SM19 Update: Global Standards in Business Continuity Presentation to CPM 2009 West
Paul Kirvan, FBCI, CBCP, CISSP
Paul Kirvan Associates
[email protected]
Member of the Board, The Business Continuity Institute
Agenda
- Importance of Standards
- Standards and Regulatory Groups
- Domestic BC Standards
- International BC Standards
- Comparison of Standards
- Impact on the Profession
- Summary
Importance of Standards
- Common set of rules, processes
- Common language
- Easier to measure performance
- Easier to audit
- Coordination with federal, state and local authorities
- Consistent worldwide
Standards and Regulatory Groups
- National Institute of Standards and Technology (NIST)
- Federal Emergency Management Agency (FEMA)
- National Fire Protection Association (NFPA)
- National Emergency Management Association (NEMA)
- National Association of Securities Dealers, Inc. (NASD)
- ASIS International
- American National Standards Institute (ANSI)
- U.S. Department of Homeland Security
- U.S. Department of Commerce
- U.S. Department of Health and Human Services
- Transportation Security Administration
- Federal Reserve System
- Comptroller of the Currency (Dept of Treasury)
- Securities and Exchange Commission (SEC)
- State / Local Governments
- Emergency Preparedness Canada
- Canadian Standards Association
- British Standards Institution
- SPRING (Singapore)
- Standards Australia / New Zealand
- Ministry of Civil Defence and Emergency Management (NZ)
- International Organization for Standardization (ISO)
- Emergency Preparedness Directorates
- Security Directorates
Domestic BC Standards
FEMA
- Report #141 Disaster Planning Guide for Business and Industry – 1987
NFPA
- NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs – 2007, 2010
- http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=1600&cookie%5Ftest=1
UPDATED !!
NFPA 1600
- Reflects 13 program elements identified by FEMA in its Capability Assessment for Readiness (CAR), a self-evaluation tool developed to assess state emergency management programs
- Endorsed by FEMA, DRII, NEMA, IAEM
- Latest edition approved as American National Standard on Dec 20, 2006 by ANSI
- Latest version (2010) in final stages of approval
- Recommended by 9/11 Commission as national preparedness standard
- Effective for plan development and auditing
NFPA 1600 – Program elements
- Laws and authorities
- Hazard identification and risk assessment
- Hazard management (risk assessment, mitigation strategy, etc.)
- Resource management (performance objectives to include personnel, equipment, training, facilities, funding, expert knowledge, materials)
- Planning (strategic plan, emergency ops plan, mitigation and recovery plans)
- Direction, control and coordination (incident management system)
- Communications and warning
- Operations and procedures
- Logistics and facilities
- Training
- Exercise, evaluation and corrective actions
- Public education and information (including dealing with the media)
- Finance and administration
UPDATED !!
NFPA 1600 – What’s New in 2010 Edition
- Introduction of a plan-do-check-act process similar to international standards
- Increased alignment with risk management, security and loss prevention
- Increased detail in “what to do” sections
- Increased focus on “how to” content
NIST 800-34 – Contingency Planning Guide for Information Technology (IT) Systems – 2000
- Provides recommendations for government IT contingency planning
- Supersedes FIPS PUB 87
- Provides guidelines, checklists, tools
- http://csrc.nist.gov/publications/nistpubs/
NIST 800-30 – Risk Management Guide for Information Technology Systems – 2002
- Provides recommendations for incorporating risk management processes into IT planning
- Addresses issues identified in Computer Security Act of 1987 and Information Management Technology Reform Act of 1996
- Provides information and guidance on the selection of cost-effective security controls
- Provides very useful guidelines, checklists, tools
- http://csrc.nist.gov/publications/nistpubs/
NIST 800-84 – Guide to Test, Training and Exercise Programs for IT Plans and Capabilities – 2006
- Provides guidance on designing, developing, conducting, and evaluating training activities
- Applies to all kinds of plans, including IT
- Provides very useful guidelines, checklists, tools
- http://csrc.nist.gov/publications/nistpubs/
Continuity of Operations (COOP)
- Emergency preparedness and contingency planning in the Federal sector
- Federal Preparedness Circular 65 – 1999, Establish COOP plans for executive branch
- Presidential Decision Directive 63 – 1998, Ensure security of national critical infrastructures
- Presidential Decision Directive 67 – 1998, Develop COOP plans for essential operations
- Executive Order 12656 – 1998, Each federal department head must ensure continuity of essential functions
- OMB Circular A-130 – 1993, BC plans in place for critical government systems
UPDATED !!
