About This Presentation

Title: Examining the Regulatory Landscape

Description: Examining the Regulatory Landscape, NEDRIX Annual Conference, October 20, 2009. Al Berman, DRI International.

Slides: 57
Provided by: AlanB46
Learn more at: http://www.nedrix.com

Transcript and Presenter's Notes
1
Examining the Regulatory Landscape
NEDRIX Annual Conference October 20, 2009
  • Al Berman
  • DRI International

2
DRI International: Who Are We?
  • A Non-Profit Organization Committed to
  • Promoting a base of common knowledge for the
    continuity management industry
  • Certifying qualified individuals in the
    discipline of Business Continuity
  • Promoting the credibility and professionalism of
    certified individuals
  • Celebrating our Twentieth Anniversary in 2008.
  • The Industry's Premier Education and
    Certification Body

3
DRI International: Who Are We?
  • DRII has Certified INDIVIDUALS in over 90
    Countries.
  • DRII conducts training courses in over 40
    countries.
  • More individuals choose to maintain their
    certification through us than all other
    organizations in our industry combined (Over
    7,500 active individuals as of 2008)
  • DRII Certifies individuals in English, Spanish,
    French, Japanese, Mandarin (expanding to
    Portuguese and Russian this year, Italian and
    Korean early next year)

4

Pre-9/11 (1991 - 2001):
  • Consumer Credit Protection Act
  • OMB Circular A-130
  • FEMA Guidance Document
  • Paperwork Reduction Act
  • ISO 27002 (previously ISO 17799)
  • FFIEC BCP Handbook
  • Computer Security Act
  • 12 CFR Part 18
  • Presidential Decision Directive 67
  • FDA Guidance on Computerized Systems Used in
    Clinical Trials
  • ANSI/NFPA Standard 1600
  • Turnbull Report (UK)
  • ANAO Best Practice Guide (Australia)
  • SEC Rule 17a-4
  • FEMA FPC 65
  • CAR
  • JCAHO
  • DRII

Post-9/11 (2002 - 2008):
  • Sarbanes-Oxley Act of 2002
  • HIPAA Final Security Rule
  • FFIEC BCP Handbook (2003 / 2008)
  • Fair Credit Reporting Act
  • NASD Rule 3510
  • NERC Security Guidelines
  • FERC Security Standards
  • NAIC Standard on BCP
  • NIST Contingency Planning Guide
  • FRB-OCC-SEC Guidelines for Strengthening the
    Resilience of the US Financial System
  • NYSE Rule 446
  • California SB 1386
  • Australia Standards BCM Handbook
  • GAO Potential Terrorist Attacks Guideline
  • Federal and Legislative BC Requirements for IRS
  • Basel Capital Accord
  • MAS Proposed BCP Guidelines (Singapore)
  • NFA Compliance Rule 2-38
  • FSA Handbook (UK)
  • BCI Standard, PAS 56 (UK)
  • Civil Contingencies Bill (UK)
  • FPC 65
  • NYS Circular Letter 7
  • ASIS
  • State of NY
  • FIRM White Paper on CP
  • NISCC Good Practices (Telecomm)
  • Australian Prudential Standard on BCM
  • HB221, HB292
  • BS25999
  • SS507, SS540, TR19
  • CA Z1600
  • ISO/PAS 22399
  • HITECH Act of 2009
  • Title IX, PL 110-53
5
BCP Standards for Financial Institutions
  • Federal Financial Institutions Examination
    Council (FFIEC) BCP Handbook
  • Business continuity planning is about
    maintaining, resuming, and recovering the
    business, not just the recovery of the
    technology.
  • The planning process should be conducted on an
    enterprise-wide basis.
  • A thorough business impact analysis and risk
    assessment are the foundation of an effective
    BCP.
  • The effectiveness of a BCP can only be validated
    through testing or practical application.
  • The BCP and test results should be subjected to
    an independent audit and reviewed by the board of
    directors.
  • A BCP should be periodically updated to reflect
    and respond to changes in the financial
    institution or its service provider(s).

