
Regulations, Best Practices and Standards

Regulations, Best Practices and Standards: How do Current Standards Measure Up? ACP Garden State Chapter, April 2, 2009. Tom Martin, tmartin@eaglerockalliance.com. Agenda: review of regulations, best practices and standards; review of recent events; specific focus on BS 25999 and NFPA1600.


Presentation Transcript


  1. Regulations, Best Practices and Standards
     How do Current Standards Measure Up?
     ACP Garden State Chapter, April 2, 2009
     Tom Martin, tmartin@eaglerockalliance.com

  2. Agenda
     • Review of Regulations, Best Practices & Standards
     • Review of Recent Events
     • Specific Focus on BS 25999 & NFPA1600
     • Compare & Contrast the Two Standards
     • How to Quantify a Standards Assessment?

  3. Level Setting Definitions
     • Regulations (Source: Georgetown Law School): A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."
     • Best Practices (Source: BusinessDictionary.com): Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things.
     • Standards (Source: International Standards Organization - ISO): Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

  4. How Do Companies Measure the Performance of their BCM Program today?
     • 71.7% Business Continuity Plan Exercises
     • 51.8% Audit Findings
     • 31.8% Benchmarking to Industry Norms
     • 30.6% Metrics Program
     • 22.7% Performance Reviews
     • 16.6% Technology Recovery Test Results
     • 15.1% Maturity Modeling
     • 14% We do not Measure BCM Performance
     • 13.8% Service Level Monitoring
     • 8.7% Review of Program Capabilities vs. Standards
     Source: 2008 CI/KPMG BCM Benchmark Survey

  5. Regulations, Best Practices & Standards
     • Regulatory (US)
       • FFIEC - Federal Financial Institutions Examination Council
       • OCC - Office of the Comptroller of the Currency
       • FINRA - The Financial Industry Regulatory Authority
       • SEC - Securities and Exchange Commission
       • HIPAA - Health Insurance Portability and Accountability Act
       • SOX - Sarbanes-Oxley
       • + Others
     • Regulatory (International)
       • FSA - Financial Services Authority (UK)
       • MAS - Monetary Authority of Singapore
       • Basel II – G10 Countries (Basel, Switzerland – June 2004)
     National regulators indicated they were to implement Basel II, in some form or another, by 2015. Basel II attempts to regulate how much capital banks must set aside to guard against the financial and operational risks they face. It does so by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital reserves appropriate to the risk it takes on through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.

  6. Regulations, Best Practices & Standards
     • Best Practices
       • ASIS International - Preparedness & Continuity Management Best Practice Standard
       • DRII/BCI - Professional Practices for Business Continuity Planners
       • BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
       • DRJ/DRII - Generally Accepted Practices (GAP)
       • Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)

  7. Regulations, Best Practices & Standards
     • Standards
       • NFPA1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
       • BS 25999 - Business Continuity Management (BSI/UK)
         • -1 Code of Practice
         • -2 Specification
       • CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada)
       • HB 292:2006 - A Practitioner's Guide to Business Continuity Management (Australia)
       • TR19:2004 - BCM Framework & Technical Reference (Singapore)
       • SI 24001:2007 - Security & Continuity Management Systems (Israel)
       • ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International)
       • ISO 24762 – Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
       • Title IX – PL 110-53 - Voluntary Certification against yet-to-be-announced Standards (US)

  8. Recent Events
     • July 2008
       • Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999
       • BSI Certification Status
         • 22 firms certified worldwide
         • 160 active applications
       • Standard & Poor's announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)
     • August 2008
       • BS 25777 introduced – Code of Practice for Information and Communications Technology Continuity
         • Similar to ISO 24762 – Guide for ICT and DR
       • DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) – to establish and oversee the implementation and accreditation of Title IX

