Information Security Management Act of 2002
  Regulation / Standard: Reg
  Governing Body: FTC
  Country: U.S.A.
  Summary / Description: Details requirements to:
    - Assess risk
    - Determine levels of security necessary to protect such information
    - Periodically test and evaluate information security controls and techniques
    - Develop plans and procedures to ensure continuity of operati
  Category (E, A, W, I): E
  Notes / Comments: May apply to organizations and institutions communicating with, or performing work for or on behalf of, a federal agency.
  Link: http://csrc.nist.gov/policies/FISMA-final.pdf

Title: SR 00-4 (SUP), 2/29/2000
Governing body: Federal Reserve
Summary / Description: Outsourcing of Information and Transaction Processing. Cross reference: SR letter 97-35
Link: http://www.ffiec.gov/ffiecinfobase/resources/management/frb-sr-00-4-outsourc_info_transaction_process.pdf

Title: Foreign Corrupt Practices Act of 1977 (P.L. 95-213), Section 13(b)(2)
Type: Reg
Governing body: US Dept of Justice
Country: U.S.A.
Summary / Description: Policy states that Directors and Officers can be held liable for "failure to enact standards of care", and also where they fail to document the assessment process by which they determined not to develop a contingency plan.
Significant dates, fines, penalties: Issued in 1977
  - Civil penalties can range from $5,000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
  - Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for p
Category: I
Link: http://www.justice.gov/criminal/fraud/docs/statute.html

Title: FRB (Federal Reserve Banks) SR 96-22
Type: Reg
Governing body: Board of Governors of the Federal Reserve System
Country: U.S.A.
Summary / Description: Reviews and enforces the FFIEC's Interagency Supervisory Statement on Risk Management of Client/Server Systems SP-12.
  - The statement addresses concerns for security and the controls that should be associated with client/server computing, for the officer in charge of each Federal Reserve Bank, including:
    - Management should ensure that systems and operations are recoverable after an event causing disruption in service.
    - Management should determine that database
Category: E
Link: http://www.federalreserve.gov/boarddocs/SRLETTERS/1996/sr9622.htm
Title: GAO Supplier Requirements
Type: Reg
Governing body: GAO (Government Accountability Office)
Country: U.S.A.
Summary / Description: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
Category: E
Notes / Comments: Will apply to all organizations that supply goods or services to GAO or Federal Agencies
                                                                                                                                                                                                                                                                                                                                                                                                                                                       
Title: General Principles for Technology Risk Management V.1 - TM-G-1
Type: Std
Governing body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary / Description: To provide AIs (Authorized Institutions) with guidance on general principles which AIs are expected to consider in managing technology-related risks
Significant dates, fines, penalties: Section 2.6 covers policies, procedures or service agreements between AIs and the overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities
Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-G-1.pdf

Title: Business Continuity Planning V.1 – 02.12.02, TM-G-2
Governing body: The Hong Kong Monetary Authority
Country: Hong Kong
Summary / Description: New, non-statutory guideline issued by the MA as a guidance note, setting out the HKMA's supervisory approach to business continuity planning and the sound practices which the HKMA expects Authorized Institutions to take into consideration regarding Business Continuity Planning
Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-G-2.pdf

Title: Gramm-Leach-Bliley Act of 1999, section 501(b) (P.L. 106-102, 1999 S 900)
Type: Reg
Governing body: Public Law
Country: U.S.A.
Summary / Description: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The act includes record-retention requirements t
Significant dates, fines, penalties: Effective July 1, 2001. Bank must report to the board annually.
Category: E
Link: http://banking.senate.gov/conf/confrpt.htm

Title: Guidance Note on the Use of Internet for Insurance Activities (GN8)
Type: Std
Governing body: Office of the Commissioner of Insurance - The Government of the Hong Kong Special Administrative Region
Country: Hong Kong
Summary / Description: To better protect the insuring public and ensure the healthy development of the industry in the information technology era. The scope of this Guidance Note covers the internet insurance activities of all service providers to the extent that such activit
Significant dates, fines, penalties: Point 11 addresses the issue of security, in which service providers are advised to take all practicable steps to ensure a number of items, including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website (a), a
Link: http://www.oci.gov.hk/download/gn8-eng.pdf
Title: Guidelines on Management of IT Environment, BNM/RH/GL/013-3
Type: Reg
Governing body: BNM - Bank Negara Malaysia (Central Bank)
Country: Malaysia
Summary / Description: Outlines minimum responsibilities and requirements for planning and managing, as well as establishing preventive and detective measures that should be implemented by institutions to mitigate the risks pertaining to the IT environment
Significant dates, fines, penalties: IT environment, including business continuity
Category: E
Notes / Comments: Applicable to all institutions under the purview of the Bank, with effect from 1 January 2008
Link: http://www.calamityprevention.com/links/FCP_copy_Bank_Negara_Malaysia_BCM_Guidelines_2008.pdf
Title: HB 221:2004 Business Continuity Management
Type: Std
Governing body: Standards Association of Australia
Country: Australia, New Zealand
Summary / Description: Sets out a definition and process for business continuity management, and provides a workbook that may be used by organisations to assist in implementation. Sets out the principles and guidance that the Commission expects companies listed on the NZ Stock Exchange to follow for Business Continuity Management and establishing a Business Continuity Plan
Category: W
Notes / Comments: Supersedes HB 221:2003. The objective of this Handbook is to outline a broad framework and core processes that should be included in a comprehensive business continuity process. The objective of this revision is to align the Handbook with the 2004 edition of AS/NZS 4360, Risk management.
Link: http://infostore.saiglobal.com/store/Details.aspx?docn=AS0733762506AT

HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule, #7 Contingency Plan (164.308(a)(7)(i))
  Type: Regulation
  Governing body: GAO
  Country: U.S.A.
  Category: W
  Summary:
    - Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis.
    - Includes specific BCM points.
    - Applies to any organizat [cut off in source]
  Significant dates, fines, penalties: Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health [cut off in source]
  Notes: http://www.hipaa.ihs.gov/documents/IHS_HIPAA_Security_Checklist.doc
  Link: http://www.nchica.org/HIPAAResources/Security/rule.htm


HKMA Supervisory Policy Manual, BCP TM-G-2 V.1 02.12.02
  Type: Regulation
  Governing body: Hong Kong Monetary Authority
  Country: Hong Kong
  Category: E
  Summary: Enforced by onsite examinations; requires BCP documentation and testing at least annually, and planning for different scenarios and prolonged outages.
  Key areas: BCP organization & governance structure; approach to business continuity planning; documentation; DR site & vendor management.
  Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-G-2.pdf

HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1 V.1 24.06.03
  Type: Regulation
  Governing body: Hong Kong Monetary Authority
  Country: Hong Kong
  Category: E
  Summary: Refers to TM-G-2 on BCP regarding the need to provide continuous service.
  Key areas: Need to provide alternative service.
  Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-G-1.pdf
OCC 2001-47
  Type: Standard
  Governing body: OCC
  Country: USA
  Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. A third party's inability to deliver products and services, whether arising from fraud, error, inadequate capacity, or technology failure, exposes the bank to transaction risk. Lack of effective business resumption and contingency planning for such situations also increases the bank's transaction risk. The contract should provide for continuation of the business function in the event of problems affecting the third party's operations, including system breakdown and natural (or man-made) disaster.
  Notes: The bank's own contingency plan should address potential financial problems or insolvency of the third party.
  Link: http://www.ffiec.gov/ffiecinfobase/resources/management/occ-bul_2001_47_third_party_relationships.pdf

HKMA Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17-Feb-2004
  Type: Regulation
  Governing body: Hong Kong Monetary Authority
  Country: Hong Kong
  Category: E
  Summary: Refers to TM-G-2 on BCP regarding the need to provide continuous and/or alternative services.
  Key areas: Need to provide alternative service.
  Link: http://www.info.gov.hk/hkma/eng/bank/spma/attach/TM-E-1.pdf
Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004)
  Type: Standard
  Governing body: FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection)
  Country: U.S.A.
  Category: W
  Summary: Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur. See also https://www.fsscc.org/fsscc/reports/2006/Bank_Finance_SSP_061213.pdf
  Links: http://digital.library.unt.edu/govdocs/crs/permalink/meta-crs-7844:1 ; http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
IDA By-law 17.19 - Business Continuity Plan Requirement
  Type: Regulation
  Governing body: OSC (Ontario Securities Commission)
  Country: Canada
  Category: E
  Summary: The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts.
  Link: http://www.osc.gov.on.ca/MarketRegulation/SRO/ida/rr/srr-ida_20050107_not-pro-bylaw-17-19.pdf


India BCP
  Type: Regulation
  Governing body: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
  Country: India
  Category: E
  Summary: Enforced by audit; requires BCP documentation and testing at least annually.
  Key areas: BCP, DR site.
  Notes: Link provides multiple RBI circulars regarding BCP.
  Link: http://www.rbi.org.in/scripts/BS_EntireSearch.aspx?searchString=business%20continuity&strSection=Notifications

