Regulations Best Practices and Standards An Overview and

Regulations, Best Practices and Standards An Overview and Case Study for Putting it to Work in Your Organization Flagg Management Conference March 17, 2009 – 3: 10 P. M. Tom Martin tmartin@era-1. com Tim Mathews tmathews@ets. org Karen Hughes khughes@ansi. org

Level Setting Definitions Regulations (Source: Georgetown Law School) A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature, they are also referred to as "rules" or simply "administrative law. " Best Practices (Source: Business Dictionary. COM) Methods and techniques that have consistently shown results superior than those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things. Standards (Source: International Standards Organization - ISO) Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose. 2 5/19/08

Regulations, Best Practices & Standards • Regulatory (US) § FFIEC - Federal Financial Institutions Examination Council § OCC - Office of the Controller of the Currency § § § FINRA - The Financial Industry Regulatory Authority SEC - Securities and Exchange Commission HIPAA - Health Insurance Portability and Accountability Act SOX - Sarbanes-Oxley + Others • Regulatory (International) § FSA - Financial Services Authority (UK) § MAS - Monetary Authority of Singapore § Basel II – G 10 Countries (Basel, Switzerland – June 2004) 3 5/19/08

Regulations, Best Practices & Standards • Best Practices § ASIS International - Preparedness & Continuity Management Best Practice Standard § DRII/BCI - Professional Practices for Business Continuity Planners § BCI - The BCI Good Practice Guidelines 2007 (United Kingdom) § DRJ/DRII - Generally Accepted Practices (GAP) § Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006) 4 5/19/08

Regulations, Best Practices & Standards • Standards § NFPA 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US) § BS 25999 - Business Continuity Management (BSI/UK) Ø-1 Code of Practice Ø-2 Specification § ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International) § Title IX – PL 110 -53 - Voluntary Certification against yet to be Announced Standards (US) § ISO 24762 – Guide for Information and Communications Technology for Disaster Recovery (ISO/International) § HB 292: 2006 - A Practitioners Guide to Business Continuity Management (Australia) § CSA Z 1600 - Standard on Emergency Management and Business Continuity Programs (Canada) § TR 19: 2004 - BCM Framework & Technical Reference (Singapore) § SI 24001: 2007 - Security & Continuity Management Systems (Israel) 5 5/19/08

Recent Events • July 2008 – Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999 – BSI Certification Status • 22 firms certified worldwide • 160 active applications – S&P announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic) • August 2008 – BS 25777 introduced – Code of Practice for Information and Communications Technology Continuity • Similar to ISO 24762 – Guide for ICT and DR – DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) – to establish and oversee the implementation and accreditation of Title IX 6 5/19/08

Recent Events (cont’d) • August 2008 (cont’d) – ASIS announces plans for a new US Business Continuity and Risk standard • Solicits the support of ANSI organization – ASIS is an ANSI accredited Standards Development Organization (SDO) • DRII protests and rallies others to do the same – Carnegie Mellon – Cert Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published • October 2008 – ANSI Homeland Security Standards Panel discussion • Subject was Public law 110 -53 Title XI voluntary standards – ASIS hosted stakeholder deliberation meeting and then reaffirms its direction in developing a new ANSI standard 7 5/19/08

Recent Events (cont’d) • October 2008 (cont’d) – Singapore (SPRING) launches new certifiable standard SS 540 which replaces TR 19: 2004 • January 2009 – NFPA issues 2010 version of NFPA 1600 for public comment – ASIS International holds joint working group meeting to outline new US standard based largely on BS 25999 – 1 st public feedback session on Title IX sponsored by the DHS – The Business Continuity Institute announced the release of an updated version of its business continuity Good Practice Guidelines -- designated as GPG 2008 -2 • February 2009 – 2 nd public feedback session on Title IX sponsored by the DHS Work Continues 8 5/19/08