DRII / DRJ Generally Accepted Principles
- Based on ten core competencies agreed to by DRII and BCI – 2005; latest update 2007
- In “final stages” of development
- Provides “how to” in addition to “what to”
- Includes templates for hot sites, exercises, strategy definition
- Effective plan development and audit tool
- www.drj.com/gap
Federal Financial Institutions Examination Council (FFIEC) Examination Handbook, Corporate Contingency Planning – 1996, 2003, 2008
- Provides detailed “what to” for full range of BC activities
- Financial focus but relevant to all industries
- Provides detailed examination procedures that can be used for auditing
- www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
ASIS International Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management and Disaster Recovery – 2004
- Addresses planning, implementation and maintenance issues
- Provides detailed “what to” for BC activities
- BC Guidelines Checklist useful for audit purposes
- http://www.asisonline.org/guidelines/guidelinesbc.pdf
NEW !!
ASIS/BSI Joint Standard on Business Continuity – 2009
- Joint development with ASIS and BSI
- Initial drafts completed; still in review process
- Foundation document BS 25999:2007
- Anticipated completion late 2009
- Addresses planning, implementation and maintenance issues
- Provides detailed “what to” for BC activities
- Incorporates business continuity management system model, similar to other international standards (plan-do-check-act)
- http://www.asisonline.org
NASD Rules 3510 (Clearing Firms) and 3520 (All Firms) – 2004; NYSE Rule 446 – 2003
- NASD rules approved April 7, 2004; NYSE Sept 2003
- Require members to create and maintain business continuity plans to use following a business disruption
- Require members to provide NASD with information to be used by NASD in the event of future disruptions
- Require members to disclose BC activities to their customers
- http://www.nasd.com/RulesRegulation/IssueCenter/BusinessContinuityPlanning/index.htm
- http://www.sec.gov/rules/sro/34-48502.htm
Other
- National Credit Union Administration (NCUA) Letter 01-CU-21 Contingency Plan Best Practices
- ISO 15489 Standard for Records Management
- ICOR Open for Business Toolkit for small to medium businesses – 2006, www.theicor.org
- IRM / AIRMIC / ALARM Risk Management Standard – 2002
- ISO 27001 et al. – Primarily for information security, but these standards include specific recommendations for business continuity
International BC Standards
British Standards Institute BS 25999:2006 Part 1
- Developed from BCI Good Practice Guidelines and Life Cycle Model
- Developed by BSI, BCI, and representatives from private sector
- Part 1 is Code of Practice (what to do); Part 2 is Specifications (how to do it)
- US $178; UK £90
- http://www.bsi-global.com
British Standards Institute BS 25999 Part 1 – life cycle (figure)
- Understanding Your Organization
- BC Solutions
- Develop and Implement BC Plans
- Exercising, BC Program Maintenance, Management & Audit
BS 25999-1 (Code of Practice)
- Introduction
- Glossary
- (What is) Business Continuity Management
- The BC Management System
- Understanding Your Organization
- Determining BC Solutions
- Implementing a BC Response
- Developing a BC Culture
- Exercising, Maintenance and Audit
Business Continuity Management System
- New term for familiar activities
- Program office
- Program development
- Policy development
- Project management
- Daily operations
- Used in international standards
BS 25999:2007 – Part 2 (Specification)
- Expands on what is needed; no “how to”
- Describes controls
- Useful from audit perspective
- Includes glossary
- www.bsi-global.com
BS 25999 – Part 2 (Specification)
- “Provides a specification for use by internal and external parties, including certification bodies, to assess the organization’s ability to meet regulatory, customer, and the organization’s own requirements”
- “Contains only those requirements that can be effectively audited”
- Uses the Plan-Do-Check-Act operational model for all aspects of the BC process
BS 25999 – Part 2 BCMS model (figure): interested parties’ business continuity requirements and expectations feed a Plan-Do-Check-Act cycle, whose output is managed business continuity for the interested parties.
