D1: BS 25999 A Case Study
Monday, April 27, 2009
Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service
Educational Testing Service
- Our Mission: To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and educational performance, and support education and professional development for all people worldwide.
- Our Vision: To be recognized as the global leader in providing fair and valid assessments, research and related products and services to help individuals, parents, teachers, educational institutions, businesses, governments, countries, states and school districts, as well as measurement specialists and researchers.
- Our Values: Social responsibility, equity, opportunity, and quality. We practice these values by listening to educators, parents and critics. We learn what students and the institutions they attend need. We lead in the development of products and services to help teachers teach, students learn and parents measure the intellectual progress of their children.
Today's agenda
- Why pursue a standard?
- What is BS 25999?
- What is the process?
- What did we learn?
Corporate Strategy
- "An effective corporate strategy will systematically improve the probability of success." - Paul Almeida, Ph.D., Georgetown University
- Enterprise Resiliency supports the corporate strategy by establishing the capabilities and resources required to systematically mitigate and minimize the impact of a significant business interruption.
Why pursue a standard? Support the Corporate Strategy
- Establish and maintain trust; enhance and preserve the Brand
- Supply chain risk management
  - Critical vendors and suppliers may experience a disaster
  - What do we know about their resiliency?
- Competitive advantage: may increase or maintain margin vis-à-vis competition
  - Certified BCMS is a differentiator (RFI, RFP and Contract)
  - May reduce the burdens of internal and external audits from your key customers.
- SLA and scope expectation management
  - Key customer availability requirements may be vague
  - As DHS voluntary compliance percolates through the business community, there will be a "Wal-Mart effect"
Why pursue a standard? Compliance and Governance
- DHS voluntary mandate (Title IX)
- Various compliance requirements
  - Industry specific regulatory requirements
  - Periodic external financial control audits
  - Insurability audits
  - Independent client audits
- Common framework for communicating capabilities
  - Business development
  - Supply chain
  - Inter-company (parent and subs)
  - Integrated recovery planning and exercises (with subs, key suppliers and clients)
Why pursue a standard? Effective Risk Management
- Debt valuation and risk ratings
  - S&P (and Moody's)
  - Enterprise Risk Management (ERM) will be added as an element of all corporate ratings
  - Requires that a firm address all its risks
  - Operational risk is a critical element encompassing security, resilience, etc.
  - "...the extent to which companies are adopting standards, would bolster the view that management has a proactive culture and attitude towards risk. However it's too early ... to know what weight we'd place on that evidence."
  - Firms must show they are addressing risks in a systematic manner
- Tort Negligence: Industry standards inform prudent practice and affirmative defense.
  - '93 WTC bombing decision: Port Authority held more liable than terrorists (100M)
Why pursue a standard? Staff productivity
- Leverage program documentation and plan development and maintenance activities
- May reduce the burdens of responding to internal and external audits from your key customers.
- Training and knowledge transfer
  - Institutional knowledge
  - Legacy systems and processes
  - Hiring and staffing expectations
Regulations? Best Practices? Standards?
Regulations
- FFIEC: Federal Financial Institutions Examination Council
- OCC: Office of the Comptroller of the Currency
- SIRA: Security Industry Regulatory Authority
- SEC: Securities and Exchange Commission
- HIPAA: Health Insurance Portability and Accountability Act
- SOX: Sarbanes-Oxley
- FSA: Financial Services Authority (UK)
- MAS: Monetary Authority of Singapore
- Basel II: International, world's central banks
- Title IX, PL 110-53: Voluntary assessment against standard (tbd)
- Ratings agencies and other industry specific
Industry Best Practices
- DRII/BCI: Professional practices for Business Continuity Planners
- DRJ/DRII: Generally Accepted Practices (GAP)
- ASIS International: Preparedness and Continuity Management Best Practice Standard
- Basel Committee on Banking Supervision: High Level Principles for Business Continuity (2006)
- Local and peer level activities
Standards
- NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
- ISO/PAS 22399: Incident Preparedness and Continuity Management
- HB 292:2006: A practitioner's Guide to Business Continuity Management (Australia)
- CSA Z1600: Standard on Emergency Management and Business Continuity Programs (Canada)
- TR 19:2004: BCM Framework Technical Reference (Singapore)
- SI 24001:2007: Security and Continuity Management Systems (Israel)
Why BS 25999?
