1
D1 BS25999: A Case Study
Monday, April 27, 2009
Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service
2
Educational Testing Service
  • Our Mission: To advance quality and equity in
    education by providing fair and valid
    assessments, research and related services. Our
    products and services measure knowledge and
    skills, promote learning and educational
    performance, and support education and
    professional development for all people
    worldwide.
  • Our Vision: To be recognized as the global leader
    in providing fair and valid assessments, research
    and related products and services to help
    individuals, parents, teachers, educational
    institutions, businesses, governments, countries,
    states and school districts, as well as
    measurement specialists and researchers.
  • Our Values: Social responsibility, equity,
    opportunity, and quality. We practice these
    values by listening to educators, parents and
    critics. We learn what students and the
    institutions they attend need. We lead in the
    development of products and services to help
    teachers teach, students learn and parents
    measure the intellectual progress of their
    children.
3
Today's agenda
  • Why pursue a standard?
  • What is BS 25999?
  • What is the process?
  • What did we learn?

4
Corporate Strategy
  • "An effective corporate strategy will
    systematically improve the probability of
    success." Paul Almeida, Ph.D., Georgetown
    University
  • Enterprise Resiliency supports the corporate
    strategy by establishing the capabilities and
    resources required to systematically mitigate and
    minimize the impact of a significant business
    interruption.

5
Why pursue a standard? Support the Corporate
Strategy
  • Establish and maintain trust; enhance and
    preserve the brand
  • Supply chain risk management
      • Critical vendors and suppliers may experience a
        disaster
      • What do we know about their resiliency?
  • Competitive advantage: may increase or maintain
    margin vis-à-vis the competition
      • A certified BCMS is a differentiator (RFI, RFP and
        contract)
      • May reduce the burden of internal and external
        audits from your key customers
  • SLA and scope expectation management
      • Key customer availability requirements may be
        vague
      • As DHS voluntary compliance percolates through
        the business community, there will be a
        "Wal-Mart effect"

6
Why pursue a standard? Compliance and Governance
  • DHS voluntary mandate (Title IX)
  • Various compliance requirements
      • Industry-specific regulatory requirements
      • Periodic external financial control audits
      • Insurability audits
      • Independent client audits
  • Common framework for communicating capabilities
      • Business development
      • Supply chain
      • Inter-company (parent and subsidiaries)
      • Integrated recovery planning and exercises (with
        subsidiaries, key suppliers and clients)

7
Why pursue a standard? Effective Risk Management
  • Debt valuation and risk ratings
      • S&P (and Moody's)
      • Enterprise Risk Management (ERM) will be added as
        an element of all corporate ratings
      • Requires that a firm address all its risks
      • Operational risk is a critical element
        encompassing security, resilience, etc.
      • "...the extent to which companies are adopting
        standards would bolster the view that
        management has a proactive culture and attitude
        towards risk. However, it's too early ... to know
        what weight we'd place on that evidence."
      • Firms must show they are addressing risks in a
        systematic manner
  • Tort negligence: industry standards inform
    prudent practice and affirmative defense
      • '93 WTC bombing decision: Port Authority held
        more liable than terrorists (100M)

8
Why pursue a standard? Staff productivity
  • Leverage program documentation and plan
    development and maintenance activities
  • May reduce the burden of responding to internal
    and external audits from your key customers
  • Training and knowledge transfer
      • Institutional knowledge
      • Legacy systems and processes
      • Hiring and staffing expectations

9
Regulations? Best Practices? Standards?
10
Regulations
  • FFIEC: Federal Financial Institutions
    Examination Council
  • OCC: Office of the Comptroller of the Currency
  • SIRA: Security Industry Regulatory Authority
  • SEC: Securities and Exchange Commission
  • HIPAA: Health Insurance Portability and
    Accountability Act
  • SOX: Sarbanes-Oxley
  • FSA: Financial Services Authority (UK)
  • MAS: Monetary Authority of Singapore
  • Basel II: international (the world's central banks)
  • Title IX, PL 110-53: voluntary assessment
    against a standard (tbd)
  • Ratings agencies and ... other industry-specific

11
Industry Best Practices
  • DRII/BCI: Professional Practices for Business
    Continuity Planners
  • DRJ/DRII: Generally Accepted Practices (GAP)
  • ASIS International: Preparedness and Continuity
    Management Best Practice Standard
  • Basel Committee on Banking Supervision: High
    Level Principles for Business Continuity (2006)
  • Local and peer-level activities

12
Standards
  • NFPA 1600: Standard on Disaster/Emergency
    Management and Business Continuity Programs
  • ISO/PAS 22399: Incident Preparedness and
    Continuity Management
  • HB 292:2006: A Practitioner's Guide to Business
    Continuity Management (Australia)
  • CSA Z1600: Standard on Emergency Management and
    Business Continuity Programs (Canada)
  • TR 19:2004: BCM Framework Technical Reference
    (Singapore)
  • SI 24001:2007: Security and Continuity Management
    Systems (Israel)

