SM19 Update: Global Standards in Business Continuity
Presentation to CPM 2009 West

Paul Kirvan, FBCI, CBCP, CISSP, Paul Kirvan Associates. Member of the Board, The Business Continuity Institute.

Agenda

- Importance of Standards
- Standards and Regulatory Groups
- Domestic BC Standards
- International BC Standards
- Comparison of Standards
- Impact on the Profession
- Summary

Importance of Standards

- Common set of rules, processes
- Common language
- Easier to measure performance
- Easier to audit
- Coordination with federal, state and local authorities
- Consistent worldwide

Standards and Regulatory Groups

- National Institute of Standards and Technology (NIST)
- Federal Emergency Management Agency (FEMA)
- National Fire Protection Association (NFPA)
- National Emergency Management Association (NEMA)
- National Association of Securities Dealers, Inc. (NASD)
- ASIS International
- American National Standards Institute (ANSI)

- U.S. Department of Homeland Security
- U.S. Department of Commerce
- U.S. Department of Health and Human Services
- Transportation Security Administration
- Federal Reserve System
- Comptroller of the Currency (Dept of Treasury)
- Securities and Exchange Commission (SEC)
- State / Local Governments

- Emergency Preparedness Canada
- Canadian Standards Association
- British Standards Institution
- SPRING (Singapore)
- Standards Australia / New Zealand
- Ministry of Civil Defence and Emergency Management (NZ)
- International Organization for Standardization (ISO)
- Emergency Preparedness Directorates
- Security Directorates

Domestic BC Standards

- FEMA
  - Report #141, Disaster Planning Guide for Business and Industry – 1987
- NFPA
  - NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs – 2007, 2010
  - http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=1600&cookie%5Ftest=1

- NFPA 1600 (updated)
  - Reflects the 13 program elements identified by FEMA in its Capability Assessment for Readiness (CAR), a self-evaluation tool developed to assess state emergency management programs
  - Endorsed by FEMA, DRII, NEMA, IAEM
  - Latest edition approved as an American National Standard by ANSI on Dec 20, 2006
  - Latest version (2010) in final stages of approval
  - Recommended by the 9/11 Commission as the national preparedness standard
  - Effective for plan development and auditing

- NFPA 1600 program elements
  - Laws and authorities
  - Hazard identification and risk assessment
  - Hazard management (risk assessment, mitigation strategy, etc.)
  - Resource management (performance objectives to include personnel, equipment, training, facilities, funding, expert knowledge, materials)
  - Planning (strategic plan, emergency operations plan, mitigation and recovery plans)
  - Direction, control and coordination (incident management system)
  - Communications and warning
  - Operations and procedures
  - Logistics and facilities
  - Training
  - Exercise, evaluation and corrective actions
  - Public education and information (including dealing with the media)
  - Finance and administration

- NFPA 1600 – What’s New in the 2010 Edition (updated)
  - Introduction of a plan-do-check-act process similar to international standards
  - Increased alignment with risk management, security and loss prevention
  - Increased detail in “what to do” sections
  - Increased focus on “how to” content

- NIST SP 800-34 – Contingency Planning Guide for Information Technology (IT) Systems – 2002
  - Provides recommendations for government IT contingency planning
  - Supersedes FIPS PUB 87
  - Provides guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/

- NIST SP 800-30 – Risk Management Guide for Information Technology Systems – 2002
  - Provides recommendations for incorporating risk management processes into IT planning
  - Addresses issues identified in the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996
  - Provides information and guidance on the selection of cost-effective security controls
  - Provides very useful guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/

- NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities – 2006
  - Provides guidance on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) activities
  - Applies to all kinds of plans, including IT
  - Provides very useful guidelines, checklists, tools
  - http://csrc.nist.gov/publications/nistpubs/

- Continuity of Operations (COOP) – emergency preparedness and contingency planning in the Federal sector
  - Federal Preparedness Circular 65 – 1999, establish COOP plans for the executive branch
  - Presidential Decision Directive 63 – 1998, ensure security of national critical infrastructures
  - Presidential Decision Directive 67 – 1998, develop COOP plans for essential operations
  - Executive Order 12656 – 1988, each federal department head must ensure continuity of essential functions
  - OMB Circular A-130 – 1993, BC plans in place for critical government systems