- Accepted Standard that establishes the process, principles and terminology of business continuity management
- BS 25999-1 Code of Practice: provides guidance and recommendations
- BS 25999-2 Detailed Specification: appears to meet or exceed the published DHS criteria
- Provides a non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities
- Current Enterprise Resiliency program aligned well to the standard
- Gaps were straightforward to implement
BS 25999 PDCA Cycle (figure)
Note: "shall" = "will"
BS 25999-2: Navigating the Standard
3. Planning the business continuity management system
BIA identifies critical business processes, applications and systems
- 3.2 Establishing and managing the BCMS
  - 3.2.1 Scope and objectives of the BCMS
    - shall identify key products and services
  - 3.2.2 BCM policy
    - shall be communicated to all persons working for or on behalf of the organization
  - 3.2.3 Provision of resources
    - shall determine and provide the resources needed
  - 3.2.4 Competency of BCM personnel
    - shall ensure that all personnel are competent...
    - e) maintain records of education, training, skills, experience and qualifications.
Employees, contractors, partners, etc.
People and
3. Planning the business continuity management system (cont'd)
- 3.3 Embedding BCM in the organization's culture
  - a) Raise, enhance and maintain awareness
  - b) Communicate to all employees the importance of
    - 1) meeting BCM objectives
    - 2) conforming to the BC policy and
    - 3) continual improvement and
  - c) Ensure that all employees are aware of how they contribute to the achievement of the organization's BC objectives
Must be able to demonstrate the communication was made and received
3. Planning the business continuity management system (cont'd)
Document management methods and tools
- 3.4.1 General (list of documentation covering aspects of the BCMS)
  - 3.4.1.1 shall have documentation (a-o)
  - 3.4.1.2 Records shall be established, maintained and controlled to provide evidence of the effective operation of the BCMS.
  - 3.4.1.3 Documented procedures shall be established in order to identify the controls over BCMS documentation and records.
Evidence needs to pertain to the BCMS being audited
3. Planning the business continuity management system (cont'd)
- 3.4.2 Control of BCMS records shall be established in order to
  - a) ensure that they remain legible, readily identifiable and retrievable and
  - b) provide for their identification, storage, protection and retrieval.
Integration with corporate records management, protection and retention PP
3. Planning the business continuity management system (cont'd)
- 3.4.3 Control of BCMS documentation shall be established to ensure that
  - a) documents are approved for adequacy prior to use
  - b) ...reviewed and updated as necessary and re-approved
  - c) changes and the current revision status are identified
  - d) relevant versions are available at points of use
  - e) documents of external origin are identified and controlled
  - f) the unintended use of obsolete documents is prevented; suitably identified if they are retained for any purpose
DBMS-based plan development and maintenance systems present a challenge
4. Implementing and operating the BCMS
Product and service level rather than Process and Activity
- 4.1.1 Business impact analysis: method for determining the impact of any disruption to key products and services
  - a) identify activities (key products and services)
  - b) ...impacts vary over time
  - c) maximum tolerable period of disruption
  - d) priority for recovery
  - e) dependencies (suppliers and outsource partners)
  - f) BCM arrangements in place for 3rd parties
  - g) RTO within the MTPD and
  - h) resources required for resumption
Be sure to understand this and align it with the BIA
4. Implementing and operating the BCMS (cont'd)
- 4.1.2 Risk assessment
  - 4.1.2.1 shall be a defined method that will enable the organization to understand the threats to its critical activities, including those provided by suppliers and outsource partners
  - 4.1.2.2 shall understand the impact if an identified threat became an incident and caused a business disruption.
- 4.1.3 Determining choices: shall identify available risk treatments that
  - a) reduce the likelihood of a disruption
  - b) shorten the period of disruption and
  - c) limit the impact on the key products and services
  - 4.1.3.2 choose and implement risk treatments in accordance with its level of risk acceptance
Management must state risk tolerance
4. Implementing and operating the BCMS (cont'd)
- 4.2 Determining business continuity strategy
  - a) define an incident response structure
  - b) determine how it will recover each critical activity within its RTO, the resources required for resumption and the products and services provided by suppliers and outsource partners, and
  - c) manage relationships with key stakeholders and external parties...
