Regulations, Best Practices and Standards
How do Current Standards Measure Up?
ACP Garden State Chapter
April 2, 2009
Tom Martin
[email protected]
Agenda
• Review of Regulations, Best Practices & Standards
• Review of Recent Events
• Specific Focus on BS 25999 & NFPA1600
  – Compare & Contrast the Two Standards
• How to Quantify a Standards Assessment?
4/02/09
Level Setting Definitions

Regulations (Source: Georgetown Law School)
A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."

Best Practices (Source: BusinessDictionary.com)
Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long, as people keep on finding better ways of doing things.

Standards (Source: International Organization for Standardization - ISO)
Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
How Do Companies Measure the Performance of their BCM Program today?
• 71.7% Business Continuity Plan Exercises
• 51.8% Audit Findings
• 31.8% Benchmarking to Industry Norms
• 30.6% Metrics Program
• 22.7% Performance Reviews
• 16.6% Technology Recovery Test Results
• 15.1% Maturity Modeling
• 14.0% We do not Measure BCM Performance
• 13.8% Service Level Monitoring
• 8.7% Review of Program Capabilities vs. Standards
Source: 2008 CI/KPMG BCM Benchmark Survey (respondents could select more than one method)
Regulations, Best Practices & Standards
• Regulatory (US)
  – FFIEC - Federal Financial Institutions Examination Council
  – OCC - Office of the Comptroller of the Currency
  – FINRA - The Financial Industry Regulatory Authority
  – SEC - Securities and Exchange Commission
  – HIPAA - Health Insurance Portability and Accountability Act
  – SOX - Sarbanes-Oxley
  – + Others
• Regulatory (International)
  – FSA - Financial Services Authority (UK)
  – MAS - Monetary Authority of Singapore
  – Basel II – G10 Countries (Basel, Switzerland – June 2004)

Note on Basel II: National regulators indicated they were to implement Basel II, in some form or another, by 2015. Basel II attempts to provide regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face, by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.
Regulations, Best Practices & Standards
• Best Practices
  – ASIS International - Preparedness & Continuity Management Best Practice Standard
  – DRII/BCI - Professional Practices for Business Continuity Planners
  – BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
  – DRJ/DRII - Generally Accepted Practices (GAP)
  – Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)
Regulations, Best Practices & Standards
• Standards
  – NFPA1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
  – BS 25999 - Business Continuity Management (BSI/UK)
    -1 Code of Practice
    -2 Specification
  – CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada)
  – HB 292:2006 - A Practitioners Guide to Business Continuity Management (Australia)
  – TR19:2004 - BCM Framework & Technical Reference (Singapore)
  – SI 24001:2007 - Security & Continuity Management Systems (Israel)
  – ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International)
  – ISO 24762 – Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
  – Title IX – PL 110-53 - Voluntary Certification against yet to be Announced Standards (US)
Recent Events
• July 2008
  – Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999
  – BSI Certification Status
    • 22 firms certified worldwide
    • 160 active applications
  – Standard & Poor's announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)
• August 2008
  – BS 25777 introduced – Code of Practice for Information and Communications Technology Continuity
    • Similar to ISO 24762 – Guide for ICT and DR
  – DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) – to establish and oversee the implementation and accreditation of Title IX
Recent Events (cont'd)
• August 2008 (cont'd)
  – ASIS announces plans for a new US Business Continuity and Risk standard
    • Solicits the support of the ANSI organization
      – ASIS is an ANSI accredited Standards Development Organization (SDO)
    • DRII protests and rallies others to do the same
  – Carnegie Mellon – CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published
• October 2008
  – ANSI & Homeland Security Standards Panel discussion
    • Subject was Public Law 110-53 Title IX voluntary standards
    • DHS draft on criteria to be evaluated in standards selection
  – ASIS hosted stakeholder deliberation meeting and then reaffirms its direction in developing a new ANSI standard
Recent Events (cont'd)
• October 2008 (cont'd)
  – Singapore (SPRING) launches new certifiable standard SS540, which replaces TR 19:2004
• January 2009
  – NFPA issues 2010 version of NFPA1600 for public comment
  – ASIS International holds joint working group meeting to outline new US standard based largely on BS 25999
  – 1st public feedback session on Title IX sponsored by the DHS
  – The Business Continuity Institute (BCI) announced the release of an updated version of its business continuity Good Practice Guidelines, designated as GPG2008-2
• February 2009
  – 2nd public feedback session on Title IX sponsored by the DHS
Work Continues
BS 25999 & NFPA1600 Comparison