- DRII / DRJ Generally Accepted Practices (GAP) (updated)
  - Based on the ten core competencies agreed to by DRII and BCI – 2005; latest update 2007
  - In “final stages” of development
  - Provides “how to” in addition to “what to”
  - Includes templates for hot sites, exercises, strategy definition
  - Effective plan development and audit tool
  - www.drj.com/gap

- Federal Financial Institutions Examination Council (FFIEC) Examination Handbook, Corporate Contingency Planning (now the Business Continuity Planning booklet) – 1996, 2003, 2008
  - Provides detailed “what to” for the full range of BC activities
  - Financial focus but relevant to all industries
  - Provides detailed examination procedures that can be used for auditing
  - www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

- ASIS International Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management and Disaster Recovery – 2004
  - Addresses planning, implementation and maintenance issues
  - Provides detailed “what to” for BC activities
  - BC Guidelines Checklist useful for audit purposes
  - http://www.asisonline.org/guidelines/guidelinesbc.pdf

- ASIS/BSI Joint Standard on Business Continuity – 2009 (new)
  - Joint development by ASIS and BSI
  - Initial drafts completed; still in review process
  - Foundation document: BS 25999:2007
  - Anticipated completion late 2009
  - Addresses planning, implementation and maintenance issues
  - Provides detailed “what to” for BC activities
  - Incorporates a business continuity management system model, similar to other international standards (plan-do-check-act)
  - http://www.asisonline.org

- NASD Rules 3510 (Clearing Firms) and 3520 (All Firms) – 2004; NYSE Rule 446 – 2003
  - NASD rules approved April 7, 2004; NYSE rule approved September 2003
  - Require members to create and maintain business continuity plans for use following a business disruption
  - Require members to provide NASD with emergency contact information for use in the event of future disruptions
  - Require members to disclose their BC arrangements to their customers
  - http://www.nasd.com/RulesRegulation/IssueCenter/BusinessContinuityPlanning/index.htm
  - http://www.sec.gov/rules/sro/34-48502.htm

- Other
  - National Credit Union Administration (NCUA) Letter 01-CU-21, Contingency Plan Best Practices
  - ISO 15489, Standard for Records Management
  - ICOR Open for Business Toolkit for small to medium businesses – 2006, www.theicor.org
  - IRM / AIRMIC / ALARM Risk Management Standard – 2002
  - ISO 27001 et al. – primarily for information security, but with specific controls for business continuity management

International BC Standards

- British Standards Institution BS 25999-1:2006 (Part 1)
  - Developed from the BCI Good Practice Guidelines and Life Cycle Model
  - Developed by BSI, BCI, and representatives from the private sector
  - Part 1 is the Code of Practice (guidance, “should”); Part 2 is the Specification (auditable requirements, “shall”)
  - US $178; UK £90
  - http://www.bsi-global.com

- BS 25999 Part 1 life cycle (figure): BC Program Management at the centre, surrounded by Understanding Your Organization; Determining BC Solutions; Developing and Implementing BC Plans; Exercising, Maintenance and Audit

- BS 25999-1 (Code of Practice) contents
  - Introduction
  - Glossary
  - (What is) Business Continuity Management
  - The BC Management System
  - Understanding Your Organization
  - Determining BC Solutions
  - Implementing a BC Response
  - Developing a BC Culture
  - Exercising, Maintenance and Audit

- Business Continuity Management System (BCMS)
  - New term for familiar activities: program office, program development, policy development, project management, daily operations
  - Used in international standards

- BS 25999-2:2007 (Part 2, Specification)
  - Expands on what is needed; no “how to”
  - Describes controls
  - Useful from an audit perspective
  - Includes glossary
  - “Provides a specification for use by internal and external parties, including certification bodies, to assess the organization’s ability to meet regulatory, customer, and the organization’s own requirements”
  - “Contains only those requirements that can be effectively audited”
  - Uses the Plan-Do-Check-Act operational model for all aspects of the BC process
  - www.bsi-global.com

- BS 25999-2 PDCA model (figure): interested parties’ business continuity requirements and expectations feed the cycle; Plan – establish the BCMS; Do – implement and operate the BCMS; Check – monitor and review the BCMS; Act – maintain and improve the BCMS; the output to interested parties is managed business continuity