Indonesia BCP
  Type: Regulation
  Governing body: Bank Indonesia (Central Bank)
  Country: Indonesia
  Category: E
  Summary: Requires BCP documentation and testing at least annually, with focus on the Bank Indonesia RTGS system. Requires Internal Audit to conduct an audit at least annually and provide a report to Bank Indonesia.
  Key areas: BCP, RTGS, DR site.
  Link: http://www.bi.go.id/web/en/Peraturan/Perbankan/se_093007.htm


Information Technology Control Guidelines
  Regulation / Standard: Std
  Governing Body: Canadian Institute of Chartered Accountants
  Country: Canada
  Summary / Description: Crisis Management for Directors
  Category: E
  Link: http://www.cica.ca/multimedia/Download_Library/Standards/CoCo/cris-eng-txt.pdf

Interagency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007)
  Regulation / Standard: Reg
  Governing Body: FRB (Federal Reserve Board), OCC (Office of the Comptroller of the Currency), SEC (Securities and Exchange Commission)
  Country: U.S.A.
  Summary / Description: During discussions about the lessons learned from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole:
    · Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
    · Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
    · A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
  Significant Dates, Fines, Penalties: For Market Utilities and Core Clearing and Settlement Agencies, the goal to meet the objectives is the end of 2004. For Significant Role Firms, the goal is no later than 2006.
  Category: E
  Link: http://www.sec.gov/news/studies/34-47638.htm

IRS Procedure 91-59 (Superseded IRS Procedure 86-19)
  Regulation / Standard: Reg
  Governing Body: IRS (Internal Revenue Service)
  Country: U.S.A.
  Summary / Description:
    · Legal requirements for computer records containing tax information.
    · Requires off-site protection and documentation of computer records maintaining tax information.
  Category: I
  Notes / Comments: IRS Ruling 98-25 supersedes this: http://www.uiowa.edu/~fusrmp/irsruling98-25.html
  Link: http://www.uiowa.edu/~fusrmp/irsruling98-25.html

ISO 9000
  Regulation / Standard: Std
  Governing Body: ISO
  Country: International
  Summary / Description: ISO 9000:2000, Quality management systems - Fundamentals and vocabulary, covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards. Its purpose is to determine the elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans.
  Category: W
  Link: http://en.wikipedia.org/wiki/ISO_9000

ISO 9001
  Regulation / Standard: Std
  Governing Body: ISO
  Country: International
  Summary / Description: ISO 9001:2000, Quality management systems - Requirements, is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
  Category: W
  Link: http://en.wikipedia.org/wiki/ISO_9001

ISO 9002, Quality assurance standard
  Regulation / Standard: Std
  Governing Body: ISO
  Country: International
  Summary / Description: Addresses risk management and continuity planning issues for compliance.
  Category: W
  Notes / Comments: The previous members of the ISO 9000 series, 9002 and 9003, have been integrated into 9001.
  Link: http://en.wikipedia.org/wiki/ISO_9001

ISO 9004 Quality management systems - Guidelines for performance improvement
  Regulation / Standard: Std
  Governing Body: ISO
  Country: International
  Summary / Description: ISO 9004:2000, Quality management systems - Guidelines for performance improvements, covers continual improvement. It gives advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.
  Category: W
  Link: http://en.wikipedia.org/wiki/ISO_9004

ISO/IEC 27002:2005
  Regulation / Standard: Std
  Governing Body: ISO (International Organization for Standardization)
  Country: International
  Summary / Description: Focuses on business continuity. Areas reviewed include:
    · Business continuity management process
    · Writing and implementing continuity plans
    · Business continuity planning framework
    · Business continuity and impact analysis
    · Testing and maintaining BCPs
  Originally published as BS 7799 and subsequently adopted as ISO/IEC 17799.
  Category: W
  Notes / Comments: ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management.
  Link: http://en.wikipedia.org/wiki/ISO_17799

ISO/IEC 27005:2008
  Regulation / Standard: Std
  Governing Body: ISO
  Country: International
  Summary / Description: Continuation of the ISO 27000 series. The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management.
  Significant Dates, Fines, Penalties: Published June 2008.
  Category: W
  Link: http://www.iso27001security.com/html/27005.html ; http://www.27000.org/

IT Security Guidelines - G3
  Regulation / Standard: Std
  Governing Body: Information Technology Services Department, The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary / Description: Introduces general concepts relating to Information Technology Security and elaborates interpretations on the Baseline IT Security Policy. It also provides readers some guidelines and considerations in defining security requirements.
  Significant Dates, Fines, Penalties: In this document, government bureaux and departments are encouraged to consider implementing BCP/DR as part of business planning. V4.1, November 2008.
  Link: http://www.ogcio.gov.hk/eng/prodev/esecpol.htm

