Al Berman Certification Presentation 9-8-10 to ACP

advertisement
Boston ACP – September 8, 2010
1

A Non-Profit Organization Committed to:
◦ Promoting a base of common knowledge for the continuity
management industry
◦ Certifying qualified individuals in the discipline of Business Continuity
◦ Promoting the credibility and professionalism of certified individuals

Founded in 1988.

The Industry’s Premier Education and Certification Program Body
 DRII has Certified INDIVIDUALS in over 95 Countries.
 DRII conducts training courses in over 45 countries.
 More individuals choose to maintain their certification through us
than all other organizations in our industry combined (Over
7,500 active individuals as of 2009)
 DRII Certifies individuals in English, Spanish, French, Japanese,
Mandarin and Russian
 DRI International teaches in English, French, Spanish,
Portuguese, Mandarin, Japanese, Italian and Russian
 In 2009 DRII taught more classes outside the US than within the
US.
Government Organizations
•Chaired the Alfred P. Sloan Committee that drafted the Framework for
Preparedness that has been the foundation for the Title IX Implementation.
•Member U.S. Chamber of Commerce Homeland Security Task Force
•Member of the Council of Experts for ANSI-ANAB who will set the
credentialing standard for certifying bodies for PS-Prep
•Member of FEMA National Advisory Council Private Sector Subcommittee
•Member of Advisory Committee for Congressionally funded Project for
National Security Reform
•Meeting with Special Assistant to The President for Homeland Security
Standards Policy
Non-Government Organization
•Member of the NFPA 1600 Technical Committee
•Member of the BS25999 – ASIS Technical Committee
•Participant RIMS (Risk Insurance Managers Society) PERK (Professional
Exchange of Risk Knowledge) Program
•Cooperative Education Credit Sharing with ISACA (Information Systems
Audit and Control Association)
•Cooperative Education Credit Sharing with IC2
•Audit Course Development and Training for Auditors with NFPA (National
Fire Prevention Association)
•Developing Joint Program with Red Cross

Greater Marketplace Recognition
◦ Job Pre-Requisites
◦ Distinguishes Candidate
◦ HR Key Words
 CBCP, ABCP

Financial Gain – certification is
correlated with higher wages
6
7
Courtesy – BC Management – 2008 Survey
8

Employer Benefit –
◦ confirms for the employer, the employee has a
high level of knowledge of standard industry
practices and processes – AND CONTINUES TO
MAINTAIN CURRENT KINOWLEDGE
◦ Provides consistency of knowledge for multinationals
9
10

What Are We Trying to Accomplish?
◦ PREPAREDNESS
 Emergency Management
 Disaster management
 Business Continuity

