SM19 Update: Global Standards in Business Continuity

Presentation to CPM 2009 West
Paul Kirvan, FBCI, CBCP, CISSP
Paul Kirvan Associates
pkirvan@msn.com
Member of the Board, The Business Continuity Institute
Agenda
- Importance of Standards
- Standards and Regulatory Groups
- Domestic BC Standards
- International BC Standards
- Comparison of Standards
- Impact on the Profession
- Summary
Importance of Standards
- Common set of rules and processes
- Common language
- Easier to measure performance
- Easier to audit
- Coordination with federal, state and local authorities
- Consistent worldwide
Standards and Regulatory Groups
- National Institute of Standards and Technology (NIST)
- Federal Emergency Management Agency (FEMA)
- National Fire Protection Association (NFPA)
- National Emergency Management Association (NEMA)
- National Association of Securities Dealers, Inc. (NASD)
- ASIS International
- American National Standards Institute (ANSI)
Standards and Regulatory Groups
- U.S. Department of Homeland Security
- U.S. Department of Commerce
- U.S. Department of Health and Human Services
- Transportation Security Administration
- Federal Reserve System
- Comptroller of the Currency (Dept of Treasury)
- Securities and Exchange Commission (SEC)
- State / Local Governments
Standards and Regulatory Groups
- Emergency Preparedness Canada
- Canadian Standards Association
- British Standards Institution
- SPRING (Singapore)
- Standards Australia / New Zealand
- Ministry of Civil Defence and Emergency Management (NZ)
- International Organization for Standardization (ISO)
- Emergency Preparedness Directorates
- Security Directorates
Domestic BC Standards
- FEMA
  - Report #141 Disaster Planning Guide for Business and Industry – 1987
- NFPA
  - NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs – 2007, 2010
  - http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=1600&cookie%5Ftest=1
Domestic BC Standards
UPDATED !!
- NFPA 1600
  - Reflects 13 program elements identified by FEMA in its Capability Assessment for Readiness (CAR), a self-evaluation tool developed to assess state emergency management programs
  - Endorsed by FEMA, DRII, NEMA, IAEM
  - Latest edition approved by ANSI as an American National Standard on Dec 20, 2006
  - Latest version (2010) in final stages of approval
  - Recommended by the 9/11 Commission as the national preparedness standard
  - Effective for plan development and auditing
Domestic BC Standards
- NFPA 1600
  - Laws and authorities
  - Hazard identification and risk assessment
  - Hazard management (risk assessment, mitigation strategy, etc.)
  - Resource management (performance objectives to include personnel, equipment, training, facilities, funding, expert knowledge, materials)
  - Planning (strategic plan, emergency ops plan, mitigation and recovery plans)
  - Direction, control and coordination (incident management system)
Domestic BC Standards
- NFPA 1600
  - Communications and warning
  - Operations and procedures
  - Logistics and facilities
  - Training
  - Exercise, evaluation and corrective actions
  - Public education and information (including dealing with the media)
  - Finance and administration
Domestic BC Standards
UPDATED !!
- NFPA 1600 – What’s New in the 2010 Edition
  - Introduction of a plan-do-check-act process similar to international standards
  - Increased alignment with risk management, security and loss prevention
  - Increased detail in “what to do” sections
  - Increased focus on “how to” content
Domestic BC Standards
- NIST 800-34
  - Contingency Planning Guide for Information Technology (IT) Systems – 2000
  - Provides recommendations for government IT contingency planning
  - Supersedes FIPS PUB 87
  - Provides guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/
Domestic BC Standards
- NIST 800-30
  - Risk Management Guide for Information Technology Systems – 2002
  - Provides recommendations for incorporating risk management processes into IT planning
  - Addresses issues identified in the Computer Security Act of 1987 and the Information Management Technology Reform Act of 1996
  - Provides information and guidance on the selection of cost-effective security controls
  - Provides very useful guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/
Domestic BC Standards
- NIST 800-84
  - Guide to Test, Training and Exercise Programs for IT Plans and Capabilities – 2006
  - Provides guidance on designing, developing, conducting, and evaluating training activities
  - Applies to all kinds of plans, including IT
  - Provides very useful guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/
Domestic BC Standards
- Continuity of Operations (COOP)
  - Emergency preparedness and contingency planning in the Federal sector
  - Federal Preparedness Circular 65 – 1999, Establish COOP plans for the executive branch
  - Presidential Decision Directive 63 – 1998, Ensure security of national critical infrastructures
  - Presidential Decision Directive 67 – 1998, Develop COOP plans for essential operations
  - Executive Order 12656 – 1998, Each federal department head must ensure continuity of essential functions
  - OMB Circular A-130 – 1993, BC plans in place for critical government systems
Domestic BC Standards
UPDATED !!