ITIL - IT Infrastructure Library
  Regulation / Standard: Std
  Governing Body: ITIL (IT Infrastructure Library), published by the U.K. Office of Government Commerce (OGC)
  Country: U.K.
  Summary / Description: Global standard in the area of service management. ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. Contains comprehensive, publicly accessible specialist documentation on the planning, provision and support of IT services.
  Category: W
  Link: http://www.ogc.gov.uk/index.asp?id=2261

JCAHO 2010 Hospital Accreditation Standards
  Governing Body: Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
  Country: U.S.A.
  Summary / Description: Guidelines for information management established by JCAHO. Standard Label: IM.1.20 - The [organization] plans for the continuity of its information management processes.
  Category: E
  Link: http://www.jcrinc.com/Accreditation-Manuals/2010-Hospital-Accreditation-Standards/1388/




                                                                                                                                                                                                                                                                                                                                                                                                                  & Water
                          Standard




                                                                     Country
                                                                                                                                                    Significant
                                              Governing                                                                                            Dates, Fines,
         Title                                  Body                                            Summary / Description                                Penalties                                                   Notes /Comments                                      Link




                                                                                                                                                                                                 I)
King I Report - 1994          Std           King Committee on    South Africa This is a standard for good corporate governance which most                                                W            From Wikipedia:                                  http://en.wikipedia.org/wiki/King_Co
King II Report - 2002                       Corporate                         companies in South Africa make reference to in their AFS and                                                                                                             mmittee
King lll 2009                               Governance                        try to adhere to.                                                                                                       The King Committee on Corporate
                                                                                                                                                                                                      Governance, formed in 1993 by the
                                                                                                                                                                                                      Institute of Directors in Southern Africa
                                                                                                                                                                                                      (IoD) was established to investigate the
                                                                                                                                                                                                      role of boards of directors in South African
                                                                                                                                                                                                      firms.[1] Chaired by businessman and
                                                                                                                                                                                                      former judge Mervyn E. King, the
                                                                                                                                                                                                      committee included Phillip Armstrong,
                                                                                                                                                                                                      Nigel Payne, and Richard Wilkinson.                                                                                                                                                                                           
                                                                                                                                                                                                      The committee has released three King
                                                                                                                                                                                                      reports on corporate governance in South
                                                                                                                                                                                                      Africa:

                                                                                                                                                                                                      1994 King I
                                                                                                                                                                                                      2002 King II
                                                                                                                                                                                                      2009 King III

Major Hazard                 Reg            Occupational         South Africa Talks about emergency plans-""emergency plan" means a plan                                                              Subject to the provisions of subregulation (3)   http://www.labour.gov.za/search?S
Installation                                Health & Safety                   in writing which, on the basis of identified potential incidents                                                        these regulations shall apply to                 earchableText=occupational+healt
Regulations, 1993                                                             at the installation, together with their consequences, describes                                                        employers, self-employed persons and users,      h+and+safety
                                                                              how such incidents and their                                                                                            who have on their premises, either                                                                                                                                                                                            
                                                                              consequences should be dealt with on-                                                                                   permanently or temp


Management,                   Std           Securities and       Hong Kong “A licensed or registered person should have internal control         In section 36 under
Supervision and                             Futures                        procedures and financial and operational capabilities which can       operational risk: An                                 Copies of the Guidelines are available at the
Internal Control                            Commission of                  be reasonably expected to protect its operations, its clients         effective business                                   SFC. They can also be found on the SFC's
Guidelines ("The                            Hong Kong                      and other licensed or registered persons from financial loss          continuity plan                                      website at http://www.sfc.hk/sfc/html/EN/
Internal Control                                                           arisin                                                                appropriate to the size
Guidelines") For                                                                                                                                 of the firm is
Persons Licensed By                                                                                                                              implemented to ensure                                                                                                                        
OR Registerd With The                                                                                                                            that the firm is
Securities and Futures                                                                                                                           protected from the risk
Commission                                                                                                                                       of interruption to its
                                                                                                                                                 business continuity.
                                                                                                                                                 Key processes in this
                                                                                                                                                 area includ
Manila Bank BCP              Reg            Bank of Central      Philippines   Enforced by audit, requires all banks to setup of a disaster      DR Site                                   E
                                            Philippines (local                 recovery facility.                                                                                                                                                                                             
                                            central bank)
Manual for the               Reg            FISC (The Center        Japan      Audit matter                                                      BCP development (DR                       E          Manual for the Development of Contingency       http://www.fisc.or.jp/english/
Development of                              for Financial                                                                                        site/vital records, etc)                             Plans Developing of contingency plans is one of
Contingency Plans in                        Industry                           Appointment of BCP manager                                                                                             the most important security measures for
Financial Institutions.                     Information                                                                                                                                               financial institutions. FISC published "Manual
Japan FSA                                   System)                            Implementation of policy & standard                                                                                    for the Development of Contingency Plans" in
                                                                                                                                                                                                      January 1994, which summarizes development
                                                                               Proper documentation                                                                                                   procedures of contingency plans. This manual
                                                                                                                                                                                                      was revised in 2001 and in 2006 including                                               
                                                                               Regular review of plan                                                                                                 lessons learned from earthquakes.