- Plan: Establish the BCMS
- Do: Implement and Operate the BCMS
- Check: Monitor and Review the BCMS
- Act: Maintain and Improve the BCMS
BS 25999 – Part 2 (Specification) – Outline
- Business Continuity Management Systems
- Establishing and Managing the BCMS: Requirements; Suppliers; BCM Policy; Resources; Training, Awareness and Competency
- Embedding BCM in the Culture: Management and Training
- BCMS Documentation and Records: Document Specs; Records Management
- Implement and Operate the BCMS: Understand the Organization; Risk Assessment; BC Strategy; Developing a BC Response; Plans; Exercising and Maintaining BCMS
- Monitor and Review the BCMS: Conduct Reviews; Analyze Inputs and Outputs
- Maintain and Improve the BCMS: Continual Improvement; Corrective Action; Preventive Action
NEW !!
Canadian Standards Association Z1600:2008
- Based on NFPA 1600
- Addresses emergency response
- Addresses business continuity and disaster recovery
Business Continuity Guidelines, Central Disaster Management Council, Government of Japan – 2005
Core topics
- Need for business continuity
- BC plan content and good practice
- Plan structure and content
NEW !!
SPRING Singapore SS 540:2008 Business Continuity Management
- Collaboration between Singapore Business Federation (SBF) and SPRING Singapore
- Precursor was TR-19
- New national standard for business continuity management
- Recommends use of business continuity management system
- http://www.thebci.org/singapore.htm
Standards Australia / Standards New Zealand BCM Standards – 2004 / 2006
- HB 221:2004 – Business Continuity Management Handbook
- HB 292:2006 – A Practitioner’s Guide to BCM
- HB 293:2006 – Executive Guide to BCM
HB 221 Handbook of Business Continuity Management – 2004
- Part 1 – What is BCM? (Definitions)
- Part 2 – The BCM Manual (Processes)
- Consistent with AS/NZS 4360 Risk Management standard
- Links RM and BCM !!
- Supported by DRII
To Order… http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733762506AT
HB 292 A Practitioner’s Guide to BCM – 2006
- Provides overview of selected “generally accepted practices” in OZ, UK and US
- Builds and expands on HB 221:2004
- Consistent with NFPA 1600, BCI Good Practice Guidelines, Singapore SPRING, and DRII/DRJ GAP
- Advocates close linkage with risk mgmt
- Provides excellent templates, checklists
To Order… http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774725AT
HB 293 Executive Guide for BCM – 2006
- Designed as a senior management guide to BCM
- Summary and navigational guide to HB 292
To Order… http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774881AT
NEW !!
New AS/NZS Standards on Business Continuity – 2009
- Replace ANZ 221, 292, 293
- In process of final revisions
- AS/NZS 5050.1:200X (probably 2009) – BC management system specification
- AS/NZS 5050.2:200X – BC management practice standard
- AS/NZS 5050.3:200X – BC management audit and assurance standard
- Provide an organizational framework for BC
To Order… http://www.saiglobal.com/shop/
Other Global Standards
- Hong Kong – Monetary Authority TM-G-2 Standard for BCM
- Indonesia – 7/25/PBI/2005 Risk Management Certification for Banks
- Malaysia – The BCM Standard Working Committee of the Standard & Research Institute Malaysia (SIRIM) is developing a proposed standard for Malaysian business entities
- Pakistan – State Bank of Pakistan published the Risk Management Guidelines for Commercial Banks
- Thailand – Bank of Thailand Guideline on BCM
Legislation
P.L. 110-53 – Implementing Recommendations of the 9/11 Commission Act of 2007
Amends the Homeland Security Act of 2002
- “…by providing information to the private sector regarding voluntary national preparedness standards and the business justification for preparedness and promoting to the private sector the adoption of voluntary national preparedness standards
- “…promotes voluntary national preparedness standards to the private sector;
- “…assists the private sector in adopting voluntary national preparedness standards; and
- “…develops and implements an accreditation and certification program”
P.L. 110-53 – Implementing Recommendations of the 9/11 Commission Act of 2007
Discussion Points
- Presence of “business continuity” in legislation
- Adoption of “voluntary” standards
- Increased private sector focus
- Development of “voluntary” accreditation and certification programs for private sector
- Certification not mandatory, but…
- ANAB to be management group to oversee the certification organizations
- FEMA has held public meetings to obtain public comment
- No decision on which standard(s) will be the standard!
