Regulations, Best Practices and Standards - PowerPoint PPT Presentation

Description:

... Information and Communications Technology for Disaster ... BS 25777 introduced Code of Practice for Information and Communications Technology Continuity ... – PowerPoint PPT presentation

Slides: 30
Provided by: eaglerock
Transcript and Presenter's Notes

1
Regulations, Best Practices and Standards
  • An Overview and Case Study for Putting it to
    Work in Your Organization

Flagg Management Conference, March 17, 2009, 3:10 P.M.
Tom Martin tmartin@era-1.com
Tim Mathews tmathews@ets.org
Karen Hughes khughes@ansi.org
2
Level-Setting Definitions
Regulations (Source: Georgetown Law School): A
type of "delegated legislation" promulgated by a
state, federal or local administrative agency
given authority to do so by the appropriate
legislature. Regulations generally are very
specific in nature; they are also referred to as
"rules" or simply "administrative law."
Best Practices (Source: BusinessDictionary.com):
Methods and techniques that have consistently
shown results superior to those achieved with
other means, and which are used as benchmarks to
strive for. There is, however, no practice that is
best for everyone or in every situation, and no
best practice remains best for very long as people
keep on finding better ways of doing things.
Standards (Source: International Standards
Organization - ISO): Documented agreements
containing technical specifications or other
precise criteria to be used consistently as
rules, guidelines or definitions of
characteristics, to ensure that materials,
products, processes and services are fit for
their purpose.
3
Regulations, Best Practices & Standards
  • Regulatory (US)
    • FFIEC - Federal Financial Institutions
      Examination Council
    • OCC - Office of the Comptroller of the Currency
    • FINRA - The Financial Industry Regulatory
      Authority
    • SEC - Securities and Exchange Commission
    • HIPAA - Health Insurance Portability and
      Accountability Act
    • SOX - Sarbanes-Oxley
    • Others
  • Regulatory (International)
    • FSA - Financial Services Authority (UK)
    • MAS - Monetary Authority of Singapore
    • Basel II - G10 Countries (Basel, Switzerland,
      June 2004)

4
Regulations, Best Practices & Standards
  • Best Practices
    • ASIS International - Preparedness and Continuity
      Management Best Practice Standard
    • DRII/BCI - Professional Practices for Business
      Continuity Planners
    • BCI - The BCI Good Practice Guidelines 2007
      (United Kingdom)
    • DRJ/DRII - Generally Accepted Practices (GAP)
    • Basel Committee on Banking Supervision - High
      Level Principles for Business Continuity (2006)

5
Regulations, Best Practices & Standards
  • Standards
    • NFPA 1600 - Standard on Disaster/Emergency
      Management and Business Continuity Programs
      (ANSI/US)
    • BS 25999 - Business Continuity Management
      (BSI/UK)
      • -1 Code of Practice
      • -2 Specification
    • ISO/PAS 22399 - Incident Preparedness and
      Continuity Management (ISO/International)
    • Title IX PL 110-53 - Voluntary Certification
      against yet-to-be-announced Standards (US)
    • ISO 24762 - Guide for Information and
      Communications Technology for Disaster Recovery
      (ISO/International)
    • HB 292:2006 - A Practitioner's Guide to Business
      Continuity Management (Australia)
    • CSA Z1600 - Standard on Emergency Management and
      Business Continuity Programs (Canada)
    • TR19:2004 - BCM Framework Technical Reference
      (Singapore)
    • SI 24001:2007 - Security and Continuity
      Management Systems (Israel)

6
Recent Events
  • July 2008
    • Repligen Corp. (biopharmaceutical) becomes the
      first US firm to be certified in BS 25999
    • BSI Certification Status
      • 22 firms certified worldwide
      • 160 active applications
    • S&P announced they will enhance their ratings
      process for nonfinancial companies through an
      enterprise risk management review (creating a
      more systematic framework for an inherently
      subjective topic)
  • August 2008
    • BS 25777 introduced Code of Practice for
      Information and Communications Technology
      Continuity
      • Similar to ISO 24762 Guide for ICT and DR
    • DHS signed agreement with ANSI-ASQ National
      Accreditation Board (ANAB) to establish and
      oversee the implementation and accreditation of
      Title IX

7
Recent Events (cont'd)
  • August 2008 (cont'd)
    • ASIS announces plans for a new US Business
      Continuity and Risk standard
      • Solicits the support of the ANSI organization
      • ASIS is an ANSI-accredited Standards
        Development Organization (SDO)
      • DRII protests and rallies others to do the same
    • Carnegie Mellon CERT Resiliency Framework Code
      of Practice Standards Crosswalk (11 standards)
      published
  • October 2008
    • ANSI Homeland Security Standards Panel discussion
      • Subject was Public Law 110-53 Title IX voluntary
        standards
    • ASIS hosted stakeholder deliberation meeting and
      then re-affirmed its direction in developing a new
      ANSI standard