- DRII / DRJ Generally Accepted Principles
  - Based on ten core competencies agreed to by DRII and BCI – 2005; latest update 2007
  - In “final stages” of development
  - Provides “how to” in addition to “what to”
  - Includes templates for hot sites, exercises, strategy definition
  - Effective plan development and audit tool
  - www.drj.com/gap
Domestic BC Standards
- Federal Financial Institutions Examination Council (FFIEC) Examination Handbook, Corporate Contingency Planning – 1996, 2003, 2008
  - Provides detailed “what to” for the full range of BC activities
  - Financial focus but relevant to all industries
  - Provides detailed examination procedures that can be used for auditing
  - www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Domestic BC Standards
- ASIS International Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management and Disaster Recovery – 2004
  - Addresses planning, implementation and maintenance issues
  - Provides detailed “what to” for BC activities
  - BC Guidelines Checklist useful for audit purposes
  - http://www.asisonline.org/guidelines/guidelinesbc.pdf
Domestic BC Standards
NEW !!
- ASIS/BSI Joint Standard on Business Continuity – 2009
  - Joint development by ASIS and BSI
  - Initial drafts completed; still in the review process
  - Foundation document: BS 25999:2007
  - Anticipated completion late 2009
  - Addresses planning, implementation and maintenance issues
  - Provides detailed “what to” for BC activities
  - Incorporates a business continuity management system model, similar to other international standards (plan-do-check-act)
  - http://www.asisonline.org
Domestic BC Standards
- NASD Rules 3510 (Clearing Firms) and 3520 (All Firms) – 2004; NYSE Rule 446 – 2003
  - NASD rules approved April 7, 2004; NYSE rule Sept 2003
  - Require members to create and maintain business continuity plans to use following a business disruption
  - Require members to provide NASD with information to be used by NASD in the event of future disruptions
  - Require members to disclose BC activities to their customers
  - http://www.nasd.com/RulesRegulation/IssueCenter/BusinessContinuityPlanning/index.htm
  - http://www.sec.gov/rules/sro/34-48502.htm
Domestic BC Standards
- Other
  - National Credit Union Administration (NCUA) Letter 01-CU-21 Contingency Plan Best Practices
  - ISO 15489 Standard for Records Management
  - ICOR Open for Business Toolkit for small to medium businesses – 2006, www.theicor.org
  - IRM / AIRMIC / ALARM Risk Management Standard – 2002
  - ISO 27001 et al. – Primarily for information security, but they have specific recommendations for business continuity
International BC Standards
- British Standards Institute BS 25999:2006 Part 1
  - Developed from the BCI Good Practice Guidelines and Life Cycle Model
  - Developed by BSI, BCI, and representatives from the private sector
  - Part 1 is the Code of Practice (what to do); Part 2 is the Specification (how to do it)
  - US $178; UK £90
  - http://www.bsi-global.com
International BC Standards
- British Standards Institute BS 25999 Part 1
  [Figure: BS 25999 Part 1 life cycle diagram. Stages: BC Program Management; Understanding Your Organization; BC Solutions; Develop and Implement BC Plans; Exercising, Maintenance & Audit]
International BC Standards
- BS 25999-1 (Code of Practice)
  - Introduction
  - Glossary
  - (What is) Business Continuity Management
  - The BC Management System
  - Understanding Your Organization
  - Determining BC Solutions
  - Implementing a BC Response
  - Developing a BC Culture
  - Exercising, Maintenance and Audit
International BC Standards
- Business Continuity Management System
  - New term for familiar activities
  - Program office
  - Program development
  - Policy development
  - Project management
  - Daily operations
  - Used in international standards
International BC Standards
- BS 25999:2007 – Part 2 (Specification)
  - Expands on what is needed; no “how to”
  - Describes controls
  - Useful from an audit perspective
  - Includes glossary
  - www.bsi-global.com
International BC Standards
- BS 25999 – Part 2 (Specification)
  - “Provides a specification for use by internal and external parties, including certification bodies, to assess the organization’s ability to meet regulatory, customer, and the organization’s own requirements”
  - “Contains only those requirements that can be effectively audited”
  - Uses the Plan-Do-Check-Act operational model for all aspects of the BC process
International BC Standards
  [Figure: BS 25999 – Part 2 Plan-Do-Check-Act cycle. Input: Interested Parties – Business Continuity Requirements and Expectations. Plan: Establish the BCMS. Do: Implement and Operate the BCMS. Check: Monitor and Review the BCMS. Act: Maintain and Improve the BCMS. Output: Interested Parties – Managed Business Continuity]
International BC Standards
Outline
- BS 25999 – Part 2 (Specification)
  - Business Continuity Management Systems
  - Establishing and Managing the BCMS
    - Requirements; Suppliers; BCM Policy; Resources; Training, Awareness and Competency
  - Embedding BCM in the Culture
    - Management and Training
  - BCMS Documentation and Records
    - Document Specs; Records Management
International BC Standards
Outline
- BS 25999 – Part 2 (Specification)
  - Implement and Operate the BCMS
    - Understand the Organization; Risk Assessment; BC Strategy; Developing a BC Response; Plans; Exercising and Maintaining the BCMS
  - Monitor and Review the BCMS
    - Conduct Reviews; Analyze Inputs and Outputs
  - Maintain and Improve the BCMS
    - Continual Improvement; Corrective Action; Preventive Action
International BC Standards
NEW !!