                                                                               Corporate-wide testing at least annually

                                                                               Planning for different scenarios




Title: MAS Business Continuity Management Guidelines (June 2003)
Regulation / Standard: Regs
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary / Description: 7 Guiding Principles on Senior Management responsibilities for BCM; embedding BCM into business-as-usual activities, incorporating sound practices; testing BCP regularly, completely and meaningfully; developing recovery strategies and setting RTO for crit
Significant Dates, Fines, Penalties: International
Category (E, A, W, I): E
Link: http://www.mas.gov.sg/resource/legislation_guidelines/risk_mgt/BCMGuidelines.pdf

Title: MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004)
Regulation / Standard: Std
Governing Body: MAS (Monetary Authority of Singapore)
Country: Singapore
Summary / Description: Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated such that the institution remains able to conduct its business with integrity and competence in the event of disruption, or unexpected termination of the outsourcing or liquidation of the service provider.
Significant Dates, Fines, Penalties: International. Issued October 2007. Updated July 1 2005.
Category (E, A, W, I): E
Link: http://www.mas.gov.sg/legislation_guidelines/risk_mgt/Guidelines_on_Risk_Management_Practices.html

Title: Disaster Management Act 2002
Regulation / Standard: Reg
Governing Body: Ministry for Provincial & Local Government; Disaster Management Act, 2002
Country: South Africa
Summary / Description: Proposed national disaster management framework. Provides for:
  · An integrated and coordinated disaster management policy that focuses on preventing and reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid
Category (E, A, W, I): E
Link: http://www.acts.co.za/disaster/index.htm

Title: NASD Rule 108 (Sept 9, 02) and SR-NASD-2002-112 (March 10, 03) (Release No. 34-48503; File No. SR-NASD-2002-108)
Regulation / Standard: Reg
Governing Body: NASD (North American Securities Dealers Association) / SEC
Country: U.S.A.
Summary / Description:
  · Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.
  · Must update its plan in the event of any material change to the member's operations, structur
Category (E, A, W, I): E
Link: http://www.sec.gov/rules/sro/34-48503.htm

Title: NASD Rule 3500: Emergency Preparedness, Part 3510: Business Continuity Plans
Regulation / Standard: Reg
Governing Body: NASD
Country: U.S.A.
Summary / Description: Requires a Business Continuity Plan addressing:
  · Alternate communications between customers, firm and employees
  · Business constituent, bank and counter party impact
  · Regulatory Reporting
  · Mission Critical Systems
Category (E, A, W, I): E
Link: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf

Title: NASD Rule 3500: Emergency Preparedness, Part 3520: Emergency Contact Information
Regulation / Standard: Reg
Governing Body: NASD
Country: U.S.A.
Summary / Description: Rule 3520 requires NASD members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the e
  · Operational and Finan
Category (E, A, W, I): E
Link: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf

Title: NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
Regulation / Standard: Reg
Governing Body: CFTC (Commodity Futures Trading Commission)
Country: U.S.A.
Summary / Description: Requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
Category (E, A, W, I): E
Link: http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9052&Section=9

Title: NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
Regulation / Standard: Std
Governing Body: NFPA
Country: U.S.A.
Summary / Description: Guideline of a step-by-step approach to emergency planning, response and recovery for companies.
Category (E, A, W, I): W
Link: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111&cookie%5Ftest=1

Title: NFPA 232: Standard on Protection of Records
Regulation / Standard: Std
Governing Body: NFPA
Country: U.S.A.
Summary / Description: Standards for protection of business records, archives and records centers.
Category (E, A, W, I): W
Link: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232
NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
  Regulation / Standard: Std
  Governing Body: NFPA (National Fire Protection Association)
  Country: U.S.A.
  Summary / Description: Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
  Significant Dates, Fines, Penalties: 4th Edition due out around April, 2010.
  Infrastructure Category: W
  Link: http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa

NIST SP 800-34 Contingency Planning Guide
  Regulation / Standard: Std
  Governing Body: NIST (National Institute of Standards and Technology)
  Country: U.S.A.
  Summary / Description:
    · Details the fundamental planning principles necessary for developing an effective contingency capability.
    · Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
  Infrastructure Category: E
  Link: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf

