Regulations, Best Practices and Standards - PowerPoint PPT Presentation
1
Regulations, Best Practices and Standards
  • How do Current Standards Measure Up?

ACP Garden State Chapter April 2, 2009
Tom Martin tmartin_at_eaglerockalliance.com



2
Agenda
  • Review of Regulations, Best Practices & Standards
  • Review of Recent Events
  • Specific Focus on BS 25999 & NFPA1600
  • Compare & Contrast the Two Standards
  • How to Quantify a Standards Assessment?

3
Level-Setting Definitions
Regulations (Source: Georgetown Law School): A
type of "delegated legislation" promulgated by a
state, federal or local administrative agency
given authority to do so by the appropriate
legislature. Regulations are generally very
specific in nature; they are also referred to as
"rules" or simply "administrative law."
Best Practices (Source: BusinessDictionary.com):
Methods and techniques that have consistently
shown results superior to those achieved with
other means, and which are used as benchmarks to
strive for. There is, however, no practice that
is best for everyone or in every situation, and
no best practice remains best for very long, as
people keep on finding better ways of doing
things.
Standards (Source: International Standards
Organization - ISO): Documented agreements
containing technical specifications or other
precise criteria to be used consistently as
rules, guidelines or definitions of
characteristics, to ensure that materials,
products, processes and services are fit for
their purpose.
4
How Do Companies Measure the Performance of
their BCM Program Today?
  • 71.7% Business Continuity Plan Exercises
  • 51.8% Audit Findings
  • 31.8% Benchmarking to Industry Norms
  • 30.6% Metrics Program
  • 22.7% Performance Reviews
  • 16.6% Technology Recovery Test Results
  • 15.1% Maturity Modeling
  • 14.0% We do not Measure BCM Performance
  • 13.8% Service Level Monitoring
  • 8.7% Review of Program Capabilities vs. Standards

Source: 2008 CI/KPMG BCM Benchmark Survey
5
Regulations, Best Practices & Standards
  • Regulatory (US)
    • FFIEC - Federal Financial Institutions
      Examination Council
    • OCC - Office of the Comptroller of the Currency
    • FINRA - The Financial Industry Regulatory
      Authority
    • SEC - Securities and Exchange Commission
    • HIPAA - Health Insurance Portability and
      Accountability Act
    • SOX - Sarbanes-Oxley
    • Others
  • Regulatory (International)
    • FSA - Financial Services Authority (UK)
    • MAS - Monetary Authority of Singapore
    • Basel II - G10 Countries (Basel, Switzerland,
      June 2004)

National regulators indicated they were to
implement Basel II, in some form or another, by
2015.
Basel II attempts to regulate how much capital
banks must set aside to guard against the
financial and operational risks they face. It
does so by establishing rigorous risk and capital
management requirements designed to ensure that a
bank holds capital reserves appropriate to the
risk it takes on through its lending and
investment practices. Generally speaking, these
rules mean that the greater the risk to which the
bank is exposed, the greater the amount of capital
the bank needs to hold to safeguard its solvency
and overall economic stability.
6
Regulations, Best Practices & Standards
  • Best Practices
    • ASIS International - Preparedness & Continuity
      Management Best Practice Standard
    • DRII/BCI - Professional Practices for Business
      Continuity Planners
    • BCI - The BCI Good Practice Guidelines 2007
      (United Kingdom)
    • DRJ/DRII - Generally Accepted Practices (GAP)
    • Basel Committee on Banking Supervision - High
      Level Principles for Business Continuity (2006)

7
Regulations, Best Practices & Standards
  • Standards
    • NFPA1600 - Standard on Disaster/Emergency
      Management and Business Continuity Programs
      (ANSI/US)
    • BS 25999 - Business Continuity Management
      (BSI/UK)
      • Part 1: Code of Practice
      • Part 2: Specification
    • CSA Z1600 - Standard on Emergency Management and
      Business Continuity Programs (Canada)
    • HB 292:2006 - A Practitioner's Guide to Business
      Continuity Management (Australia)
    • TR 19:2004 - BCM Framework Technical Reference
      (Singapore)
    • SI 24001:2007 - Security & Continuity Management
      Systems (Israel)
    • ISO/PAS 22399 - Incident Preparedness &
      Continuity Management (ISO/International)
    • ISO 24762 - Guide for Information and
      Communications Technology for Disaster Recovery
      (ISO/International)
    • Title IX, PL 110-53 - Voluntary Certification
      against yet-to-be-announced Standards (US)