6
BCP Standards for Financial Institutions
  • NASD Rule 3510
  • Rule 3510 will require a business continuity plan
    that addresses, at a minimum:
  • Data back-up and recovery (hard copy and
    electronic)
  • Mission critical systems
  • Financial and operational assessments
  • Alternate communications between customers and
    the firm
  • Alternate communications between the firm and
    its employees
  • Business constituent, bank and counter-party
    impact
  • Regulatory reporting
  • Communications with regulators

7
BCP Standards for Financial Institutions
  • NYSE Rule 446
  • National Association of Insurance Commissioners
    (NAIC)
  • National Futures Association Compliance Rule 2-38

NYSE Rule 446:
(a) Members and member organizations must develop
and maintain a written business continuity and
contingency plan establishing procedures to be
followed in the event of an emergency or
significant business disruption. Members and
member organizations must make such plan
available to the Exchange upon request.
(b) Members and member organizations must conduct
a yearly review of their business continuity and
contingency plan to determine whether any
modifications are necessary in light of changes
to the member's or member organization's
operations, structure, business or location.

NFA Compliance Rule 2-38:
(a) Each Member must establish and maintain a
written business continuity and disaster recovery
plan that outlines procedures to be followed in
the event of an emergency or significant business
disruption. The plan shall be reasonably designed
to enable the Member to continue operating, to
reestablish operations, or to transfer its
business to another Member with minimal
disruption to its customers, other Members, and
the commodity futures markets.
8
BCP Standards for Financial Institutions
  • Electronic Funds Transfer Act - makes banks
    liable for actual damages caused by failing to
    transfer funds in a timely fashion. This required
    the establishment of contingency plans to meet
    the standard of reasonable care (the care that a
    reasonable man would exercise under the
    circumstances; the standard for determining legal
    duty).
  • Basel Committee's Capital Accords and Sound
    Practices for the Management and Supervision of
    Operational Risk - "Banks should have in place
    contingency and business continuity plans to
    ensure their ability to operate on an ongoing
    basis and limit losses in the event of severe
    business disruption." Seventh Principle in
    Sound Practices for Management and Supervision of
    Operational Risk
  • Reserve Bank of India - Operational Risk
    Management - Business Continuity Planning -
    "Business Continuity planning is a key
    pre-requisite for minimising the adverse effects
    of one of the important areas of operational risk:
    business disruption and system failures."

9
FINRA (Financial Industry Regulatory Authority)
  • Business Continuity Planning
  • NASD Rules 3510 and 3520 require firms to create
    and maintain business continuity plans (BCP) to
    use in the event of a significant business
    disruption.
  • Rule filings associated with Business Continuity
    Planning (SR-NASD-2002-108) 
  • FINRA's Business Continuity Plan
  • Small Firm Emergency Partner Program A Voluntary
    Addition to a Firm's BCP
  • Securities and Exchange Commission / Board of
    Governors of the Federal Reserve System / Office
    of the Comptroller of the Currency Joint White
    Paper on Business Continuity Planning
  • The Disaster Recovery Institute
  • Financial Services Sector Coordinating Council
    for Critical Infrastructure Protection and
    Homeland Security

10
BCP Standards for the Healthcare/Life Science
Industries
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA), Final Security Rule
  • 7. Contingency Plan (§ 164.308(a)(7)(i))
  • We proposed that a contingency plan must be in
    effect for responding to system emergencies. The
    plan would include an applications and data
    criticality analysis, a data backup plan, a
    disaster recovery plan, an emergency mode
    operation plan, and testing and revision
    procedures.
  • In this final rule, we make the implementation
    specifications for testing and revision
    procedures and an applications and data
    criticality analysis addressable, but otherwise
    require that the contingency features proposed be
    met.

HITECH Act of 2009: More Reporting of Breaches,
More Oversight
11
HIPAA BCP REQUIREMENTS
  • State privacy laws are NOT preempted by federal
    privacy rules, unless there is a direct conflict
  • If state law is more stringent, or covers an
    area not covered by federal rules, state law
    controls

Is it enough ????
12
BCP Standards for the Healthcare/Life Science
Industries
Manufacturing / Laboratory / Clinical
  • FDA's GxP (Good Practices)
  • FDA Guidance on Computerized Systems in Clinical
    Trials