NYSE Rule 446: Business Continuity and Contingency Planning
  Regulation / Standard: Reg
  Governing Body: NYSE (New York Stock Exchange)
  Country: U.S.A.
  Summary / Description:
    · Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption.
    · Yearly review must be conducted of the business continuity
    - Amended in September, 2008.
  Significant Dates, Fines, Penalties: Possible image and reputation impacts for not complying with stock market regulations including, in extreme cases, potential de-listing.
  Infrastructure Category: E
  Link: http://www.sec.gov/rules/sro/34-48502.htm

OCC 2001-47: Third-Party Relationships (November 1, 2001)
  Regulation / Standard: Reg
  Governing Body: OCC
  Country: U.S.A.
  Summary / Description: Provides guidance to national banks on managing risks resulting from business relationships with third parties. It explains that third-party contracts should provide for:
    · Continuation of the business function in the event of problems with the third
  Infrastructure Category: E
  Link: http://www.occ.treas.gov/ftp/bulletin/2001-47.txt

OCC 2003-18: FFIEC (March 2003)
  Regulation / Standard: Reg
  Governing Body: OCC
  Country: U.S.A.
  Summary / Description: Information Technology Examination Handbook - Business Continuity Planning and Supervision of Technology Service Providers Booklets. The BCP Booklet describes the process for managing business continuity based on risk as the following:
    · Business impact
  Infrastructure Category: E
  Link: http://www.occ.treas.gov/ftp/bulletin/2003-18.doc

OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999)
  Regulation / Standard: Reg
  Governing Body: OCC
  Country: U.S.A.
  Summary / Description:
    · Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingen
    · Exp
  Infrastructure Category: E
  Link: http://www.occ.treas.gov/ftp/bulletin/99-9.txt

OSHA - Occupational Safety and Health Administration
  Regulation / Standard: Reg
  Governing Body: OSHA (Occupational Safety and Health Administration)
  Country: U.S.A.
  Summary / Description:
    · Disaster preparedness
    · OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
    · For businesses with 10 or fewer employees a written plan is not mandated but recommended.
  Infrastructure Category: I
  Link: http://www.osha.gov/SLTC/emergencypreparedness/index.html

Personal Data (Privacy) Ordinance
  Regulation / Standard: Std
  Governing Body: Office of the Privacy Commissioner for Personal Data - The Government of the Hong Kong Special Administrative Region
  Country: Hong Kong
  Summary / Description: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data to Hong Kong from restriction. Based on the Data Protection Principles published, the principles relevant to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to persona
  Link: http://www.pco.org.hk/english/ordinance/ordglance.html

Privacy Act of 1974 (5 USC 552a)
  Regulation / Standard: Reg
  Country: U.S.A.
  Summary / Description: Requires management to safeguard the information and to keep it accurate and current to protect the individual.
  Infrastructure Category: I
  Link: http://www.justice.gov/opcl/privstat.htm
Prudent Man Concept          Reg            Common Law -         International · As per the Uniform Commercial Code, legal standard used to                                                   I         Uniform Commercial Code                            http://www.law.cornell.edu/uscode/
                                            Negligence Liability               determine whether appropriate action was taken in a particular                                                                                                              html/uscode29/usc_sec_29_00001
                                                                               situation.                                                                                                               Any company, regardless of its industry, is        104----000-.html
                                                                                                                                                                                                        expected to exercise due-care to implement
                                                                                 · Directors, senior management, officers and agents, when                                                              and maintain security mechanisms and
                                                                                 working for an organization, are considered to be in a posi                                                            practices that protect the company, its
                                                                                                                                                                                                        employees, customers, and partners., Due-                                                                                                                                                                                     
                                                                                                                                                                                                        Care can be compared to the "prudent man"
                                                                                                                                                                                                        concept. A prudent man is seen as
                                                                                                                                                                                                        responsible, careful, cautious, and practical. A
                                                                                                                                                                                                        company practicing due-care is seen in the
                                                                                                                                                                                                        same light by State and Federal Courts.

Public Finance        Reg                                          South Africa Unable to find anything specific to BC or DR… “availability of                                                                                                             http://www.acts.co.za/public_fin_m
Management Act, 1999-                                                           financial information” was included…                                                                                                                                       an/index.htm
DRAFT Treasury
Relations
BS (British Standard) Std                   BSI (British         International · BS 25999-1 is a BCM code of practice and BS25999-2 is a                                                     E                                                             http://www.w3j.com/xml/
25999                                       Standards Institute)               specification for business continuity management. (NOTE:
                                                                               The BS25999 standard is a standard that must be purchased.)
                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                                                                                 BS 25999-1 (Code of Practice) replaced PAS56.