8
Recent Events
  • July 2008
    • Repligen Corp. (biopharmaceutical) becomes the
      first US firm to be certified in BS 25999
    • BSI Certification Status
      • 22 firms certified worldwide
      • 160 active applications
    • Standard & Poor's announced they will enhance
      their ratings process for non-financial companies
      through an enterprise risk management review
      (creating a more systematic framework for an
      inherently subjective topic)
  • August 2008
    • BS 25777 introduced: Code of Practice for
      Information and Communications Technology
      Continuity
      • Similar to ISO 24762, Guide for ICT and DR
    • DHS signed agreement with ANSI-ASQ National
      Accreditation Board (ANAB) to establish and
      oversee the implementation and accreditation of
      Title IX

9
Recent Events (cont'd)
  • August 2008 (cont'd)
    • ASIS announces plans for a new US Business
      Continuity and Risk standard
      • Solicits the support of the ANSI organization
      • ASIS is an ANSI-accredited Standards Development
        Organization (SDO)
      • DRII protests and rallies others to do the same
    • Carnegie Mellon CERT Resiliency Framework - Code
      of Practice Standards Crosswalk (11 standards)
      published
  • October 2008
    • ANSI Homeland Security Standards Panel
      discussion
      • Subject was Public Law 110-53 Title IX voluntary
        standards
      • DHS draft on criteria to be evaluated in
        standards selection
    • ASIS hosted stakeholder deliberation meeting and
      then re-affirmed its direction in developing a new
      ANSI standard

10
Recent Events (cont'd)
  • October 2008 (cont'd)
    • Singapore (SPRING) launches new certifiable
      standard SS540, which replaces TR 19:2004
  • January 2009
    • NFPA issues 2010 version of NFPA1600 for public
      comment
    • ASIS International holds joint working group
      meeting to outline new US standard based largely
      on BS 25999
    • 1st public feedback session on Title IX sponsored
      by the DHS
    • The Business Continuity Institute (BCI) announced
      the release of an updated version of its business
      continuity Good Practice Guidelines, designated
      GPG2008-2
  • February 2009
    • 2nd public feedback session on Title IX sponsored
      by the DHS

Work Continues
11
BS 25999 & NFPA1600 Comparison
  • NFPA1600
    • 17-year history
    • 2007 update / 2010 draft
    • ANSI Standard (US)
    • Not currently certifiable
    • Non-ISO structure
    • 16 element groupings
    • 112 detail points
    • Available for free
    • 4 pages
  • BS 25999
    • 7-year history (PAS 56)
    • 2006-07 releases
    • BSI Standard (UK)
    • Certifiable
    • Follows ISO structure
    • 11 element groupings
    • 156 detail points
    • Available for cost
    • 12 pages (specification)

12
Key Differences
  • NFPA1600
    • Component/task focus
    • More reactive in nature
    • Flow applicable to Mitigation/Preparedness/Response/Recovery
    • Strong on Emergency Planning & Response
  • BS 25999
    • Process/system focus
    • More proactive in nature
    • Flow applicable to Plan-Do-Check-Act model (ISO)
    • Strong on Awareness & Embedding into the Culture
    • Strong on Documentation, Records & Accountability

13
Core Elements of These and Other Standards
  • A set of voluntary criteria
  • Applicable to any size of organization
  • Provides for auditing and validation
  • An alternative to regulations
  • May become recognized as industry best practices
    (and are also driven from the same)
  • A private-sector rather than legislative process

Source: Sloan Report, Framework for Voluntary
Preparedness
  • Published February 2008; compared 7
    standards/best practices

14
Common Elements Examined by These Standards
  • Scope & Policy
  • Risk Identification
  • Prevention & Mitigation, Evaluation & Planning
  • Incident Management
  • Recovery
  • Awareness & Training
  • Exercise & Testing
  • Program Revision & Improvement

Any of the existing standards, guidelines, best
practices, or regulatory approaches can be used
to meet the intent of Title IX of PL 110-53.
What is lacking is the know-how, implementation
tools and evaluation metrics to help the private
sector, particularly small and medium businesses,
successfully select and implement an approach.
Source: Sloan Report, Framework for Voluntary
Preparedness
15
Why Perform a Program Assessment?
"If we could first know where we are, and whither
we are tending, we could better judge what to
do, and how to do it." - Abraham Lincoln
  • Simplify measuring and managing continuity
    activities
  • Understand how key resiliency competencies map to
    leading BC practice standards, e.g., NFPA1600, BS
    25999, etc.
  • Improve compliance efficiency: streamline and
    simplify management reporting and/or regulatory
    efforts
  • Provide an appraisal methodology to benchmark an
    organization's resiliency and that of its third-
    party suppliers
  • Establish a sharable, common measurement of risk
    and resiliency
  • Establish a roadmap for implementing a mature
    resiliency program

16
How to Aggregate & Report Results?
17
BS 25999-2 Summary Perspective
18
NFPA 1600 Summary Perspective
19
Grouping of Examination Points
20
Program Maturity
21
Quadrant Placement
22
Thank You
tmartin_at_eaglerockalliance.com 973-325-9900