290 likes | 953 Views
Regulations, Best Practices and Standards. An Overview and Case Study for Putting it to Work in Your Organization. Flagg Management Conference March 17, 2009 – 3:10 P.M. Tom Martin tmartin@era-1.com. Tim Mathews tmathews@ets.org. Karen Hughes khughes@ansi.org. Level Setting Definitions.
E N D
Regulations, Best Practices and Standards An Overview and Case Study for Putting it to Work in Your Organization Flagg Management Conference March 17, 2009 – 3:10 P.M. Tom Martin tmartin@era-1.com Tim Mathews tmathews@ets.org Karen Hughes khughes@ansi.org
Level Setting Definitions Regulations (Source: Georgetown Law School) A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature, they are also referred to as "rules" or simply "administrative law." • Best Practices (Source: Business Dictionary. COM) • Methods and techniques that have consistently shown results superior than those achieved with other means, and which are used as benchmarks to strive for. • There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things. Standards(Source: International Standards Organization - ISO)Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
Regulations, Best Practices & Standards • Regulatory (US) • FFIEC - Federal Financial Institutions Examination Council • OCC - Office of the Controller of the Currency • FINRA - The Financial Industry Regulatory Authority • SEC - Securities and Exchange Commission • HIPAA - Health Insurance Portability and Accountability Act • SOX - Sarbanes-Oxley • + Others • Regulatory (International) • FSA - Financial Services Authority (UK) • MAS - Monetary Authority of Singapore • Basel II – G10 Countries (Basel, Switzerland – June 2004)
Regulations, Best Practices & Standards • Best Practices • ASIS International - Preparedness & Continuity Management Best Practice Standard • DRII/BCI - Professional Practices for Business Continuity Planners • BCI - The BCI Good Practice Guidelines 2007 (United Kingdom) • DRJ/DRII - Generally Accepted Practices (GAP) • Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)
Regulations, Best Practices & Standards • Standards • NFPA1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US) • BS 25999 - Business Continuity Management (BSI/UK) • -1 Code of Practice • -2 Specification • ISO/PAS 22399 - Incident Preparedness & Continuity Management (ISO/International) • Title IX – PL 110-53 - Voluntary Certification against yet to be Announced Standards (US) • ISO 24762 – Guide for Information and Communications Technology for Disaster Recovery (ISO/International) • HB 292:2006 - A Practitioners Guide to Business Continuity Management(Australia) • CSA Z1600 - Standard on Emergency Management and Business Continuity Programs (Canada) • TR19:2004 - BCM Framework & Technical Reference (Singapore) • SI 24001:2007 - Security & Continuity Management Systems (Israel)
Recent Events • July 2008 • Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS 25999 • BSI Certification Status • 22 firms certified worldwide • 160 active applications • S&P announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic) • August 2008 • BS 25777 introduced – Code of Practice for Information and Communications Technology Continuity • Similar to ISO 24762 – Guide for ICT and DR • DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) – to establish and oversee the implementation and accreditation of Title IX
Recent Events (cont’d) • August 2008 (cont’d) • ASIS announces plans for a new US Business Continuity and Risk standard • Solicits the support of ANSI organization • ASIS is an ANSI accredited Standards Development Organization (SDO) • DRII protests and rallies others to do the same • Carnegie Mellon – Cert Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published • October 2008 • ANSI Homeland Security Standards Panel discussion • Subject was Public law 110-53 Title XI voluntary standards • ASIS hosted stakeholder deliberation meeting and then re-affirms its direction in developing a new ANSI standard
Recent Events (cont’d) • October 2008 (cont’d) • Singapore (SPRING) launches new certifiable standard SS540 which replaces TR 19:2004 • January 2009 • NFPA issues 2010 version of NFPA1600 for public comment • ASIS International holds joint working group meeting to outline new US standard based largely on BS 25999 • 1st public feedback session on Title IX sponsored by the DHS • The Business Continuity Institute announced the release of an updated version of its business continuity Good Practice Guidelines -- designated as GPG2008-2 • February 2009 • 2nd public feedback session on Title IX sponsored by the DHS Work Continues
BS25999: A Case Study Tuesday, March 17, 2009 Tim Mathews Director, Enterprise Resiliency Educational Testing Service
Educational Testing Service • Our Mission:To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and educational performance, and support education and professional development for all people worldwide. • Our Vision: To be recognized as the global leader in providing fair and valid assessments, research and related products and services to help individuals, parents, teachers, educational institutions, businesses, governments, countries, states and school districts, as well as measurement specialists and researchers. • Our Values:Social responsibility, equity, opportunity, and quality. We practice these values by listening to educators, parents and critics. We learn what students and the institutions they attend need. We lead in the development of products and services to help teachers teach, students learn and parents measure the intellectual progress of their children.
Today’s agenda: • Why pursue a standard? • Why BS 25999? • What is the process? • What have we learned?