Title: Publicly Available Specification (PAS) 56 - Guide to Business Continuity Management
Regulation / Standard: Standard
Governing Body: BSI (British Standards Institute)
Country: UK
Summary / Description: PAS56 has been replaced with BS 25999.
Category (E, A, W, I): E

Title: SAMOS and CLS Business Continuity Procedures - SA Reserve Bank
Regulation / Standard: Standard
Governing Body: South African Reserve Bank, National Payment System Department
Country: South Africa
Summary / Description: Business Continuity Procedures for SA Reserve Bank and Participants
Category (E, A, W, I): E
Link: www.reservebank.co.za/internet/Publication.nsf/LADV/8B8A38FD0C1E5F5042256FCE00308106/$File/CLSBCP_SARB.pdf

Title: Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) - SECTION 404
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary / Description:
· Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creation,
Significant Dates, Fines, Penalties: Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
Category (E, A, W, I): E
Link: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

Title: Sarbanes-Oxley Act of 2002: SECTION 409
Regulation / Standard: Regulation
Governing Body: PCAOB - Public Company Accounting Oversight Board
Country: U.S.A.
Summary / Description:
· Issuers must disclose information on material changes in financial condition on a regular basis
Areas assessed include:
· Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
· Vital records creation
Significant Dates, Fines, Penalties: · If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion.
Category (E, A, W, I): E
Link: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

Title: Statement on Auditing Standards (SAS) 70 audit reports
Regulation / Standard: Standard
Governing Body: American Institute of Certified Public Accountants (AICPA).
Country: U.S.A.
Summary / Description:
SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.

Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
Significant Dates, Fines, Penalties: Effective 1993
Link: http://www.sas70.com/

Title: SEC 38-a : Investment Company Act of 1940
Governing Body: SEC
Country: U.S.A.
Category (E, A, W, I): E
Link: http://www.law.uc.edu/CCL/InvCoAct/sec38.html

Title: SEC Act of 1934: (15 U.S.C.A 78A) Rule 17a-4
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary / Description: Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.
Category (E, A, W, I): E
Link: http://www.sec.gov/about/laws/sea34.pdf
Link: http://www.sec.gov/about/laws.shtml#secexact1934 (summary information)

Title: Securities and Exchange Act, Sections 32(a) and (b)
Regulation / Standard: Regulation
Governing Body: SEC
Country: U.S.A.
Summary / Description:
· Policy addresses criminal liability of Directors and officers for failure to: Protect computerized information; Document process used to assess risks of information loss; exercise "duty of care"
· Burden of proof lies with the Directors and Officers
Significant Dates, Fines, Penalties: Potential fines imposed include personal fines up to $10,000 and corporate fines up to $1,000,000.
Category (E, A, W, I): E
Link: http://www.law.uc.edu/CCL/34Act/sec32.html

Title: Supervision of Technology Service Providers Booklets (May 2003)
Regulation / Standard: Standard
Governing Body: FFIEC
Country: U.S.A.
Summary / Description:
BUSINESS CONTINUITY PLANNING, SUPERVISION OF TECHNOLOGY SERVICE PROVIDER GUIDANCE RELEASED BY FEDERAL FINANCIAL REGULATORS

The Business Continuity Planning Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

Examiners should focus on:
· Management of Technology- the planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or technology service providers.
· Int
Category (E, A, W, I): W
Link: http://www.ffiec.gov/press/pr052003.htm

Telecommunications         Reg            FCC - Federal           U.S.A.      The act was intended to promote competition in the                                                         E                                                        www.fcc.gov/telecom.html
Act of 1996                               Communications                      telecommunications industry. Section 256 gives the FCC the
                                          Commission                          right to oversee that telecommunications networks “seamlessly
                                                                              and transparently transmit and receive information between
                                                                              and across telecommunications networks.”
                                                                                                                                                                                                                                                                                                                                                                                                                                                        
                                                                              The FCC‟s Network Reliability and Interoperability Council
                                                                              provides best practices for business continuity and disaster
                                                                              recovery in the telecommunications industry. (www.nric.org)



Terrorism- Real             Std           Business                U.S.A.      The Roundtable examines the unique nature of the terrorist                                               W                                                          http://www.abanet.org/adminlaw/co
Threats, Real Costs,                      Roundtable                          threat, as well as the strengths and weaknesses of both                                                                                                             nference/2003/NewFrontier/Newfro
Joint solutions (June                                                         government and business in addressing that threat. It then                                                                                                          ntierprogram.html
2003)                                                                         recommends various tools and procedures for government to
                                                                              use when regulating and outline the difficulty of allocating the                                                                                                                                                                                                                                                                                                          
                                                                              costs of security.