BS 25999: A Case Study Tuesday, March 17, 2009 Tim Mathews Director, Enterprise Resiliency Educational Testing Service

Educational Testing Service • Our Mission: To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and educational performance, and support education and professional development for all people worldwide. • Our Vision: To be recognized as the global leader in providing fair and valid assessments, research and related products and services to help individuals, parents, teachers, educational institutions, businesses, governments, countries, states and school districts, as well as measurement specialists and researchers. • Our Values: Social responsibility, equity, opportunity, and quality. We practice these values by listening to educators, parents and critics. We learn what students and the institutions they attend need. We lead in the development of products and services to help teachers teach, students learn and parents measure the intellectual progress of their children.

Today’s agenda: • Why pursue a standard? • Why BS 25999? • What is the process? • What have we learned?

Why pursue a standard? Support the Corporate Strategy • Establish and maintain trust – enhance and preserve the Brand • Supply chain risk management – Critical vendors and suppliers may experience a disaster – What do we know about their resiliency? • Competitive advantage – may increase or maintain margin vis-à- vis competition – Certified BCMS is a differentiator (RFI, RFP and Contract) – May reduce the burdens of internal and external audits from your key customers. • SLA and scope “expectation” management – Key customers are vague – As DHS voluntary compliance percolates through the business community, there will be a “Wal-Mart” effect • Training and knowledge transfer

Why pursue a standard? Effective Risk Management • Debt valuation and risk ratings – S&P (and Moody’s) • Enterprise Risk Management (ERM) will be added as an element of all corporate ratings • Requires that a firm address all its risks • Operational risk is a critical element … encompassing security, resilience, etc “. . the extent to which companies are adopting standards, … would bolster the view that management has a proactive culture and attitude towards risk. However it’s too early …. to know what weight we’d place on that evidence. ” – Firms must show they are addressing risks in a systematic manner • Tort Negligence: Industry standards inform prudent practice and “affirmative defense. ” – ’ 93 WTC bombing decision – Port Authority held more liable than terrorists ($100 M)

Why pursue a standard? Compliance and Governance • DHS voluntary mandate - Title IX • Various compliance requirements – Regulatory – Periodic external financial control audits – Insurability audits – Independent client audits • Common framework for communication of capabilities – Business development – Supply chain – Inter-company (parent and subs) • Integrated recovery planning and exercises (with subs, key suppliers and clients) • Leverage plan development and maintenance activities

Why BS 25999? • Accepted Standard that establishes the process, principles and • • • terminology of business continuity management (BCM) BS 25999 -1 Code of Practice – provides guidance and recommendations BS 25999 -2 Detailed Specification – appears to meet or exceed the published DHS criteria Provides a non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities ETS Enterprise Resiliency program aligned well to the standard Gaps were straight forward to implement

BS 25999 -2 Certification Process Standard (Criteria) Research + Assessment (Evidence) Demonstrate compliance with specification Self-assessment Peer discussion Stage 1 audit Address any nonconformities Demonstrate on-going compliance with specification Stage 2 audit Online self assessment Review Policy and SOP Part 1: Code of practice Risk Assessments and Internal Audit Part 2: Specification Certification Refresh program Pre-assessment Industry practices = Review BIA, BCP, TDRPs and ERP Remediation Surveillance

BS 25999 -2 Certification Timeline Standard (Criteria) + Assessment (Evidence) = Certification 7 months 2 months 9/08 – 4/09 Research annual recurring Self-assessment Pre-assessment 3 months Stage 1 audit Stage 2 audit 1 month Remediation 2 days 4 months 4/08 – 8/08 10 days 6 weeks Surveillance 2 days

Lessons Learned • A really good and effective BC program does not necessarily • • meet the standard. Learn standards “speak” – “shall = will” – Do what you say you do – write it down! BC/DR planning software may introduce a document management gap Internal Audit is not an Internal Audit You cannot dance around the Maximum Tolerable Period of Disruption (MTOTB) Risk Assessment – must be part of your program Who needs a CAPA? Light on the Technology aspects of recovery planning Dot the i’s and cross the t’s – the devil is in the details!