- Canadian Standards Association Z1600: 2008
  - Based on NFPA 1600
  - Addresses emergency response
  - Addresses business continuity and disaster recovery
International BC Standards
- Business Continuity Guidelines, Central Disaster Management Council, Government of Japan – 2005
- Core topics
  - Need for business continuity
  - BC plan content and good practice
  - Plan structure and content
International BC Standards
NEW !!
- SPRING Singapore SS 540:2008 Business Continuity Management
  - Collaboration between the Singapore Business Federation (SBF) and SPRING Singapore
  - Precursor was TR-19
  - New national standard for business continuity management
  - Recommends use of a business continuity management system
  - http://www.thebci.org/singapore.htm
International BC Standards
- Standards Australia / Standards New Zealand BCM Standards – 2004 / 2006
  - HB 221:2004 – Business Continuity Management Handbook
  - HB 292:2006 – A Practitioner’s Guide to BCM
  - HB 293:2006 – Executive Guide to BCM
International BC Standards
- HB 221 Handbook of Business Continuity Management – 2004
  - Part 1 – What is BCM? (Definitions)
  - Part 2 – The BCM Manual (Processes)
  - Consistent with the AS/NZS 4360 Risk Management standard
  - Links RM and BCM !!
  - Supported by DRII
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733762506AT
International BC Standards
- HB 292 A Practitioner’s Guide to BCM – 2006
  - Provides an overview of selected “generally accepted practices” in OZ, UK and US
  - Builds and expands on HB 221:2004
  - Consistent with NFPA 1600, BCI Good Practice Guidelines, Singapore SPRING, and DRII/DRJ GAP
  - Advocates close linkage with risk mgmt
  - Provides excellent templates, checklists
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774725AT
International BC Standards
- HB 293 Executive Guide for BCM – 2006
  - Designed as a senior management guide to BCM
  - Summary and navigational guide to HB 292
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774881AT
International BC Standards
NEW !!
- New AS/NZS Standards on Business Continuity – 2009
  - Replace ANZ 221, 292, 293
  - In process of final revisions
  - AS/NZS 5050.1:200X (probably 2009) – BC management system specification
  - AS/NZS 5050.2:200X – BC management practice standard
  - AS/NZS 5050.3:200X – BC management audit and assurance standard
  - Provide an organizational framework for BC
  - To order: http://www.saiglobal.com/shop/
International BC Standards
- Other Global Standards
  - Hong Kong – Monetary Authority TM-G-2 Standard for BCM
  - Indonesia – 7/25/PBI/2005 Risk Management Certification for Banks
  - Malaysia – The BCM Standard Working Committee of the Standard & Research Institute Malaysia (SIRIM) is developing a proposed standard for Malaysian business entities
  - Pakistan – State Bank of Pakistan published the Risk Management Guidelines for Commercial Banks
  - Thailand – Bank of Thailand Guideline on BCM
Legislation
P.L. 110-53 – Implementing Recommendations of the 9/11 Commission Act of 2007
- Amends the Homeland Security Act of 2002
  - “…by providing information to the private sector regarding voluntary national preparedness standards and the business justification for preparedness and promoting to the private sector the adoption of voluntary national preparedness standards
  - “…promotes voluntary national preparedness standards to the private sector;
  - “…assists the private sector in adopting voluntary national preparedness standards; and
  - “…develops and implements an accreditation and certification program”
P.L. 110-53 – Implementing Recommendations of the 9/11 Commission Act of 2007
- Discussion Points
  - Presence of “business continuity” in legislation
  - Adoption of “voluntary” standards
  - Increased private sector focus
  - Development of “voluntary” accreditation and certification programs for the private sector
  - Certification not mandatory, but…
  - ANAB to be the management group overseeing the certification organizations
  - FEMA has held public meetings to obtain public comment
  - No decision on which standard(s) will be the standard!