IX. SYSTEM CONTROLS
B. Contingency Plans: Written procedures should
describe contingency plans for continuing the
study by alternate means in the event of failure
of the computerized system.
C. Backup and Recovery of Electronic Records:
Backup and recovery procedures should be clearly
outlined in the SOPs and be sufficient to protect
against data loss. Records should be backed up
regularly in a way that would prevent a
catastrophic loss and ensure the quality and
integrity of the data.
13
BCP Standards for the Energy Industry
  • Federal Energy Regulatory Commission (FERC)
    Security Standards for Electric Market
    Participants, July 2002
  • North American Electric Reliability Council's
    (NERC) Security Guidelines for the Electricity
    Sector, June 2002

Business Continuity Every participant operating
a critical electric resource shall have
contingency plans that define roles,
responsibilities and actions for protecting the
rest of the electric grid and market from the
failure of its own critical resources. Those
plans should further define the roles,
responsibilities and actions needed to quickly
recover or reestablish electric grid and market
functions, processes and systems, in the event
that a critical physical or cyber resource fails
or suffers harm or attack. Such plans shall be
tested or exercised regularly.
  • Continuity of Business Processes
  • Reduces the likelihood of prolonged interruptions
    and enhances prompt resumption of operations when
    interruptions occur. Consider flexible plans that
    address key areas such as telecommunications,
    information technology, customer service centers,
    facilities security, operations, generation,
    power delivery, customer remittance and payroll
    processes. It is useful to revise and test plans
    on a regular basis. It also is advisable to train
    personnel so they fully understand their roles
    with respect to the plans.

14
Not Just IT
  • FFIEC March 2008
  • Business continuity planning is about
    maintaining, resuming, and recovering the
    business, not just the recovery of the
    technology. The planning process should be
    conducted on an enterprise-wide basis.
  • Australian Prudential Standard April 2005
  • Business continuity management (BCM) describes
    a whole of business approach to ensure critical
    business functions can be maintained, or restored
    in a timely fashion
  • Monetary Authority of Singapore June 2003
  • Business Continuity Management (BCM) is an
    over-arching framework that aims to minimise the
    impact to businesses due to operational
    disruptions. It not only addresses the
    restoration of information technology (IT)
    infrastructure, but also focuses on the rapid
    recovery and resumption of critical business
    functions for the fulfillment of business
    obligations.

15
Cross-Industry BCP Standards
  • Sarbanes-Oxley Act of 2002

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL
CONTROLS.
(a) RULES REQUIRED. The Commission shall prescribe
rules requiring each annual report required by
section 13(a) or 15(d) of the Securities Exchange
Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain
an internal control report, which shall (1) state
the responsibility of management for establishing
and maintaining an adequate internal control
structure and procedures for financial reporting;
and (2) contain an assessment, as of the end of
the most recent fiscal year of the issuer, of the
effectiveness of the internal control structure
and procedures of the issuer for financial
reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.
With respect to the internal control assessment
required by subsection (a), each registered public
accounting firm that prepares or issues the audit
report for the issuer shall attest to, and report
on, the assessment made by the management of the
issuer. An attestation made under this subsection
shall be made in accordance with standards for
attestation engagements issued or adopted by the
Board. Any such attestation shall not be the
subject of a separate engagement.
IS THERE BCP IN SARBANES-OXLEY????
16
Is There BCP in Sarbanes-Oxley?
  • PCAOB (Public Company Accounting Oversight Board)

NO. "Furthermore, management's plans that could
potentially affect financial reporting in future
periods are not controls. For example, a
company's business continuity or contingency
planning has no effect on the company's current
abilities to initiate, authorize, record,
process, or report financial data.
Therefore, a company's business continuity or
contingency planning is not part of internal
control over financial reporting."
17
Is There BCP in Sarbanes-Oxley?
  • Practitioners

YES
18
Municipal Governments
  • Continuity of Operations (COOP)
  • Continuity of Government (COG)
  • FEMA Federal Preparedness Circular (FPC) 65
  • Originally Issued June 1999 (James Lee Witt)
  • Revised June 2004 (Michael Brown)

19
Rating COOP Compliance FEMA 65 Crosswalk
20
Are They A Client?
  • FFIEC Appendix E - Interdependencies
  • THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND
    BUSINESS PARTNERS
  • outsourcing information, transaction processing,
    and settlement activities
  • Institutions should review and understand service
    providers' BCPs and ensure critical services can
    be restored within acceptable timeframes based
    upon the needs of the institution
  • If possible the institution should consider
    participating in their provider's testing
    process.