International BC Legislation
UK Civil Contingencies Act
- Approved as law Nov 18, 2004
- Part 1 addresses local arrangements for civil protection
- Part 2 addresses conditions and scope of necessary emergency powers by the gov’t
- Category 1 responders – Emergency service agencies
- Category 2 responders – Private sector firms, e.g., utilities, transportation, healthcare
- Officially legitimizes BC in the UK
Professional Practices
Ten Competencies Endorsed by DRII
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing the BCP
7. Awareness and Training Programs
8. Maintaining and Exercising the BCP
9. Public Relations and Crisis Communication
10. Coordination with Public Authorities
www.drii.org
Six Competencies Endorsed by BCI
1. BC Policy and Program Management
2. Understanding the Organization
   • Risk assessment, threat assessment, vulnerability assessment and BIA
3. Determining Business Continuity Strategies
4. Developing and Implementing BCM Response
   • Incident response management, BC plan development, coordination with authorities
5. Exercising, Maintenance and Review
   • Auditing
6. Embedding BCM Within the Organization’s Culture
   • Awareness and training
www.thebci.org
Business Continuity Maturity Model™
- Objective means of measuring effectiveness of business continuity implementations
- Defines evolutionary path that BC implementations follow as they mature over time
- Coupled with baseline data on BCM maturity of firms across industry, geography, etc.
- www.virtual-corp.net
FSTC Resiliency Maturity Model (RMM) – 2005
- Develop a common way for financial institutions and their partners to evaluate themselves
- Determine how and where investments should be made to improve resilience and meet industry standards
- Help organizations identify a level of adequate resiliency, attain it and learn to sustain it
- Provide a continuous improvement process to drive down cost and improve efficiency consistently
- http://www.fstc.org/advisory/business_continuity.php
BCI Good Practice Guidelines – 2008, 2010
- Foundation for BC standards in UK
- Supports BS 25999 Parts 1 and 2
- Defines BCM life cycle
- Supports existing standards, e.g., NFPA 1600
- Details process, or “how to” activities
- http://www.thebci.org/gpg.htm
BC Life Cycle – BCI Good Practice Guidelines (figure; www.thebci.org)
- Chapter 1 – Program management
- Chapter 2 – Understand the business
- Chapter 3 – Define BC strategies
- Chapter 4 – Develop and implement BC responses
- Chapter 5 – Exercising, maintaining and reviewing plans
- Chapter 6 – Embed BC into company culture
Comparison of Standards
Points for Comparison
- What to do versus how to do it (should vs. shall)
- Support for competencies of BCI/DRII
- Support for other disciplines beside BC, e.g., emergency response, risk management, security
- Advancing the profession
- Potential for recognition as global standard
Comparison matrix (table): NFPA 1600, BS 25999-1, DRII GAP, ASIS, FFIEC, BS 25999-2 and NIST 800-34, each rated yes/no against six criteria: what to do (should); how to do it (shall); support for competencies of BCI/DRII; support for other disciplines beside BC, e.g., emergency response, risk management, security; advancing the profession; potential for recognition as global standard.
Is there a single universally accepted standard for business continuity?
Not yet…
Impact on the Profession
There is a lot of interest in BC, and it’s growing. But…
- There are too many “standards”
- There are too many “good/better/best practices”
- There are too many “models”
- There are too many biases, personal agendas
- There are too many special interests
What’s the End Game?
Our profession needs
- Global standard = legitimate profession
- Real legislation
- Standardized terminology, e.g., continuity, resilience, recovery, contingency, ad nauseam
- Recognition in the academic community
- Recognition everywhere else
- Leadership
So we can
- Get on with the profession of business continuity
Summary
- Continued development of BC standards and practices, domestic and worldwide
- New legislation advocates role of BC
- Continuing emphasis on homeland security and emergency management legislation, regulations
- Growing focus on information security, cyber security, data protection issues
- Growing academic community, public and private sector participation
Thank you…
Paul Kirvan, FBCI, CBCP, CISSP
Paul Kirvan Associates
[email protected]
+1 908-902-1545