International BC Legislation
- UK Civil Contingencies Act
  - Approved as law Nov 18, 2004
  - Part 1 addresses local arrangements for civil protection
  - Part 2 addresses the conditions and scope of necessary emergency powers by the gov’t
  - Category 1 responders – Emergency service agencies
  - Category 2 responders – Private sector firms, e.g., utilities, transportation, healthcare
  - Officially legitimizes BC in the UK
Professional Practices
- Ten Competencies Endorsed by DRII
  1. Project Initiation and Management
  2. Risk Evaluation and Control
  3. Business Impact Analysis
  4. Developing Continuity Strategies
  5. Emergency Response and Operations
  6. Developing and Implementing the BCP
  7. Awareness and Training Programs
  8. Maintaining and Exercising the BCP
  9. Public Relations and Crisis Communication
  10. Coordination with Public Authorities
  www.drii.org
Professional Practices
- Six Competencies Endorsed by BCI
  1. BC Policy and Program Management
  2. Understanding the Organization
     - Risk assessment, threat assessment, vulnerability assessment and BIA
  3. Determining Business Continuity Strategies
  4. Developing and Implementing BCM Response
     - Incident response management, BC plan development, coordination with authorities
  5. Exercising, Maintenance and Review
     - Auditing
  6. Embedding BCM Within the Organization’s Culture
     - Awareness and training
  www.thebci.org
Professional Practices
- Business Continuity Maturity Model TM
  - Objective means of measuring the effectiveness of business continuity implementations
  - Defines the evolutionary path that BC implementations follow as they mature over time, coupled with baseline data on BCM maturity of firms across industry, geography, etc.
  - www.virtual-corp.net
Professional Practices
- FSTC Resiliency Maturity Model (RMM) – 2005
  - Develop a common way for financial institutions and their partners to evaluate themselves
  - Determine how and where investments should be made to improve resilience and meet industry standards
  - Help organizations identify a level of adequate resiliency, attain it and learn to sustain it
  - Provide a continuous improvement process to consistently drive down cost and improve efficiency
  - http://www.fstc.org/advisory/business_continuity.php
Professional Practices
- BCI Good Practice Guidelines – 2008, 2010
  - Foundation for BC standards in the UK
  - Supports BS 25999 Parts 1 and 2
  - Defines the BCM life cycle
  - Supports existing standards, e.g., NFPA 1600
  - Details process, or “how to” activities
  - http://www.thebci.org/gpg.htm
Professional Practices
- BC Life Cycle – BCI Good Practice Guidelines (www.thebci.org)
  [Figure: BCI life cycle diagram. Chapter 1 – Program management; Chapter 2 – Understand the business; Chapter 3 – Define BC strategies; Chapter 4 – Develop and implement BC responses; Chapter 5 – Exercising, maintaining and reviewing plans; Chapter 6 – Embed BC into company culture]
Comparison of Standards
- Points for Comparison
  - What to do versus how to do it (should vs. shall)
  - Support for competencies of BCI/DRII
  - Support for other disciplines beside BC, e.g., emergency response, risk management, security
  - Advancing the profession
  - Potential for recognition as a global standard
Comparison of Standards
  [Table: yes/no matrix comparing NFPA 1600, BS 25999-1, DRII GAP, ASIS, FFIEC, BS 25999-2 and NIST 800-34 against six criteria: What to do (should); How to do it (shall); Support for competencies of BCI/DRII; Support for other disciplines beside BC, e.g., emergency response, risk management, security; Advancing the profession; Potential for recognition as global standard. The individual cell values are not legible in this extraction.]
Comparison of Standards
Is there a single universally accepted standard for business continuity?
Not yet…
Impact on the Profession
There is a lot of interest in BC, and it’s growing.
But…
- There are too many “standards”
- There are too many “good/better/best practices”
- There are too many “models”
- There are too many biases and personal agendas
- There are too many special interests
What’s the End Game?
Impact on the Profession
- Our profession needs
  - A global standard = a legitimate profession
  - Real legislation
  - Standardized terminology, e.g., continuity, resilience, recovery, contingency, ad nauseam
  - Recognition in the academic community
  - Recognition everywhere else
  - Leadership
- So we can
  - Get on with the profession of business continuity
Summary
- Continued development of BC standards and practices, domestic and worldwide
- New legislation advocates the role of BC
- Continuing emphasis on homeland security and emergency management legislation and regulations
- Growing focus on information security, cyber security and data protection issues
- Growing academic community, public and private sector participation

Thank you…
Paul Kirvan, FBCI, CBCP, CISSP
Paul Kirvan Associates
pkirvan@msn.com
+1 908-902-1545