                        BS 25999                     NFPA1600
History                 7 years (PAS 56)             17 years
Releases                2006-07                      2007 update / 2010 draft
Issuing body            BSI Standard (UK)            ANSI Standard (US)
Certifiable             Yes                          Not currently certifiable
Structure               Follows ISO structure        Non-ISO structure
Element groupings       11                           16
Detail points           ~156                         ~112
Availability            Available for cost           Available for free
Length                  12 pages (specification)     4 pages
Key Differences
• NFPA1600
  – Component/Task Focus
  – More Reactive in Nature
  – Flow Applicable to Mitigation/Preparedness/Response/Recovery
  – Strong on Emergency Planning & Response
• BS 25999
  – Process/System Focus
  – More Proactive in Nature
  – Flow Applicable to Plan-Do-Check-Act Model (ISO)
  – Strong on Awareness "Embed into the Culture"
  – Strong on Documentation, Records & Accountability
Core Elements of These and Other Standards
• A set of voluntary criteria
• Applicable to any size organization
• Provides for auditing and validation
• Are an alternative to regulations
• May become recognized as industry best practices (are also driven from same)
• A private sector vs. legislative process
Source: Sloan Report "Framework for Voluntary Preparedness", published February 2008 – compared 7 standards/best practices
Common Elements Examined by These Standards
• Scope & Policy
• Risk Identification
• Prevention & Mitigation, Evaluation & Planning
• Incident Management
• Recovery
• Awareness & Training
• Exercise & Testing
• Program Revision & Improvement

Any of the existing standards, guidelines, best practices, or regulatory approaches can be used to meet the intent of Title IX of PL 110-53. What is lacking is the know-how, implementation tools and evaluation metrics to help the private sector, particularly small and medium businesses, successfully select and implement an approach.
Source: Sloan Report "Framework for Voluntary Preparedness"
Why Perform a Program Assessment?
"If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it."
- Abraham Lincoln
• Simplify measuring and managing continuity activities
• Understand how key resiliency competencies map to leading BC practice standards, i.e., NFPA1600, BS 25999, etc.
• Improve compliance efficiency – streamline and simplify management reporting and/or regulatory efforts
• Provide an appraisal methodology to benchmark an organization's resiliency and those of third party suppliers
• Establish a sharable common measurement of risk and resiliency
• Establish a roadmap for implementing a mature resiliency program
How to Aggregate & Report Results?

Process/System Approach – BS 25999-2 (11 elements / 156 examination points)
• BCM Program Management
• Understanding the Organization
• Determining BCM Strategy
• Developing & Implementing the Response
• Exercising & Maintaining
• Management Review
• Embedding BCM in the Culture
• Documentation & Records
• Internal Audit
• Preventive & Corrective Actions
• Continual Improvement

Component/Task Approach – NFPA 1600 (16 elements / 112 examination points)
• Program Management
• Laws & Authorities
• Risk Assessment
• Incident Prevention
• Mitigation
• Resource Management & Logistics
• Mutual Aid & Assistance
• Planning
• Incident Management
• Communications & Warning
• Operational Procedures
• Facilities
• Training
• Exercises, Evaluations & Corrective Actions
• Crisis Communication & Public Information
• Finance & Administration
BS 25999-2 Summary Perspective
[Radar chart: BS 25999-2 View – Measurement Against Specifications, scale 0.00 to 3.00, one axis per element: Establish & Manage, Understand the Organization, Determine the Strategy, Develop & Implement, Exercise & Maintain, Internal Audit, Management Review, Preventive & Corrective Actions, Documentation & Records, Embed in the Culture, Continual Improvement]
Composite Score: 1.94
NFPA 1600 Summary Perspective
[Radar chart: NFPA1600 View, scale 0.00 to 3.00, one axis per element: Program Management, Laws & Authorities, Risk Assessment, Incident Prevention, Mitigation, Resource Management & Logistics, Mutual Aid & Assistance, Planning, Incident Management, Communications & Warning, Operational Procedures, Facilities, Training, Exercises, Evaluations & Corrective Actions, Crisis Communication & Public Information, Finance & Administration]
Composite Score: 2.05
Grouping of Examination Points
[Bar chart: % Examination Points – Tabulation Within Each Grouping; y-axis % Results (0% to 100%); groups: Policy, Organization, Methodology, Documentation, Capability, Activity; series: Yes, Q yes, No]
Program Maturity
[Bar chart: % Responses in Each Program Level (0% to 100%); program levels: Basic, Emerging, Mature, TBD, N/A; series: Yes, Q yes, No]
Quadrant Placement
[Quadrant chart: BS 25999-2 Elements Within Quadrants; horizontal axis Planning (Weak to Strong), vertical axis Execution (Weak to Strong); elements placed: Establish & Manage, Embed in the Culture, Documentation & Records, Understand the Organization, Determine the Strategy, Develop & Implement, Exercise & Maintain, Internal Audit, Management Review, Preventive & Corrective Actions, Continual Improvement]
Thank You
[email protected]
973-325-9900