HOW FAR DOES THIS EXTEND?????
21
Are They A Client?
  • HIPAA Business Associate (aka Chain of Trust)
  • "the business associate must (1) implement
    safeguards that reasonably and appropriately
    protect the confidentiality, integrity, and
    availability of the electronic protected health
    information that it creates, receives, maintains,
    or transmits on behalf of the covered entity; (2)
    ensure that any agent, including a subcontractor,
    to whom it provides this information agrees to
    implement reasonable and appropriate safeguards"

22
Singapore: The Model for the Future?
  • SS 540: Revision to TR19 (PDCA: Plan, Do, Check,
    Act), New BCM Framework
  • Standard for Business Continuity / Disaster
    Recovery Service Providers (SS507) - Singapore is
    the first country in the world to introduce a
    Standard and Certification program for BC/DR
    service providers. Developed by the Infocomm
    Development Authority of Singapore and the IT
    Standards Committee (ITSC), the Standard
    specifies the stringent requirements for BC/DR
    service providers. These requirements benchmark
    against the top practices in the region and
    stipulate the operating, monitoring and
    up-keeping of BC/DR services offered.
  • TR19 Technical Reference 19 - aims to help
    Singapore based enterprises build competence,
    capacity, resilience and readiness to respond to
    and recover from events that threaten to disrupt
    normal business operations.
  • PROPOSED BUSINESS CONTINUITY MANAGEMENT
    REQUIREMENTS FOR SGX MEMBERS May 2008

23
China / Japan
  • Chinese Business Continuity Management Committee
    (CBCM)
  • Setting Standards for Chinese
  • Emergency Response
  • Business Continuity
  • Still IT Centric (Committee exists under
    technology directorate)
  • Will Greatly Influence its Business Partners
  • Japanese Crisis Management Preparedness
    Organization (CMPO)
  • Business Continuity Advancement Organization.
    (BCAO)

24
Australia 2008-9
  • Introducing 3 New Standard Handbooks to Align
    with ISO 31000 (Risk Management Standard), Due
    for Release in May 2009
  • Management Standard
  • Practice Standard
  • Audit Standard

25
Standards
  • Uniform Commercial Code
  • Preparing for foreseeable business disruption
  • National Institute of Standards and Technology
    (NIST)
  • Contingency Planning Guide for Information
    Technology Systems
  • IT Governance Institute Standard: COBIT (Control
    Objectives for Information and related
    Technology)

26
ISO Standards and Business Continuity
  • ISO/TS 16949 - Applicable to any supplier to an
    automotive original equipment manufacturer
  • ISO 27002 (previously designated ISO 17799) -
    Deals with information security
  • ISO 9001, Quality Management - Record retention
    and data availability
  • ISO 14001, Environmental Mgt - Emergency
    preparedness and response
  • ISO/PAS 22399 Societal Security - Guideline for
    incident preparedness and operational continuity
    management

ISO/TS 16949, Section 6.3.2, Contingency Plans:
"The organization shall prepare contingency plans
to satisfy customer requirements in the event of
an emergency such as utility interruptions, labor
shortages, key equipment failure, and field
returns."

ISO 17799 (now ISO 27002), Section 11:
  • 11 BUSINESS CONTINUITY MANAGEMENT
  • 11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
  • 11.1.1 Business continuity management process
  • 11.1.2 Business continuity and impact analysis
  • 11.1.3 Writing and implementing continuity plans
  • 11.1.4 Business continuity planning framework
  • 11.1.5 Testing, maintaining and re-assessing
    business continuity plans

27
Legal Standards
  • Liability of Corporations
  • Liability of Corporate Executives
  • Liability to Outside Parties
  • Standard of Negligence
  • Standard of Care
  • Prudent Man Doctrine
  • Exercise same care in managing company affairs as
    in managing own affairs.
  • Informed Business Judgment v. Gross Negligence

