Headline here

1
D1 BS25999 A Case Study Monday, April 27,
2009 Tim Mathews Director, Enterprise
Resiliency Educational Testing Service
2
Educational Testing Service

• Our Mission To advance quality and equity in
  education by providing fair and valid
  assessments, research and related services. Our
  products and services measure knowledge and
  skills, promote learning and educational
  performance, and support education and
  professional development for all people
  worldwide.
• Our Vision To be recognized as the global leader
  in providing fair and valid assessments, research
  and related products and services to help
  individuals, parents, teachers, educational
  institutions, businesses, governments, countries,
  states and school districts, as well as
  measurement specialists and researchers.
• Our Values Social responsibility, equity,
  opportunity, and quality. We practice these
  values by listening to educators, parents and
  critics. We learn what students and the
  institutions they attend need.

We lead in the development of products and
services to help teachers teach, students learn
and parents measure the intellectual progress of
their children.
3
Todays agenda

• Why pursue a standard?
• What is BS 25999?
• What is the process?
• What did we learn?

4
Corporate Strategy

• an effective corporate strategy will
  systematically improve the probability of
  success
• Paul Almeida, Ph.D.
• Georgetown University
• Enterprise Resiliency supports the corporate
  strategy by establishing the capabilities and
  resources required to systematically mitigate and
  minimize the impact of a significant business
  interruption.

5
Why pursue a standard? Support the Corporate
Strategy

• Establish and maintain trust enhance and
  preserve the Brand
• Supply chain risk management
• Critical vendors and suppliers may experience a
  disaster
• What do we know about their resiliency?
• Competitive advantage may increase or maintain
  margin vis-à-vis competition
• Certified BCMS is a differentiator (RFI,RFP and
  Contract)
• May reduce the burdens of internal and external
  audits from your key customers.
• SLA and scope expectation management
• Key customer availability requirements may be
  vague
• As DHS voluntary compliance percolates through
  the business community, there will be a
  Wal-Mart effect

6
Why pursue a standard? Compliance and Governance

• DHS voluntary mandate - Title IX
• Various compliance requirements
• Industry specific regulatory requirements
• Periodic external financial control audits
• Insurability audits
• Independent client audits
• Common framework for communicating capabilities
• Business development
• Supply chain
• Inter-company (parent and subs)
• Integrated recovery planning and exercises (with
  subs, key suppliers and clients)

7
Why pursue a standard? Effective Risk Management

• Debt valuation and risk ratings
• SP (and Moodys)
• Enterprise Risk Management (ERM) will be added as
  an element of all corporate ratings
• Requires that a firm address all its risks
• Operational risk is a critical element
  encompassing security, resilience, etc
• ..the extent to which companies are adopting
  standards, would bolster the view that
  management has a proactive culture and attitude
  towards risk. However its too early . to know
  what weight wed place on that evidence.
• Firms must show they are addressing risks in a
  systematic manner
• Tort Negligence Industry standards inform
  prudent practice and affirmative defense. 93
  WTC bombing decision
• Port Authority held more liable than terrorists
  (100M)

8
Why pursue a standard? Staff productivity

• Leverage program documentation and plan
  development and maintenance activities
• May reduce the burdens of responding to internal
  and external audits from your key customers.
• Training and knowledge transfer
• Institutional knowledge
• Legacy systems and processes
• Hiring and staffing expectations

9
Regulations? Best Practices? Standards?
10
Regulations

• FFIEC Federal Financial Institutions
  Examination Council
• OCC Office of the Comptroller of the Currency
• SIRA Security Industry Regulatory Authority
• SEC Securities and Exchange Commission
• HIPAA Health Insurance Portability and
  Accountability Act
• SOX Sarbanes-Oxley
• FSA Financial Services Authority (UK)
• MAS Monetary Authority of Singapore
• Basel II International worlds central banks
• Title IX PL 110-53 Voluntary assessment
  against standard (tbd)
• Ratings agencies and . other industry specific

11
Industry Best Practices

• DRII/BCI Professional practices for Business
  Continuity Planners
• DRJ/DRII Generally Accepted Practices (GAP)
• ASIS International Preparedness Continuity
  Management Best Practice Standard
• Basel Committee on Banking Supervision High
  Level Principles for Business Continuity (2006)
• Local and peer level activities

12
Standards

• NFPA1600 Standard on Disaster/Emergency
  Management and Business Continuity Programs
• ISO/PAS 22399 Incident Preparedness
  Continuity Management
• HB 2922006 A practitioners Guide to Business
  Continuity Management (Australia)
• CSA Z1600 Standard on Emergency Management and
  Business Continuity Programs (Canada)
• TR192004 BCM Framework Technical Reference
  (Singapore)
• SI 240012007 Security Continuity Management
  Systems (Israel)