Why pursue a standard?Support the Corporate Strategy • Establish and maintain trust – enhance and preserve the Brand • Supply chain risk management • Critical vendors and suppliers may experience a disaster • What do we know about their resiliency? • Competitive advantage – may increase or maintain margin vis-à-vis competition • Certified BCMS is a differentiator (RFI,RFP and Contract) • May reduce the burdens of internal and external audits from your key customers. • SLA and scope “expectation” management • Key customers are vague • As DHS voluntary compliance percolates through the business community, there will be a “Wal-Mart” effect • Training and knowledge transfer
Why pursue a standard? Effective Risk Management • Debt valuation and risk ratings • S&P (and Moody’s) • Enterprise Risk Management (ERM) will be added as an element of all corporate ratings • Requires that a firm address all its risks • Operational risk is a critical element … encompassing security, resilience, etc “..the extent to which companies are adopting standards, … would bolster the view that management has a proactive culture and attitude towards risk. However it’s too early …. to know what weight we’d place on that evidence.” • Firms must show they are addressing risks in a systematic manner • Tort Negligence: Industry standards inform prudent practice and “affirmative defense.” – ’93 WTC bombing decision • Port Authority held more liable than terrorists ($100M)
Why pursue a standard?Compliance and Governance • DHS voluntary mandate - Title IX • Various compliance requirements • Regulatory • Periodic external financial control audits • Insurability audits • Independent client audits • Common framework for communication of capabilities • Business development • Supply chain • Inter-company (parent and subs) • Integrated recovery planning and exercises (with subs, key suppliers and clients) • Leverage plan development and maintenance activities
Why BS 25999? • Accepted Standard that establishes the process, principles and terminology of business continuity management (BCM) • BS 25999-1 Code of Practice – provides guidance and recommendations • BS 25999-2 Detailed Specification – appears to meet or exceed the published DHS criteria • Provides a non-prescriptive, generic model to follow in creating and maintaining preparedness processes and activities • ETS Enterprise Resiliency program aligned well to the standard • Gaps were straight forward to implement
BS25999-2 Certification Process + = Standard (Criteria) Assessment (Evidence) Certification Demonstrate compliance with specification Address any non-conformities Refresh program Demonstrate on-going compliance with specification Research Self-assessment Pre-assessment Stage 1 audit Industry practices Peer discussion Online self assessment Part 1: Code of practice Part 2: Specification Stage 2 audit Review Policy and SOP Risk Assessments and Internal Audit Review BIA, BCP, TDRPs and ERP Remediation Surveillance
BS25999-2 Certification Timeline + = Standard (Criteria) Assessment (Evidence) Certification 2 months annual recurring 7 months 9/08 – 4/09 Research Self-assessment Pre-assessment 3 months Stage 1 audit 1 month Stage 2 audit Remediation 2 days Surveillance 2 days 6 weeks 4 months 4/08 – 8/08 10 days 2 days
Lessons Learned • A really good and effective BC program does not necessarily meet the standard. • Learn standards “speak” • “shall = will” • Do what you say you do – write it down! • BC/DR planning software may introduce a document management gap • Internal Audit is not an Internal Audit • You cannot dance around the Maximum Tolerable Period of Disruption (MTOTB) • Risk Assessment – must be part of your program • Who needs a CAPA? • Light on the Technology aspects of recovery planning • Dot the i’s and cross the t’s – the devil is in the details!
Flagg Management Conference Presented by Karen HughesDirector of Homeland Security Standards March 17, 2009
Agenda • ANSI-HSSP Overview • Title IX Program • Trajectory of ISO/PAS 22399 • Business Case for Certification
ANSI-Homeland Security Standards Panel Mission: • Identify and facilitate the development and enhancement of homeland security standards • Serve as private/public sector partnership for standards issues that cut cross-sector • Provide a forum for information sharing on homeland security standards issue, as well as the overall standards development and conformity assessment processes • Facilitate dialogue and networking on key issues for homeland security stakeholders
Voluntary Private Sector Preparedness Accreditation & Certification Program • GoalImprove private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment • BackgroundMandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to establish a common set of criteria for private sector preparedness
Voluntary Private Sector Preparedness Accreditation & Certification Program Key Guiding Principles • Participation is voluntary • Provide method to independently certify preparedness of private sector entities • Administered by non-government entity (ANAB) • DHS designation of one or more standards to be used in assessing private sector preparedness • Incorporate existing regulatory requirements and existing efforts • Certification of private sector entities will be performed by non-government certifying bodies
Voluntary Private Sector Preparedness Accreditation & Certification Program Possible Standards • International • ISO 22399 • ISO 22301 • National • NFPA 1600 (USA) • BS 25999 (UK) • CSA Z1600 (Canada)
ISO/PAS 22399:2007 ISO/TC 223 – Societal Security • Scope International standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, amongst all interested parties. • Structure WG 1 – Framework standard on societal security management WG 2 – Terminology WG 3 – Command and control, coordination and cooperation WG 4 – Preparedness and continuity • Membership Participating countries: 37 Observing countries: 17
ISO/PAS 22399:2007 ISO/TC 223 Work Program • ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management • Next Steps: • Development of ISO 22301 – Management system standard focused on preparedness and continuity management • Conversion of ISO 22399 from PAS to Draft International Standard as a guide to ISO 22301
InterCEP • International Center for Enterprise Preparedness • Catalyst focused on Private Sector Preparedness & Corporate Resilience • Working Groups • Supply Chain Management • Legal Liability Mitigation • Insurance Acknowledgement • Rating Agency Acknowledgement • Online Clearinghouse of information
Business Case for Certification According to the Institute for Business & Home Safety, an estimated 25% of businesses do not reopen following a major disaster. Compliance with preparedness standards can… • Minimize impact of business disruptions • Reduce overall costs • Enhance corporate reputation • Employee protection • Link between good practice/standards (what to do) and benefits (why to do it)
Further Information • For additional information about: • ANSI: www.ansi.org/hssp • ANAB: www.anab.org • InterCEP: www.nyu.edu/intercep • PS-Prep: www.fema.gov/business/certification/index.htm • ISO: www.iso.org • HSSD: www.hssd.us/ • Questions can be directed to: • Karen Hughes Program Director, Homeland Security Standards (khughes@ansi.org; 212-642-4992)