  9. Recent Events (cont'd)
     • August 2008 (cont'd)
       • ASIS announces plans for a new US Business Continuity and Risk standard
         • Solicits the support of the ANSI organization
         • ASIS is an ANSI accredited Standards Development Organization (SDO)
         • DRII protests and rallies others to do the same
       • Carnegie Mellon – CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published
     • October 2008
       • ANSI & Homeland Security Standards Panel discussion
         • Subject was Public Law 110-53 Title IX voluntary standards
         • DHS draft on criteria to be evaluated in standards selection
       • ASIS hosted stakeholder deliberation meeting and then re-affirmed its direction in developing a new ANSI standard

  10. Recent Events (cont'd)
     • October 2008 (cont'd)
       • Singapore (SPRING) launches new certifiable standard SS540, which replaces TR 19:2004
     • January 2009
       • NFPA issues 2010 version of NFPA1600 for public comment
       • ASIS International holds joint working group meeting to outline new US standard based largely on BS 25999
       • 1st public feedback session on Title IX sponsored by the DHS
       • The Business Continuity Institute (BCI) announced the release of an updated version of its business continuity Good Practice Guidelines, designated GPG2008-2
     • February 2009
       • 2nd public feedback session on Title IX sponsored by the DHS
     Work Continues

  11. BS 25999 & NFPA1600 Comparison

                          NFPA1600                      BS 25999
     History              17 year history               7 year history (PAS 56)
     Versions             2007 update / 2010 draft      2006-07 releases
     Issuing body         ANSI Standard (US)            BSI Standard (UK)
     Certifiable          Not currently certifiable     Certifiable
     Structure            Non-ISO structure             Follows ISO structure
     Element groupings    16                            11
     Detail points        ~112                          ~156
     Availability         Available for free            Available for cost
     Length               4 pages                       12 pages (specification)

  12. Key Differences
     • NFPA1600
       • Component/Task Focus
       • More Reactive in Nature
       • Flow Applicable to Mitigation/Preparedness/Response/Recovery
       • Strong on Emergency Planning & Response
     • BS 25999
       • Process/System Focus
       • More Proactive in Nature
       • Flow Applicable to Plan-Do-Check-Act Model (ISO)
       • Strong on Awareness: "Embed into the Culture"
       • Strong on Documentation, Records & Accountability

  13. Core Elements of These and Other Standards
     • A set of voluntary criteria
     • Applicable to any size organization
     • Provides for auditing and validation
     • Are an alternative to regulations
     • May become recognized as industry best practices (are also driven from the same)
     • A private sector vs. legislative process
     Source: Sloan Report "Framework for Voluntary Preparedness", published February 2008 – compared 7 standards/best practices

  14. Common Elements Examined by These Standards
     • Scope & Policy
     • Risk Identification
     • Prevention & Mitigation, Evaluation & Planning
     • Incident Management
     • Recovery
     • Awareness & Training
     • Exercise & Testing
     • Program Revision & Improvement
     Any of the existing standards, guidelines, best practices, or regulatory approaches can be used to meet the intent of Title IX of PL 110-53. What is lacking is the know-how, implementation tools and evaluation metrics to help the private sector, particularly small and medium businesses, successfully select and implement an approach.
     Source: Sloan Report "Framework for Voluntary Preparedness"

  15. Why Perform a Program Assessment?
     "If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it." - Abraham Lincoln
     • Simplify measuring and managing continuity activities
     • Understand how key resiliency competencies map to leading BC practice standards, i.e., NFPA1600, BS 25999, etc.
     • Improve compliance efficiency – streamline and simplify management reporting and/or regulatory efforts
     • Provide an appraisal methodology to benchmark an organization's resiliency and that of third party suppliers
     • Establish a sharable common measurement of risk and resiliency
     • Establish a roadmap for implementing a mature resiliency program

  16. How to Aggregate & Report Results?

  17. BS 25999-2 Summary Perspective

  18. NFPA 1600 Summary Perspective

  19. Grouping of Examination Points

  20. Program Maturity

  21. Quadrant Placement

  22. Thank You tmartin@eaglerockalliance.com 973-325-9900