13
Why BS 25999?

• Accepted Standard that establishes the process,
  principles and terminology of business continuity
  management
• BS 25999-1 Code of Practice provides guidance
  and recommendations
• BS 25999-2 Detailed Specification appears to
  meet or exceed the published DHS criteria
• Provides a non-prescriptive, generic model to
  follow in creating and maintaining preparedness
  processes and activities
• Current Enterprise Resiliency program aligned
  well to the standard
• Gaps were straight forward to implement

14
BS25999 PDCA Cycle
Note Shall Will
15
BS 25999-2 Navigating the Standard .
16
3. Planning the business continuity management
system
BIA identifies critical business processes,
applications and systems

• 3.2 Establishing and managing the BCMS
• 3.2.1 Scope and objectives of the BCMS
• shall identify key products and services
• 3.2.2 BCM policy
• shall be communicated to all persons working
  for or on behalf of the organization
• 3.2.3 Provision of resources
• shall determine and provide the resources
  needed
• 3.2.4 Competency of BCM personnel
• shall ensure that all personnel are
  competent..
• e) maintain records of education, training,
  skills, experience and qualifications.

Employees, contractors, partners, etc
People and
17
3. Planning the business continuity management
system (contd)

• 3.3 Embedding BCM in the organizations culture
• a) Raise, enhance and maintain awareness
• b) Communicate to all employees the importance
  of
• 1) meeting BCM objectives
• 2) conforming to the BC policy and
• 3) continual improvement and
• c) Ensure that all employees are aware of how
  they contribute to the achievement of the
  organizations BC objectives

Must be able to demonstrate the communication was
made and received
18
3. Planning the business continuity management
system (contd)
Document management methods and tools

• 3.4.1 General (list of documentation covering
  aspects of the BCMS)
• 3.4.1.1 shall have documentation (a o)
• 3.4.1.2 Records shall be established,
  maintained and controlled to provide evidence of
  the effective operation of the BCMS.
• 3.4.1.3 Documented procedures shall be
  established in order to identify the controls
  over BCMS documentation and records.

Evidence needs to pertain to the BCMS being
audited
19
3. Planning the business continuity management
system (contd)

• 3.4.2 Control of BCMS records shall be
  established in order to
• a) ensure that they remain legible, readily
  identifiable and retrievable and
• b) provide for their identification, storage,
  protection and retrieval.

Integration with corporate records management,
protection and retention PP
20
3. Planning the business continuity management
system (contd)

• 3.4.3 Control of BCMS documentation shall be
  established to ensure that
• a) documents are approved for adequacy prior to
  use
• b) ..reviewed and updated as necessary and
  re-approved
• c) changes and the current revision status
  are identified
• d) relevant versions are available at points
  of use
• e) documents of external origin are identified
  and controlled
• f) the unintended use of obsolete documents is
  prevented suitably identified if they are
  retained for any purpose

DBMS based plan development and maintenance
systems present a challenge
21
4. Implementing and operating the BCMS
Product and service level rather than Process and
Activity

• 4.1.1 Business impact analysis method for
  determining the impact of any disruption key
  products and services
• a) identify activities key products and
  services
• b) ..impacts vary over time
• c) maximum tolerable period of disruption
• d) priority for recovery
• e) dependencies suppliers and outsource
  partners
• f) BCM arrangements in place for 3rd parties
• g) RTO within the mtopd and
• h) resources required for resumption

Be sure to understand this and align it with the
BIA
22
4. Implementing and operating the BCMS (contd)

• 4.1.2 Risk assessment
• 4.1.2.1 shall be a defined method that
  will enable the organization to understand the
  threats to its critical activities, including
  those provided by suppliers and outsource
  partners
• 4.1.2.2 shall understand the impact if an
  identified threat became an incident and caused a
  business disruption.
• 4.1.3 Determining choices shall identify
  available risk treatments that
• a) reduce the likelihood of a disruption
• b) shorten the period of disruption and
• c) limit the impact on the key products and
  services
• 4.1.3.2 choose and implement risk
  treatmentsin accordance with its level of risk
  acceptance

Management must state risk tolerance
23
4. Implementing and operating the BCMS (contd)