Is this New?
◦ Regulations
◦ Standards
◦ Guidances
11
Recommendation: We endorse the American National Standards
Institute’s recommended standard for private preparedness. We were
encouraged by Secretary Tom Ridge’s praise of the standard, and urge
the Department of Homeland Security to promote its adoption. We
also encourage the insurance and credit-rating industries to look
closely at a company’s compliance with the ANSI standard in assessing
its insurability and creditworthiness. We believe that compliance
with the standard should define the standard of care owed by a
company to its employees and the public for legal purposes. Privatesector preparedness is not a luxury; it is a cost of doing business in
the post-9/11 world.
12
Business Continuity Regulations and Standards
Post-9/11
Pre-9/11
Consumer Credit Protection Act
OMB Circular A-130
FEMA Guidance Document
Paperwork Reduction Act
ISO 27002 (Previously ISO17799)
FFIEC BCP Handbook
Computer Security Act
12 CFR Part 18
Presidential Decision Directive 67
FDA Guidance on Computerized Systems
used in Clinical Trials
ANSI/NFPA Standard 1600
Turnbull Report (UK)
ANAO Best Practice Guide (Australia)
SEC Rule 17 a-4
FEMA FPC 65
CAR
JHACO
1991 - 2001
Sarbanes-Oxley Act of 2002
HIPAA, Final Security Rule
FFIEC BCP Handbook -2003/ 2008
Fair Credit Reporting Act
NASD Rule 3510
NERC Security Guidelines
FERC Security Standards
NAIC Standard on BCP
NIST Contingency Planning Guide
FRB-OCC-SEC Guidelines for
Strengthening the Resilience of
US
Financial System
NYSE Rule 446
California SB 1386
Australia Standards BCM Handbook
GAO Potential Terrorist Attacks
Guideline
Federal and Legislative BC
Requirements for IRS
Basel Capital Accord
MAS Proposed BCP Guidelines
(Singapore)
NFA Compliance Rule 2-38
FSA Handbook (UK)
BCI Standard, PAS 56 (UK)
Civil Contingencies Bill (UK)
2002 Safety Act
FCD-1/2
NYS Circular Letter 7
ASIS
State of NY FIRM White Paper on CP
NISCC Good Practices (Telecomm)
Australian Prudential Standard on BCM
HB221
HB292
BS25999
SS507 – SS540
TR19
CA Z1600
ISO/PAS 22399
HiTech Act of 2009
DRII
Title IX – 110-53
2002 -------------------------------------------------------2010
13
a. Goal of the new program is to provide a method to independently certify the
emergency preparedness of private sector organizations, including their disaster /
emergency management and business continuity programs. The program focuses on
certifying the preparedness of businesses and other private sector entities, and does not
involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the
program. Consultation with a variety of organizations and various sectors is required by
the legislation. Program development will likely include involvement by a diversity of
private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations
with experience / expertise in managing and implementing voluntary accreditation and
certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is reference by
example.
f. Existing industry efforts, certifications and reporting in this area will not be
duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
14

A list of Recommended Standards Against
Which a Company May Certify:

ASIS International SPC.1-2009 Organizational Resilience: Security

British Standards Institution 25999 (2007 Edition) - Business

National Fire Protection Association 1600-Standard on Disaster /
Preparedness, and Continuity Management System – Requirements
with Guidance for use (2009 Edition).
Continuity Management.(BS 25999:2006-1 Code of practice for
business continuity management and BS 25999: 2007-2
Specification for business continuity management)
Emergency Management and Business Continuity Programs, 2007
and 2010 editions.
15
ANSI-ANAB
In progress - ANSI
DHS
16

DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course

ANSI-CAP follows the accreditation process outlined in the international
standard ISO/IEC 17011, General Requirements for Accreditation Bodies
Accrediting Conformity Assessment Bodies and recognized by ANSI-ANAB

Passing the Exam will Provide a Certificate of Completion (Because training is a
requirement there can be no examination only)

This Certificate will Be Required to Seek CBCA/CBCLAs

DRI International will maintain recertification through continuing education
(RSBSQA requirement)
17


Created by Government/Industry Regulatory
Bodies
Punitive
◦ Fines
◦ Shutdown




Subject to Annual (Operational/Financial) Audit
Audit Conducted by Third Party
Results are Board Issues
May Create Vendor Requirements
◦ FFIEC
◦ HIPPA




Voluntary
Non-Punitive
Auditable Through First, Second or Third Parties
State of Flux
◦ NFPA 1600 is the ANSI National Standard is in Revised Every
3 years
◦ ASIS/BS25999 are Currently in the Early Stages of Seeking
ANSI Accreditation not Due until at Least End of 2009
◦ ISO 22399/PAS (Publicly Available Specifications) Interim
State
◦ New Australian Standard
◦ New Singapore Standard

A Certification by an Approved Certification
Body
◦ No Endorsement by DHS/FEMA or Federal
Government
 A Distancing by DHS from the Process
 Private Sector Certification Bodies
◦ Available Before PS-Prep




NFPA 1600
BS 25999
SS507 – SS540
Private Companies
20

No Get Out of Jail Free (Safe Harbor)
◦ Safety Act of 2002

No Reduction in Insurance Premiums

Does Not Exempt Regulatory Compliance

DHS Cannot Make It Mandatory – Only
Legislative Action Can
◦ Highly Unlikely
◦ Consider Sarbanes-Oxley
21