13
Why BS 25999?
  • An accepted standard that establishes the process,
    principles and terminology of business continuity
    management
      • BS 25999-1 Code of Practice: provides guidance
        and recommendations
      • BS 25999-2 Detailed Specification: appears to
        meet or exceed the published DHS criteria
  • Provides a non-prescriptive, generic model to
    follow in creating and maintaining preparedness
    processes and activities
  • The current Enterprise Resiliency program aligned
    well to the standard
      • Closing the gaps was straightforward

14
BS25999 PDCA Cycle (Plan-Do-Check-Act diagram)
Note: "shall" vs. "will"
15
BS 25999-2: Navigating the Standard
16
3. Planning the business continuity management
system
  • 3.2 Establishing and managing the BCMS
      • 3.2.1 Scope and objectives of the BCMS: ...shall
        identify key products and services
      • 3.2.2 BCM policy: ...shall be communicated to all
        persons working for or on behalf of the
        organization
      • 3.2.3 Provision of resources: ...shall determine
        and provide the resources needed
      • 3.2.4 Competency of BCM personnel: ...shall ensure
        that all personnel are competent...
          • e) maintain records of education, training,
            skills, experience and qualifications

Notes: The BIA identifies critical business processes,
applications and systems. People and ... (employees,
contractors, partners, etc.)
17
3. Planning the business continuity management
system (contd)
  • 3.3 Embedding BCM in the organization's culture
      • a) Raise, enhance and maintain awareness
      • b) Communicate to all employees the importance
        of
          • 1) meeting BCM objectives,
          • 2) conforming to the BC policy, and
          • 3) continual improvement, and
      • c) Ensure that all employees are aware of how
        they contribute to the achievement of the
        organization's BC objectives

Note: You must be able to demonstrate that the
communication was made and received.
18
3. Planning the business continuity management
system (contd)
  • 3.4.1 General (list of documentation covering
    aspects of the BCMS)
      • 3.4.1.1 ...shall have documentation (a to o)
      • 3.4.1.2 Records shall be established,
        maintained and controlled to provide evidence of
        the effective operation of the BCMS.
      • 3.4.1.3 Documented procedures shall be
        established in order to identify the controls
        over BCMS documentation and records.

Notes: Document management methods and tools.
Evidence needs to pertain to the BCMS being
audited.
19
3. Planning the business continuity management
system (contd)
  • 3.4.2 Control of BCMS records shall be
    established in order to
      • a) ensure that they remain legible, readily
        identifiable and retrievable, and
      • b) provide for their identification, storage,
        protection and retrieval.

Note: Integration with corporate records management,
protection and retention P&P
20
3. Planning the business continuity management
system (contd)
  • 3.4.3 Control of BCMS documentation shall be
    established to ensure that
      • a) documents are approved for adequacy prior to
        use,
      • b) ...reviewed and updated as necessary and
        re-approved,
      • c) changes and the current revision status
        are identified,
      • d) relevant versions are available at points
        of use,
      • e) documents of external origin are identified
        and controlled, and
      • f) the unintended use of obsolete documents is
        prevented, and they are suitably identified if
        retained for any purpose

Note: DBMS-based plan development and maintenance
systems present a challenge.
21
4. Implementing and operating the BCMS
  • 4.1.1 Business impact analysis: method for
    determining the impact of any disruption to key
    products and services
      • a) identify activities: key products and
        services
      • b) ...impacts vary over time
      • c) maximum tolerable period of disruption (MTPD)
      • d) priority for recovery
      • e) dependencies: suppliers and outsource
        partners
      • f) BCM arrangements in place for 3rd parties
      • g) RTO within the MTPD, and
      • h) resources required for resumption

Notes: Product and service level rather than process
and activity. Be sure to understand this and align it
with the BIA.
22
4. Implementing and operating the BCMS (contd)
  • 4.1.2 Risk assessment
      • 4.1.2.1 ...shall be a defined method that
        will enable the organization to understand the
        threats to its critical activities, including
        those provided by suppliers and outsource
        partners
      • 4.1.2.2 ...shall understand the impact if an
        identified threat became an incident and caused a
        business disruption.
  • 4.1.3 Determining choices: ...shall identify
    available risk treatments that
      • a) reduce the likelihood of a disruption,
      • b) shorten the period of disruption, and
      • c) limit the impact on the key products and
        services
      • 4.1.3.2 ...choose and implement risk
        treatments in accordance with its level of risk
        acceptance

Note: Management must state its risk tolerance.
23
4. Implementing and operating the BCMS (contd)
  • 4.2 Determining business continuity strategy
      • a) define an incident response structure
      • b) determine how it will recover each critical
        activity within its RTO, the resources required
        for resumption and the products and services
        provided by suppliers and outsource partners, and
      • c) manage relationships with key stakeholders
        and external parties...
  • 4.3 Developing and implementing a BCM response
      • 4.3.2 Incident response structure
      • 4.3.3 Business continuity plans and incident
        management plans (a to p)
          • b) be accessible to and understood by those who
            will use them
          • m) recording key information about the
            incident, actions taken and decisions made
          • p) prioritized objectives: critical activities
            to be recovered, the timescales and recovery
            levels needed for each critical activity