Flagg Management Conference Presented by Karen Hughes Director of Homeland Security Standards March 17, 2009 19

Agenda n n ANSI-HSSP Overview Title IX Program Trajectory of ISO/PAS 22399 Business Case for Certification Flagg Management Conference March 17, 2009 Slide 20

ANSI-Homeland Security Standards Panel Mission: n n Identify and facilitate the development and enhancement of homeland security standards Serve as private/public sector partnership for standards issues that cut cross-sector Provide a forum for information sharing on homeland security standards issue, as well as the overall standards development and conformity assessment processes Facilitate dialogue and networking on key issues for homeland security stakeholders Flagg Management Conference March 17, 2009 Slide 21

Voluntary Private Sector Preparedness Accreditation & Certification Program n Goal Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment n Background Mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to establish a common set of criteria for private sector preparedness Flagg Management Conference March 17, 2009 Slide 22

Voluntary Private Sector Preparedness Accreditation & Certification Program Key Guiding Principles n Participation is voluntary n Provide method to independently certify preparedness of private sector entities n Administered by non-government entity (ANAB) n DHS designation of one or more standards to be used in assessing private sector preparedness n Incorporate existing regulatory requirements and existing efforts n Certification of private sector entities will be performed by nongovernment certifying bodies Flagg Management Conference March 17, 2009 Slide 23

Voluntary Private Sector Preparedness Accreditation & Certification Program Possible Standards n International Ø ISO 22399 Ø ISO 22301 n National Ø NFPA 1600 (USA) Ø BS 25999 (UK) Ø CSA Z 1600 (Canada) Flagg Management Conference March 17, 2009 Slide 24

ISO/PAS 22399: 2007 ISO/TC 223 – Societal Security n Scope International standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, amongst all interested parties. n Structure WG 1 – Framework standard on societal security management WG 2 – Terminology WG 3 – Command control, coordination and cooperation WG 4 – Preparedness and continuity n Membership Participating countries: 37 Observing countries: 17 Flagg Management Conference March 17, 2009 Slide 25

ISO/PAS 22399: 2007 ISO/TC 223 Work Program n ISO/PAS 22399: 2007 Societal security - Guideline for incident preparedness and operational continuity management n Next Steps: Ø Development of ISO 22301 – Management system standard focused on preparedness and continuity management Ø Conversion of ISO 22399 from PAS to Draft International Standard as a guide to ISO 22301 Flagg Management Conference March 17, 2009 Slide 26

Inter. CEP n n n International Center for Enterprise Preparedness Catalyst focused on Private Sector Preparedness & Corporate Resilience Working Groups Ø Ø n Supply Chain Management Legal Liability Mitigation Insurance Acknowledgement Rating Agency Acknowledgement Online Clearinghouse of information Flagg Management Conference March 17, 2009 Slide 27

Business Case for Certification According to the Institute for Business & Home Safety, an estimated 25% of businesses do not reopen following a major disaster. Compliance with preparedness standards can… Ø Minimize impact of business disruptions Ø Reduce overall costs Ø Enhance corporate reputation Ø Employee protection Ø Link between good practice/standards (what to do) and benefits (why to do it) Flagg Management Conference March 17, 2009 Slide 28

Further Information n For additional information about: Ø ANSI: www. ansi. org/hssp Ø ANAB: www. anab. org Ø Inter. CEP: www. nyu. edu/intercep Ø PS-Prep: www. fema. gov/business/certification/index. htm Ø ISO: www. iso. org Ø HSSD: www. hssd. us/ Ø Questions can be directed to: l Karen Hughes Program Director, Homeland Security Standards (khughes@ansi. org; 212 -642 -4992) Flagg Management Conference March 17, 2009 Slide 29