Thailand BCP
    Regulation / Standard: Reg
    Governing Body: Governing Body will be Bank of Thailand / Securities and Exchange Commission, Thailand.
    Country: Thailand
    Summary / Description: The FCC's Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
    Significant Dates, Fines, Penalties: BCP, Vital records, DR Site
    Category (E, A, W, I): E
    Notes / Comments: Unofficial translation by courtesy of The Foreign Banks' Association. This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version.
    Link: http://www2.bot.or.th/fipcs/Documents/FPG/2549/EngPDF/25490062.pdf



The Promotion of Access to Information Act (#2 of 2000)
    Regulation / Standard: Reg
    Governing Body: Parliament of the Republic of South Africa
    Country: South Africa
    Summary / Description: ACT - To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected ther
    Link: http://www.acts.co.za/promotion_of_access_to_information_act_2000.htm
Turnbull Report (September 1999)
    Regulation / Standard: Reg
    Governing Body: Institute of Chartered Accountants in England and Wales
    Country: UK
    Summary / Description: Internal Control - Guidance for Directors on the Combined Code
        · States that anyone listed on the London Stock Exchange must have BCP
        · Requires companies to report whether the board has reviewed the system of "internal
    Significant Dates, Fines, Penalties: Those companies found in violation could be de-listed from the London Stock Exchange.
    Category (E, A, W, I): E
    Link: www.icaew.co.uk/index.cfm?route=120907




                                                                                                                                                                    Page 16 of 19
USA Patriot Act of 2001: (P.L. 107-56 2001 HR 3162)
    Regulation / Standard: Reg
    Governing Body: DHS
    Country: U.S.A.
    Summary / Description:
        · The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
    Significant Dates, Fines, Penalties:
        · Within 6 months after the date of enactment of this act, the secretary and other appropriate government agencies shall submit a report to Congress.
        · Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts
    Category (E, A, W, I): E
    Link: http://www.epic.org/privacy/terrorism/hr3162.html


Various OCC Comptroller's Handbooks
    Regulation / Standard: Std
    Governing Body: Office of the Comptroller
    Country: U.S.A.
    Summary / Description: The OCC Comptroller Handbooks are issued to provide guidance for examiners. Several of these handbooks discuss business continuity planning and provide guidance for examiners. Listed below are some of the OCC handbooks that discuss BCP:
        * Asset Management
        * Asset Securitization
        * Community Bank Fiduciary Activities Supervision
        * Community Bank Supervision
        * Custody Services
        * Emerging Market Country Products and Trading Activities
        * Federal Branches and Agencies Supervision
        * Insurance Activities
        * Internal and External Audits
        * Internal Controls
        * Internet Banking
        * Investment Management Services
        * Large Bank Supervision
        * Liquidity
        * Merchant Processing
        * Risk Management of Financial Derivatives
    Category (E, A, W, I): E
    Link: http://www.occ.treas.gov/handbook/chndbk.htm

VISA CISP (Cardholder Information Security Program)
    Regulation / Standard: Std
    Governing Body: VISA, endorsed by AMEX, Diners, Discover, JCB
    Country: U.S.A.
    Summary / Description: Required compliance standards for major credit card companies for regular security assessments and reporting.
    Significant Dates, Fines, Penalties: Failure to comply can result in:
        · Fines of $50,000 for first violation, $100,000 for the second violation.
        · Restrictions on merchant
        · Permanent prohibition of participation in Visa
    Category (E, A, W, I): E
    Link: http://www.usa.visa.com/merchants/risk_management/cisp_overview.html?it=l2|/merchants/risk_management/cisp.html|Overview#anchor_2

Enforced (E) Most frequently enforced for compliance purposes
Ambiguous (A) Further clarification regarding strong ties with Business Continuity needs to happen
Watch List (W) Participating members should be looking for the presence of this item within the coming months/years
Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization




                                                                                                                                                           Page 17 of 19
Additional Resources:
    - see regulatory checklist at http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp
    - see: http://www.strohlsystems.com/Education/_files/Regulations/RegulationsStandards.pdf




                                                                                                               Page 18 of 19




                                                                                                                                                    Homework Assigned by Rows

   Acronym                       Country   Definition

   BSE                           India     Bombay Stock Exchange
   DHS                           U.S.A.    Department of Homeland Security (USA)
   FRB                           U.S.A.    Federal Reserve Bank
   FSSCC                         U.S.A.    Financial Services Sector Coordinating Council for Critical Infrastructure Protection
   NSE                           India     National Stock Exchange
   OCC                           U.S.A.    Office of the Comptroller of the Currency
   RBI                           India     Reserve Bank of India
   SEBI                          India     Securities & Exchange Board of India
   SEC                           U.S.A.    Securities and Exchange Commission




R&R Acronyms                                                                                                                       Page 19 of 19