• 4.2 Determining business continuity strategy
• a) define a incident response structure
• b) determine how it will recover each critical
  activity within its RTO resources required for
  resumption and the products and services provided
  by suppliers and outsource partners, and
• c) manage relationships with key stakeholders
  and external parties..
• 4.3 Developing and implementing a BCM response
• 4.3.2 Incident response structure
• 4.3.3 Business continuity plans and incident
  management plans (a-p)
• b) be accessible to and understood by those who
  will use them
• m) recording key information about the
  incident, actions taken and decisions made
• p) prioritized objectives critical activities
  to be recovered, the timescales and recovery
  levels needed for each critical activity

Be sure you know who may use them
24
4. Implementing and operating the BCMS (contd)
1/3 of arrangements (capabilities and plans) need
to be exercised per year

• 4.4 Exercising, maintaining and reviewing BCM
  arrangements
• 4.4.2 BCM exercising
• a) consistent with scope of the BCMS
• b) approved by top management planned
  intervals and when significant changes occur
• c) a range of different exercises that taken
  together validate the whole of its BC
  arrangements
• e-g) document each exercise
• 4.3 Maintaining and reviewing BCM arrangements
• 4.4.3.3 review of BCM arrangements shall be
  regular and conducted either through
  self-assessment or audit
• 4.4.3.4 an incident that results in the
  invocation of the BCP or the IMP, a post-incident
  review shall be undertaken
• a-e) After Action Review documentation

Do not confuse with the Internal Audit requirement
25
5. Monitoring and reviewing the BCMS

• 5.1 Internal Audit
• Note. The internal audit is distinct from the
  self-assessment or audit in 4.4.3.3
• 5.1.1 ..ensure that internal audits of the BCMS
  are conducted at planned intervals
• a) 1) conforms to planned arrangements for BCM,
  including the requirements of this BCM standard
  and
• 5.1.2 audit programme(s) shall be planned,
  taking into account the BIA, risk assessment,
  control and mitigation measures and the results
  of previous audits
• 5.1.4 Selection of auditors and conduct of
  audits shall ensure objectivity and the
  impartiality of the audit process
• 5.2 Management review of the BCMS
• 5.2.2 Review input
• a-m) CAPA, ..residual risk, threats not
  adequately addressed,.
• 5.2.3 Review output
• a-e) decisions and actions related to changes of
  the BCMS, resources and funding

Does not have to be external resources
26
6. Maintaining and improving the BCMS
Actions regarding the BCMS -

• 6.1 Preventive and corrective actions
• 6.1.1.1 ...improve the BCMS through the
  application of preventive and corrective actions.
• 6.1.2 Preventive action guard against potential
  nonconformities
• a-g) priority of preventive actions based on
  the results of the risk assessment and the BIA
• 6.1.3 Corrective action eliminate the cause of
  nonconformities
• a-f) determining and implementing the corrective
  action needed
• 6.2 Continual improvement
• .continually improve the effectiveness of the
  BCMS through the review of the business
  continuity policy and objectives, audit results,
  analysis of monitored events, preventive and
  corrective actions, and management review.

27
BS25999-2 Certification Process


Standard (Criteria)
Assessment (Evidence)
Certification
Demonstrate compliance with specification
Address any non-conformities Refresh program
Demonstrate on-going compliance with
specification
Research
Self-assessment
Pre-assessment
Stage 1 audit
Industry practices Peer discussion Online self
assessment Part 1 Code of practice Part 2
Specification
Stage 2 audit
Remediation
Review Policy and SOP Risk Assessments and
Internal Audit Review BIA, BCP, TDRPs and ERP
Surveillance
28
BS25999-2 Certification Timeline


Standard (Criteria)
Assessment (Evidence)
Certification
7 months 9/08 4/09
2 months annual recurring
Research
Self-assessment
Pre-assessment
3 months
Stage 1 audit
Stage 2 audit
1 month
Remediation
2 days
Surveillance
2 days
6 weeks
4 months 4/08 8/08
10 days
2 days
29
Lessons Learned

• A really good and effective BC program does not
  necessarily meet the standard.
• Learn standards speak
• shall will
• Do what you say you do write it down!
• BC/DR planning software may introduce a document
  management gap
• Internal Audit is not an Internal Audit
• Understand the Maximum Tolerable Period of
  Disruption (MTOTB) in relationship to the BIA and
  recovery arrangements
• Risk Assessment must be part of your program
• CAPA isnt an Italian cold cut?
• Light on the Technology aspects of recovery
  planning
• Dot the is and cross the ts the devil is in
  the details!

30
D1 BS25999 A Case Study QUESTIONS? Tim
Mathews Director, Enterprise Resiliency Educationa
l Testing Service