- 4.3 Developing and implementing a BCM response
  - 4.3.2 Incident response structure
  - 4.3.3 Business continuity plans and incident management plans (a-p)
    - b) be accessible to and understood by those who will use them
    - m) recording key information about the incident, actions taken and decisions made
    - p) prioritized objectives: critical activities to be recovered, the timescales and recovery levels needed for each critical activity
Be sure you know who may use them
4. Implementing and operating the BCMS (cont'd)
1/3 of arrangements (capabilities and plans) need to be exercised per year
- 4.4 Exercising, maintaining and reviewing BCM arrangements
  - 4.4.2 BCM exercising
    - a) consistent with scope of the BCMS
    - b) approved by top management, at planned intervals and when significant changes occur
    - c) a range of different exercises that taken together validate the whole of its BC arrangements
    - e-g) document each exercise
  - 4.4.3 Maintaining and reviewing BCM arrangements
    - 4.4.3.3 review of BCM arrangements shall be regular and conducted either through self-assessment or audit
    - 4.4.3.4 an incident that results in the invocation of the BCP or the IMP: a post-incident review shall be undertaken
      - a-e) After Action Review documentation
Do not confuse with the Internal Audit requirement
5. Monitoring and reviewing the BCMS
- 5.1 Internal Audit
  - Note: The internal audit is distinct from the self-assessment or audit in 4.4.3.3
  - 5.1.1 ...ensure that internal audits of the BCMS are conducted at planned intervals
    - a) 1) conforms to planned arrangements for BCM, including the requirements of this BCM standard and
  - 5.1.2 audit programme(s) shall be planned, taking into account the BIA, risk assessment, control and mitigation measures and the results of previous audits
  - 5.1.4 Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process
- 5.2 Management review of the BCMS
  - 5.2.2 Review input
    - a-m) CAPA, ...residual risk, threats not adequately addressed, ...
  - 5.2.3 Review output
    - a-e) decisions and actions related to changes of the BCMS, resources and funding
Does not have to be external resources
6. Maintaining and improving the BCMS
Actions regarding the BCMS
- 6.1 Preventive and corrective actions
  - 6.1.1.1 ...improve the BCMS through the application of preventive and corrective actions.
  - 6.1.2 Preventive action: guard against potential nonconformities
    - a-g) priority of preventive actions based on the results of the risk assessment and the BIA
  - 6.1.3 Corrective action: eliminate the cause of nonconformities
    - a-f) determining and implementing the corrective action needed
- 6.2 Continual improvement
  - ...continually improve the effectiveness of the BCMS through the review of the business continuity policy and objectives, audit results, analysis of monitored events, preventive and corrective actions, and management review.
BS 25999-2 Certification Process (flow diagram)
Phases: Standard (Criteria), Assessment (Evidence), Certification
Steps in order: Research, Self-assessment, Pre-assessment, Stage 1 audit, Stage 2 audit, Remediation, Surveillance
Objectives shown: Demonstrate compliance with specification; Address any non-conformities; Refresh program; Demonstrate on-going compliance with specification
Inputs and activities shown: Industry practices; Peer discussion; Online self assessment; Part 1 Code of practice; Part 2 Specification; Review Policy and SOP; Risk Assessments and Internal Audit; Review BIA, BCP, TDRPs and ERP
BS 25999-2 Certification Timeline (flow diagram)
Phases: Standard (Criteria): 4 months (4/08 to 8/08); Assessment (Evidence): 7 months (9/08 to 4/09); Certification: 2 months, annual recurring
Steps: Research, Self-assessment, Pre-assessment, Stage 1 audit, Stage 2 audit, Remediation, Surveillance
Step durations shown: 3 months; 10 days; 2 days; 2 days; 6 weeks; 1 month; 2 days
Lessons Learned
- A really good and effective BC program does not necessarily meet the standard.
- Learn "standards speak"
  - "shall" = "will"
- Do what you say you do; write it down!
- BC/DR planning software may introduce a document management gap
- Internal Audit is not an Internal Audit
- Understand the Maximum Tolerable Period of Disruption (MTPD) in relationship to the BIA and recovery arrangements
- Risk Assessment must be part of your program
- CAPA isn't an Italian cold cut
- Light on the Technology aspects of recovery planning
- Dot the i's and cross the t's; the devil is in the details!
D1: BS 25999 A Case Study
QUESTIONS?
Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service