- BS 25999-2 (Specification) outline
  - Business Continuity Management Systems
  - Establishing and Managing the BCMS: requirements; suppliers; BCM policy; resources; training, awareness and competency
  - Embedding BCM in the Culture: management and training
  - BCMS Documentation and Records: document specifications; records management
  - Implement and Operate the BCMS: understand the organization; risk assessment; BC strategy; developing a BC response; plans; exercising and maintaining the BCMS
  - Monitor and Review the BCMS: conduct reviews; analyze inputs and outputs
  - Maintain and Improve the BCMS: continual improvement; corrective action; preventive action

- Canadian Standards Association Z1600:2008 (new)
  - Based on NFPA 1600
  - Addresses emergency response
  - Addresses business continuity and disaster recovery

- Business Continuity Guidelines, Central Disaster Management Council, Government of Japan – 2005
  - Core topics: need for business continuity; BC plan content and good practice; plan structure and content

- SPRING Singapore SS 540:2008 Business Continuity Management (new)
  - Collaboration between the Singapore Business Federation (SBF) and SPRING Singapore
  - Precursor was TR-19
  - New national standard for business continuity management
  - Recommends use of a business continuity management system
  - http://www.thebci.org/singapore.htm

- Standards Australia / Standards New Zealand BCM Standards – 2004 / 2006
  - HB 221:2004 – Business Continuity Management Handbook
  - HB 292:2006 – A Practitioner’s Guide to BCM
  - HB 293:2006 – Executive Guide to BCM

- HB 221 Handbook of Business Continuity Management – 2004
  - Part 1 – What is BCM? (definitions)
  - Part 2 – The BCM Manual (processes)
  - Consistent with the AS/NZS 4360 Risk Management standard
  - Links risk management and BCM
  - Supported by DRII
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733762506AT

- HB 292 A Practitioner’s Guide to BCM – 2006
  - Provides an overview of selected “generally accepted practices” in Australia, the UK and the US
  - Builds and expands on HB 221:2004
  - Consistent with NFPA 1600, BCI Good Practice Guidelines, Singapore SPRING, and DRII/DRJ GAP
  - Advocates close linkage with risk management
  - Provides excellent templates, checklists
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774725AT

- HB 293 Executive Guide for BCM – 2006
  - Designed as a senior management guide to BCM
  - Summary and navigational guide to HB 292
  - To order: http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733774881AT

- New AS/NZS Standards on Business Continuity – 2009 (new)
  - Replace HB 221, HB 292 and HB 293
  - In process of final revisions
  - AS/NZS 5050.1:200X (probably 2009) – BC management system specification
  - AS/NZS 5050.2:200X – BC management practice standard
  - AS/NZS 5050.3:200X – BC management audit and assurance standard
  - Provide an organizational framework for BC
  - To order: http://www.saiglobal.com/shop/

- Other Global Standards
  - Hong Kong – Monetary Authority TM-G-2 Standard for BCM
  - Indonesia – 7/25/PBI/2005 Risk Management Certification for Banks
  - Malaysia – the BCM Standard Working Committee of the Standards and Industrial Research Institute of Malaysia (SIRIM) is developing a proposed standard for Malaysian business entities
  - Pakistan – State Bank of Pakistan published the Risk Management Guidelines for Commercial Banks
  - Thailand – Bank of Thailand Guideline on BCM

Legislation

- P.L. 110-53 – Implementing Recommendations of the 9/11 Commission Act of 2007
  - Amends the Homeland Security Act of 2002:
    - “…by providing information to the private sector regarding voluntary national preparedness standards and the business justification for preparedness and promoting to the private sector the adoption of voluntary national preparedness standards”
    - “…promotes voluntary national preparedness standards to the private sector;”
    - “…assists the private sector in adopting voluntary national preparedness standards; and”
    - “…develops and implements an accreditation and certification program”

- P.L. 110-53 – Discussion Points
  - Presence of “business continuity” in legislation
  - Adoption of “voluntary” standards
  - Increased private sector focus
  - Development of “voluntary” accreditation and certification programs for the private sector
  - Certification not mandatory, but…
  - ANAB to be the management group overseeing the certification organizations
  - FEMA has held public meetings to obtain public comment
  - No decision yet on which standard(s) will be the standard!