8
Recent Events (cont'd)
  • October 2008 (cont'd)
    • Singapore (SPRING) launches new certifiable
      standard SS540, which replaces TR19:2004
  • January 2009
    • NFPA issues 2010 version of NFPA 1600 for public
      comment
    • ASIS International holds joint working group
      meeting to outline new US standard based largely
      on BS 25999
    • 1st public feedback session on Title IX sponsored
      by the DHS
    • The Business Continuity Institute announced the
      release of an updated version of its business
      continuity Good Practice Guidelines, designated
      as GPG2008-2
  • February 2009
    • 2nd public feedback session on Title IX sponsored
      by the DHS

Work Continues
9
BS25999: A Case Study
Tuesday, March 17, 2009
Tim Mathews, Director, Enterprise Resiliency,
Educational Testing Service
10
Educational Testing Service
  • Our Mission: To advance quality and equity in
    education by providing fair and valid
    assessments, research and related services. Our
    products and services measure knowledge and
    skills, promote learning and educational
    performance, and support education and
    professional development for all people
    worldwide.
  • Our Vision: To be recognized as the global leader
    in providing fair and valid assessments, research
    and related products and services to help
    individuals, parents, teachers, educational
    institutions, businesses, governments, countries,
    states and school districts, as well as
    measurement specialists and researchers.
  • Our Values: Social responsibility, equity,
    opportunity, and quality. We practice these
    values by listening to educators, parents and
    critics. We learn what students and the
    institutions they attend need.

We lead in the development of products and
services to help teachers teach, students learn
and parents measure the intellectual progress of
their children.
11
Today's agenda
  • Why pursue a standard?
  • Why BS 25999?
  • What is the process?
  • What have we learned?

12
Why pursue a standard? Support the Corporate
Strategy
  • Establish and maintain trust; enhance and
    preserve the Brand
  • Supply chain risk management
    • Critical vendors and suppliers may experience a
      disaster
    • What do we know about their resiliency?
  • Competitive advantage: may increase or maintain
    margin vis-à-vis competition
    • Certified BCMS is a differentiator (RFI, RFP and
      Contract)
    • May reduce the burdens of internal and external
      audits from your key customers
  • SLA and scope expectation management
    • Key customers are vague
    • As DHS voluntary compliance percolates through
      the business community, there will be a
      Wal-Mart effect
  • Training and knowledge transfer

13
Why pursue a standard? Effective Risk Management
  • Debt valuation and risk ratings
    • S&P (and Moody's)
      • Enterprise Risk Management (ERM) will be added
        as an element of all corporate ratings
      • Requires that a firm address all its risks
      • Operational risk is a critical element
        encompassing security, resilience, etc.
      • "...the extent to which companies are adopting
        standards would bolster the view that
        management has a proactive culture and attitude
        towards risk. However, it's too early ... to
        know what weight we'd place on that evidence."
    • Firms must show they are addressing risks in a
      systematic manner
  • Tort / Negligence: industry standards inform
    prudent practice and affirmative defense
    • '93 WTC bombing decision: Port Authority held
      more liable than terrorists (100M)

14
Why pursue a standard? Compliance and Governance
  • DHS voluntary mandate - Title IX
  • Various compliance requirements
    • Regulatory
    • Periodic external financial control audits
    • Insurability audits
    • Independent client audits
  • Common framework for communication of
    capabilities
    • Business development
    • Supply chain
    • Inter-company (parent and subs)
  • Integrated recovery planning and exercises (with
    subs, key suppliers and clients)
    • Leverage plan development and maintenance
      activities

15
Why BS 25999?
  • Accepted standard that establishes the process,
    principles and terminology of business continuity
    management (BCM)
    • BS 25999-1 Code of Practice provides guidance
      and recommendations
    • BS 25999-2 Detailed Specification appears to
      meet or exceed the published DHS criteria
  • Provides a non-prescriptive, generic model to
    follow in creating and maintaining preparedness
    processes and activities
  • ETS Enterprise Resiliency program aligned well to
    the standard
    • Gaps were straightforward to implement

16
BS25999-2 Certification Process
(Process diagram on the original slide; its three
phases and their steps are listed here in flow order.)

Standard (Criteria)
  • Research
  • Self-assessment
  • Pre-assessment
  • Inputs: industry practices, peer discussion,
    online self-assessment, Part 1 Code of Practice,
    Part 2 Specification
Assessment (Evidence): demonstrate compliance with
the specification
  • Stage 1 audit
  • Stage 2 audit
  • Audits review Policy and SOP, Risk Assessments and
    Internal Audit; BIA, BCP, TDRPs and ERP
  • Remediation: address any non-conformities, refresh
    program
Certification: demonstrate on-going compliance with
the specification
  • Surveillance
17
BS25999-2 Certification Timeline
(Timeline diagram on the original slide; only the
phase-level durations can be recovered with
confidence.)