Rewards
◦ May Satisfy Customer Inquiries
 Supply Chain
 RFPs
◦ Create Uniformity
 Multi-Nationals
◦ Increase Preparedness
 PS-Prep Raised Awareness of Need to Prepare

Risks
◦ May Not Provide Legal Protection
 Judge and Jury Decision
 No Known NFPA1600 Defense
◦ Quality of Auditors
 Proper Training
 No Control
 Precludes “Any organization that provides preparedness
consulting services to private sector entities”

Potential Conflict
 Financial – Operational Audit
 Corporate Governance
 Regulation

Expensive





Think Sarbanes-Oxley
Initial Expense
Annual or bi-Annual Review
REMEDIATION
Discoverable (Corrective Action Plan)

Focus on the Regs *

Broaden Your Viewpoint *

Keep Your Eyes on Transition *

Hold Off On (the Actual) Certification *

Walk Don’t Run *

Talk to Your General Counsel (DHS Does)
* The Standards Race
Author: Mark Carroll

Let’s Work On Preparedness
◦ Small Steps – Easily Accomplished
•The Greater Tampa Bay Chapter would act as the organizing administrator for
the training class, and the participants would pay $1745.50 to ACP – GTB.
•At the conclusion of the DRI 501 class and exam, ACP – GTB will file the
appropriate paperwork with the State of Florida for an education reimbursement,
and the State of Florida would pay ACP – GTB for 50% of the cost of this
training / exam program – or $872.50 per participant.
•GTB – ACP would then cut a check back to each participant for $872.50. The
education grant only covers the cost of training, exams, and administrative fees
associated with the class.
•That would bring the net cost to each participant down to $872.50 which is
SIGNIFICANTLY lower than you’d pay for the program at any of the major BCP /
DR conferences
•Travel, lodging, and meals would be the responsibility of each participant, and
we are working with our event coordinator to find a venue which would
guarantee a block room rate.
27
28
The Interstate Natural Gas Association of America (“INGAA”)
(1) consistent with keeping PS-Prep a voluntary program, as directed by
Congress, FEMA should expressly and strongly emphasize that neither
program participation nor the accreditation or certification standards
establish an enforceable duty, a standard of care or any other basis for
imposing civil liability;
(2) entities that are already subject to comprehensive emergency preparedness
regulation under the Pipeline Safety Act, the Chemical Facility Anti-Terrorism
Act, the Marine Transportation Security Act, etc., should be able to obtain
PS-Prep certification solely by documenting their compliance (INGAA added
that FEMA should do this accrediting the regulating agencies and instructing
them to grant certification once an entity demonstrates its compliance with
the emergency preparedness regulations);
(3) entities with PS-Prep certification should be considered pre-qualified for
protection under the Supporting Ant-terrorism by Fostering Effective
Technologies (“SAFETY”) Act of 2002, or their SAFETY Act applications
should at least be accorded priority processing; and
(4) FEMA should examine and address the economic feasibility and cost
considerations associated with approving the proposed PS-Prep standards
and allowing PS-Prep certification through compliance with current
emergency preparedness regulations.
29
30
• Legal
o Common law precedent would substantiate certification as a way to
mitigate potential liability
o Development of statutory guidelines would provide additional legal
motivation to pursue certification
o Some corporations are concerned about possible disincentives
associated with certification (e.g. identification of shortfalls)
o Allowing multiple standards for certification could be legally problematic
o Using a maturity model (levels of preparedness) may make certification
more compelling from a legal perspective
31
International Center for Enterprise Preparedness th
The Legal Working Group On the Voluntary Business Preparedness
Accreditation and Certification Program
Some corporations are concerned about possible disincentives
associated with certification.
o There is a potential disincentive pertaining to undertaking
preparedness certification and the related documentation of
preparedness actions undertaken by a company, especially with respect
to the identification of risks to the company and its current
vulnerabilities.
o Absent some legal privilege such as attorney-client privilege or work product
privilege, documents generated during the certification process could become
discoverable and could be used against the company in any future litigation or
investigations. That scenario functions as a disincentive to undertaking and
documenting preparedness actions.
International Center for Enterprise Preparedness (InterCEP)
New York University Initial Meeting
March 7, 2008
32
Download