International BC Legislation

- UK Civil Contingencies Act
  - Received Royal Assent Nov 18, 2004
  - Part 1 addresses local arrangements for civil protection
  - Part 2 addresses the conditions for, and scope of, emergency powers for the government
  - Category 1 responders – core responders, e.g., emergency services, local authorities, NHS bodies
  - Category 2 responders – cooperating bodies, e.g., utilities and transport operators
  - Officially legitimizes BC in the UK

Professional Practices

- Ten Competencies Endorsed by DRII (www.drii.org)
  1. Project Initiation and Management
  2. Risk Evaluation and Control
  3. Business Impact Analysis
  4. Developing Continuity Strategies
  5. Emergency Response and Operations
  6. Developing and Implementing the BCP
  7. Awareness and Training Programs
  8. Maintaining and Exercising the BCP
  9. Public Relations and Crisis Communication
  10. Coordination with Public Authorities

- Six Competencies Endorsed by BCI (www.thebci.org)
  1. BC Policy and Program Management
  2. Understanding the Organization (risk assessment, threat assessment, vulnerability assessment and BIA)
  3. Determining Business Continuity Strategies
  4. Developing and Implementing BCM Response (incident response management, BC plan development, coordination with authorities)
  5. Exercising, Maintenance and Review (auditing)
  6. Embedding BCM Within the Organization’s Culture (awareness and training)

- Business Continuity Maturity Model (TM) (www.virtual-corp.net)
  - Objective means of measuring the effectiveness of business continuity implementations
  - Defines the evolutionary path that BC implementations follow as they mature over time, coupled with baseline data on the BCM maturity of firms across industry, geography, etc.

- FSTC Resiliency Maturity Model (RMM) – 2005 (http://www.fstc.org/advisory/business_continuity.php)
  - Develops a common way for financial institutions and their partners to evaluate themselves
  - Determines how and where investments should be made to improve resilience and meet industry standards
  - Helps organizations identify a level of adequate resiliency, attain it and learn to sustain it
  - Provides a continuous improvement process to drive down cost and improve efficiency consistently

- BCI Good Practice Guidelines – 2008, 2010 (http://www.thebci.org/gpg.htm)
  - Foundation for BC standards in the UK
  - Supports BS 25999 Parts 1 and 2
  - Defines the BCM life cycle
  - Supports existing standards, e.g., NFPA 1600
  - Details process, or “how to” activities

- BC Life Cycle, BCI Good Practice Guidelines (figure, www.thebci.org)
  - Chapter 1 – Program management
  - Chapter 2 – Understand the business
  - Chapter 3 – Define BC strategies
  - Chapter 4 – Develop and implement BC responses
  - Chapter 5 – Exercising, maintaining and reviewing plans
  - Chapter 6 – Embed BC into company culture

Comparison of Standards

- Points for Comparison
  - What to do versus how to do it (should vs. shall)
  - Support for the competencies of BCI/DRII
  - Support for other disciplines beside BC, e.g., emergency response, risk management, security
  - Advancing the profession
  - Potential for recognition as a global standard

- Comparison table (figure)
  - Standards compared: NIST 800-34, BS 25999-2, FFIEC, ASIS, DRII GAP, BS 25999-1, NFPA 1600
  - Criteria: how to do it (shall); what to do (should); support for competencies of BCI/DRII; support for other disciplines beside BC, e.g., emergency response, risk management, security; advancing the profession; potential for recognition as a global standard
  - Cell ratings (y/n) not legible in this copy

Is there a single universally accepted standard for business continuity? Not yet…

Impact on the Profession

There is a lot of interest in BC, and it’s growing. But…

- There are too many “standards”
- There are too many “good/better/best practices”
- There are too many “models”
- There are too many biases, personal agendas
- There are too many special interests

What’s the End Game?

- Our profession needs
  - A global standard = a legitimate profession
  - Real legislation
  - Standardized terminology, e.g., continuity, resilience, recovery, contingency, ad nauseam
  - Recognition in the academic community
  - Recognition everywhere else
  - Leadership
- So we can get on with the profession of business continuity

Summary

- Continued development of BC standards and practices, domestic and worldwide
- New legislation advocates the role of BC
- Continuing emphasis on homeland security and emergency management legislation and regulations
- Growing focus on information security, cyber security and data protection issues
- Growing academic community, public and private sector participation

Thank you…

Paul Kirvan, FBCI, CBCP, CISSP, Paul Kirvan Associates, +1 908-902-1545