Standard (Criteria) - Research, Self-assessment,
Pre-assessment: 4 months (4/08 - 8/08)
Assessment (Evidence) - Stage 1 audit, Stage 2 audit,
Remediation: 7 months (9/08 - 4/09)
Certification - Surveillance: 2 months, then annual
recurring
Individual step durations shown on the slide:
3 months, 1 month, 6 weeks, 10 days, 2 days, 2 days,
2 days
18
Lessons Learned
  • A really good and effective BC program does not
    necessarily meet the standard.
  • Learn "standards speak"
    • shall vs. will
  • Do what you say you do; write it down!
  • BC/DR planning software may introduce a document
    management gap
  • "Internal Audit" is not an internal audit
  • You cannot dance around the Maximum Tolerable
    Period of Disruption (MTOTB)
  • Risk Assessment must be part of your program
  • Who needs a CAPA?
  • Light on the technology aspects of recovery
    planning
  • Dot the i's and cross the t's; the devil is in
    the details!

19
Flagg Management Conference
Presented by Karen Hughes, Director of Homeland
Security Standards, March 17, 2009
20
Agenda
  • ANSI-HSSP Overview
  • Title IX Program
  • Trajectory of ISO/PAS 22399
  • Business Case for Certification

21
ANSI Homeland Security Standards Panel (ANSI-HSSP)
  • Mission
    • Identify and facilitate the development and
      enhancement of homeland security standards
    • Serve as a private/public sector partnership for
      standards issues that cut across sectors
    • Provide a forum for information sharing on
      homeland security standards issues, as well as
      the overall standards development and conformity
      assessment processes
    • Facilitate dialogue and networking on key issues
      for homeland security stakeholders

22
Voluntary Private Sector Preparedness
Accreditation & Certification Program
  • Goal: Improve private sector preparedness in
    disaster management, emergency management, and
    business continuity to enhance nationwide
    resilience in an all-hazards environment
  • Background: Mandated by the Implementing
    Recommendations of the 9/11 Commission Act of
    2007 to establish a common set of criteria for
    private sector preparedness

23
Voluntary Private Sector Preparedness
Accreditation & Certification Program
  • Key Guiding Principles
    • Participation is voluntary
    • Provide method to independently certify
      preparedness of private sector entities
    • Administered by non-government entity (ANAB)
    • DHS designation of one or more standards to be
      used in assessing private sector preparedness
    • Incorporate existing regulatory requirements and
      existing efforts
    • Certification of private sector entities will be
      performed by non-government certifying bodies

24
Voluntary Private Sector Preparedness
Accreditation & Certification Program
  • Possible Standards
    • International
      • ISO 22399
      • ISO 22301
    • National
      • NFPA 1600 (USA)
      • BS 25999 (UK)
      • CSA Z1600 (Canada)

25
ISO/PAS 22399:2007
  • ISO/TC 223 Societal Security
  • Scope
    • International standardization in the area of
      societal security, aimed at increasing crisis
      management and business continuity capabilities
      amongst all interested parties.
  • Structure
    • WG 1 - Framework standard on societal security
      management
    • WG 2 - Terminology
    • WG 3 - Command and control, coordination and
      cooperation
    • WG 4 - Preparedness and continuity
  • Membership
    • Participating countries: 37
    • Observing countries: 17

26
ISO/PAS 22399:2007
  • ISO/TC 223 Work Program
    • ISO/PAS 22399:2007 - Societal security:
      Guideline for incident preparedness and
      operational continuity management
  • Next Steps
    • Development of ISO 22301, a management system
      standard focused on preparedness and continuity
      management
    • Conversion of ISO 22399 from PAS to Draft
      International Standard as a guide to ISO 22301

27
InterCEP
  • International Center for Enterprise Preparedness
  • Catalyst focused on Private Sector Preparedness
    and Corporate Resilience
  • Working Groups
    • Supply Chain Management
    • Legal Liability Mitigation
    • Insurance Acknowledgement
    • Rating Agency Acknowledgement
  • Online Clearinghouse of information

28
Business Case for Certification
  • According to the Institute for Business & Home
    Safety, an estimated 25% of businesses do not
    reopen following a major disaster.
  • Compliance with preparedness standards can:
    • Minimize impact of business disruptions
    • Reduce overall costs
    • Enhance corporate reputation
    • Employee protection
  • Link between good practice/standards (what to do)
    and benefits (why to do it)

29
Further Information
  • For additional information about:
    • ANSI: www.ansi.org/hssp
    • ANAB: www.anab.org
    • InterCEP: www.nyu.edu/intercep
    • PS-Prep: www.fema.gov/business/certification/index.htm
    • ISO: www.iso.org
    • HSSD: www.hssd.us/
  • Questions can be directed to:
    Karen Hughes
    Program Director, Homeland Security Standards
    (khughes@ansi.org, 212-642-4992)