Number of slides: 22
Regulations, Best Practices and Standards: How Do Current Standards Measure Up?
ACP Garden State Chapter, April 2, 2009
Tom Martin, tmartin@eaglerockalliance.com
Agenda
• Review of Regulations, Best Practices & Standards
• Review of Recent Events
• Specific Focus on BS 25999 & NFPA 1600 – Compare & Contrast the Two Standards
• How to Quantify a Standards Assessment?
2 4/02/09
Level Setting Definitions
Regulations (Source: Georgetown Law School): A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."
Best Practices (Source: BusinessDictionary.com): Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things.
Standards (Source: International Organization for Standardization - ISO): Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
How Do Companies Measure the Performance of their BCM Program Today?
• 71.7% Business Continuity Plan Exercises
• 51.8% Audit Findings
• 31.8% Benchmarking to Industry Norms
• 30.6% Metrics Program
• 22.7% Performance Reviews
• 16.6% Technology Recovery Test Results
• 15.1% Maturity Modeling
• 14% We Do Not Measure BCM Performance
• 13.8% Service Level Monitoring
• 8.7% Review of Program Capabilities vs. Standards
Source: 2008 CI/KPMG BCM Benchmark Survey
Regulations, Best Practices & Standards
• Regulatory (US)
§ FFIEC - Federal Financial Institutions Examination Council
§ OCC - Office of the Comptroller of the Currency
§ FINRA - The Financial Industry Regulatory Authority
§ SEC - Securities and Exchange Commission
§ HIPAA - Health Insurance Portability and Accountability Act
§ SOX - Sarbanes-Oxley
§ + Others
• Regulatory (International)
§ FSA - Financial Services Authority (UK)
§ MAS - Monetary Authority of Singapore
§ Basel II – G10 Countries (Basel, Switzerland – June 2004)
Basel II: National regulators indicated they were to implement Basel II, in some form or another, by 2015. Basel II attempts to provide regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face, by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.
Regulations, Best Practices & Standards
• Best Practices
§ ASIS International - Preparedness & Continuity Management Best Practice Standard
§ DRII/BCI - Professional Practices for Business Continuity Planners
§ BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
§ DRJ/DRII - Generally Accepted Practices (GAP)
§ Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)
Regulations, Best Practices & Standards
• Standards
§ NFPA 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
§ BS 25999 - Business Continuity Management (BSI/UK)
  Ø BS 25999-1 Code of Practice
  Ø BS 25999-2 Specification
§ CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada)
§ HB 292:2006 - A Practitioner's Guide to Business Continuity Management (Australia)
§ TR 19:2004 - BCM Framework & Technical Reference (Singapore)
§ SI 24001:2007 - Security & Continuity Management Systems (Israel)
§ ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International)
§ ISO 24762 – Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
§ Title IX – PL 110-53 - Voluntary Certification against yet-to-be-announced Standards (US)
Recent Events
• July 2008
– Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999
– BSI Certification Status
  • 22 firms certified worldwide
  • 160 active applications
– Standard & Poor's announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)
• August 2008
– BS 25777 introduced – Code of Practice for Information and Communications Technology Continuity
  • Similar to ISO 24762 – Guide for ICT and DR
– DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the implementation and accreditation of Title IX
Recent Events (cont'd)
• August 2008 (cont'd)
– ASIS announces plans for a new US Business Continuity and Risk standard
  • Solicits the support of the ANSI organization – ASIS is an ANSI-accredited Standards Development Organization (SDO)
  • DRII protests and rallies others to do the same
– Carnegie Mellon – CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published
• October 2008
– ANSI & Homeland Security Standards Panel discussion
  • Subject was Public Law 110-53 Title IX voluntary standards
  • DHS draft on criteria to be evaluated in standards selection
– ASIS hosted stakeholder deliberation meeting and then reaffirms its direction in developing a new ANSI standard
Recent Events (cont'd)
• October 2008 (cont'd)
– Singapore (SPRING) launches new certifiable standard SS 540, which replaces TR 19:2004
• January 2009
– NFPA issues 2010 version of NFPA 1600 for public comment
– ASIS International holds joint working group meeting to outline new US standard based largely on BS 25999
– 1st public feedback session on Title IX sponsored by the DHS
– The Business Continuity Institute (BCI) announced the release of an updated version of its business continuity Good Practice Guidelines, designated as GPG 2008-2
• February 2009
– 2nd public feedback session on Title IX sponsored by the DHS
Work Continues
BS 25999 & NFPA 1600 Comparison

BS 25999                          NFPA 1600
Ø 7 year history (PAS 56)         Ø 17 year history
Ø 2006-07 releases                Ø 2007 update / 2010 draft
Ø BSI Standard (UK)               Ø ANSI Standard (US)
Ø Certifiable                     Ø Not Currently Certifiable
Ø Follows ISO structure           Ø Non-ISO structure
Ø 11 Element Groupings            Ø 16 Element Groupings
Ø ~156 detail points              Ø ~112 detail points
Ø Available for Cost              Ø Available for Free
Ø 12 pages (specification)        Ø 4 pages
Key Differences
• NFPA 1600
§ Component/Task Focus
§ More Reactive in Nature
§ Flow Applicable to Mitigation/Preparedness/Response/Recovery
§ Strong on Emergency Planning & Response
• BS 25999
§ Process/System Focus
§ More Proactive in Nature
§ Flow Applicable to Plan-Do-Check-Act Model (ISO)
§ Strong on Awareness – "Embed into the Culture"
§ Strong on Documentation, Records & Accountability
Core Elements of These and Other Standards
• A set of voluntary criteria
• Applicable to any size organization
• Provides for auditing and validation
• Are an alternative to regulations
• May become recognized as industry best practices (are also driven from same)
• A private sector vs. legislative process
Source: Sloan Report "Framework for Voluntary Preparedness," published February 2008 – compared 7 standards/best practices
Common Elements Examined by These Standards
• Scope & Policy
• Risk Identification
• Prevention & Mitigation, Evaluation & Planning
• Incident Management
• Recovery
• Awareness & Training
• Exercise & Testing
• Program Revision & Improvement
Any of the existing approaches (standards, guidelines, best practices, or regulatory) can be used to meet the intent of Title IX, PL 110-53. What is lacking is the know-how, implementation tools and evaluation metrics to help the private sector, particularly small and medium businesses, successfully select and implement an approach.
Source: Sloan Report "Framework for Voluntary Preparedness"
Why Perform a Program Assessment?
"If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it." - Abraham Lincoln
• Simplify measuring and managing continuity activities
• Understand how key resiliency competencies map to leading BC practice standards, i.e., NFPA 1600, BS 25999, etc.
• Improve compliance efficiency – streamline and simplify management reporting and/or regulatory efforts
• Provide an appraisal methodology to benchmark an organization's resiliency and that of third-party suppliers
• Establish a sharable common measurement of risk and resiliency
• Establish a roadmap for implementing a mature resiliency program
How to Aggregate & Report Results? (chart slide)
BS 25999-2 Summary Perspective (chart slide)
NFPA 1600 Summary Perspective (chart slide)
Grouping of Examination Points (chart slide)
Program Maturity (chart slide)
Quadrant Placement (chart slide)
Thank You
tmartin@eaglerockalliance.com
973-325-9900