Note: Be sure you know who may use them.
24
4. Implementing and operating the BCMS (contd)
  • 4.4 Exercising, maintaining and reviewing BCM
    arrangements
      • 4.4.2 BCM exercising
          • a) consistent with the scope of the BCMS
          • b) approved by top management, at planned
            intervals and when significant changes occur
          • c) a range of different exercises that taken
            together validate the whole of its BC
            arrangements
          • e) to g) document each exercise
      • 4.4.3 Maintaining and reviewing BCM arrangements
          • 4.4.3.3 review of BCM arrangements shall be
            regular and conducted either through
            self-assessment or audit
          • 4.4.3.4 ...an incident that results in the
            invocation of the BCP or the IMP, a post-incident
            review shall be undertaken
              • a) to e) After Action Review documentation

Notes: One third of the arrangements (capabilities and
plans) need to be exercised per year. Do not confuse
the self-assessment or audit in 4.4.3.3 with the
Internal Audit requirement.
25
5. Monitoring and reviewing the BCMS
  • 5.1 Internal Audit
      • Note: The internal audit is distinct from the
        self-assessment or audit in 4.4.3.3
      • 5.1.1 ...ensure that internal audits of the BCMS
        are conducted at planned intervals
          • a) 1) conforms to planned arrangements for BCM,
            including the requirements of this BCM standard,
            and
      • 5.1.2 audit programme(s) shall be planned,
        taking into account the BIA, risk assessment,
        control and mitigation measures and the results
        of previous audits
      • 5.1.4 Selection of auditors and conduct of
        audits shall ensure objectivity and the
        impartiality of the audit process
  • 5.2 Management review of the BCMS
      • 5.2.2 Review input
          • a) to m) CAPA, ...residual risk, threats not
            adequately addressed, ...
      • 5.2.3 Review output
          • a) to e) decisions and actions related to changes
            of the BCMS, resources and funding

Note: The internal audit does not have to be performed
by external resources.
26
6. Maintaining and improving the BCMS
Actions regarding the BCMS:
  • 6.1 Preventive and corrective actions
      • 6.1.1.1 ...improve the BCMS through the
        application of preventive and corrective actions.
      • 6.1.2 Preventive action: guard against potential
        nonconformities
          • a) to g) priority of preventive actions based on
            the results of the risk assessment and the BIA
      • 6.1.3 Corrective action: eliminate the cause of
        nonconformities
          • a) to f) determining and implementing the
            corrective action needed
  • 6.2 Continual improvement
      • ...continually improve the effectiveness of the
        BCMS through the review of the business
        continuity policy and objectives, audit results,
        analysis of monitored events, preventive and
        corrective actions, and management review.

27
BS25999-2 Certification Process (flow diagram; labels
recovered from the slide)
  • Phase headers: Standard (Criteria); Assessment
    (Evidence); Certification
  • Steps: Research; Self-assessment; Pre-assessment;
    Stage 1 audit; Stage 2 audit; Remediation;
    Surveillance
  • Captions: Demonstrate compliance with the
    specification; Address any non-conformities, refresh
    program; Demonstrate on-going compliance with the
    specification
  • Inputs and reviews: Industry practices, peer
    discussion, online self-assessment, Part 1 Code of
    Practice, Part 2 Specification; Review policy and
    SOP, risk assessments and internal audit; Review
    BIA, BCP, TDRPs and ERP
Surveillance
28
BS25999-2 Certification Timeline (timeline diagram;
labels recovered from the slide)
  • Phase headers: Standard (Criteria); Assessment
    (Evidence); Certification
  • Steps: Research; Self-assessment; Pre-assessment;
    Stage 1 audit; Stage 2 audit; Remediation;
    Surveillance
  • Durations shown (their placement on the timeline is
    not recoverable from the transcript): 4 months
    (4/08 to 8/08); 7 months (9/08 to 4/09); 2 months,
    annual recurring; 3 months; 1 month; 6 weeks;
    10 days; 2 days; 2 days; 2 days
29
Lessons Learned
  • A really good and effective BC program does not
    necessarily meet the standard.
  • Learn "standards speak"
      • "shall" vs. "will"
  • Do what you say you do: write it down!
  • BC/DR planning software may introduce a document
    management gap
  • Internal Audit is not an Internal Audit
  • Understand the Maximum Tolerable Period of
    Disruption (MTPD) in relationship to the BIA and
    recovery arrangements
  • Risk Assessment must be part of your program
  • CAPA isn't an Italian cold cut
  • The standard is light on the technology aspects of
    recovery planning
  • Dot the i's and cross the t's: the devil is in
    the details!

30
D1 BS25999: A Case Study
QUESTIONS?
Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service