28
Case Law / Legal Precedent
  • Blake v. Woodford Bank & Trust Co. (1977) -
    foreseeable workload, failure to prepare
  • Sun Cattle Company, Inc. v. Miners Bank (1974) -
    computer system failure, foreseeable computer
    failure
  • Uniform Commercial Code - preparing for
    foreseeable business disruption

29
Meeting the Standards
  • US v. Carroll Towing Co. (1947) - the Hand formula
  • 1. Probability of Harm (P): the chance that a
    damaging event will occur
  • 2. Magnitude of Harm (M): the amount of financial
    damage that would occur should a disaster happen
  • 3. Cost of Prevention (C): the price of putting
    in place a means of preventing the disaster's
    effects
  • P × M > C: liability attaches for failing to
    prevent where the cost of prevention is less than
    the expected harm (probability times magnitude)

30
Negligent Failure To Plan/Prepare Liability
Pandemics
  • 2003 Canadian Nurses who contracted SARS file
    suit stating that the Government was Negligent in
    not preparing for the second wave of the disease
    after the first wave was identified.
  • Munich Re
  • American Bar Association

31
BS25999
  • Part 1 is an extension of PAS56
  • Guidance
  • Prescriptive
  • Not Performance Based
  • Part 2
  • Certification Body
  • Specification
  • Auditable
  • Create Ability to Demonstrate Compliance
  • Stage 1 Audit Initial Assessment Desktop
    Review
  • Successful Completion Required Before Moving To
    Stage 2
  • Stage 2 -Conformance Audit - Certification Audit
  • Demonstrate Implementation
  • Failure Requires Corrective Action Plan Which
    Must be Agreed Upon
  • Completion of Stages 1 and 2 Allows for
    Application to BS 25999 Certification Manager for
    Certification
  • Surveillance Audits
  • (To be fair, British standard BS 25999 introduced
    "Maximum Tolerable Period of Disruption" (MTPD),
    another mind-bender destined for the verbal scrap
    heap, as well.)

32
BS25999 --UPDATE
  • Will be revised and included with ASIS proposed
    standard. The new proposed ISO/ANSI standard
    will also include elements of the Dutch standard.
  • The ANSI PINS (Project Initiation Notification
    System) filing will be reviewed by ANSI by the
    first week in November 2008 which ends the 30 day
    PINS comment period
  • A Technical committee will be formed to help
    create the standard. The technical committee
    will be open to a mixture of experts SDOs, users,
    managers, producers, etc.
  • The new proposed standard may face some
    opposition in that there is an indication that it
    is in conflict with other ANSI standards
  • The same group concluded unanimously that there
    is a compelling reason to have this standard.
  • The effort to create and have the new standard
    approved may take anywhere from 6 months to 2
    years to be approved.

33
PUBLIC LAW 110-53: IMPLEMENTING RECOMMENDATIONS
OF THE 9/11 COMMISSION ACT OF 2007, TITLE IX
34
The Holy Grail, or SOX for Business Continuity?
  • The program was called for in Title IX of the
    Implementing Recommendations of the 9/11
    Commission Act of 2007 (Public Law 110-53), which
    addresses a diversity of other national security
    issues as well. It was signed into law by the
    President on August 3, 2007.
  • Intent To Implement The Findings Of The 9/11
    Commission
  • NFPA 1600 Was Recommendation Of Commission For
    Standard
  • DRII's Professional Practices Are The Basis For
    BCP In NFPA 1600
  • Will It Become A Standard????
  • Voluntary
  • Non-punitive
  • Unsuccessful Attempts By Federal Government To
    Address Private Sector BCM
  • Overcome Investments By Private Sector
  • Strain On Small And Medium Sized Businesses In
    Supply Chain

35
Title IX 110-53
a. Goal of the new program is to provide a method
   to independently certify the emergency
   preparedness of private sector organizations,
   including their disaster / emergency management
   and business continuity programs. The program
   focuses on certifying the preparedness of
   businesses and other private sector entities,
   and does not involve any individual professional
   certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in
   the development of the program. Consultation
   with a variety of organizations and various
   sectors is required by the legislation. Program
   development will likely include involvement by a
   diversity of private sector advisory groups and
   others.
d. The program will be administered outside of
   government by 3rd party organizations with
   experience / expertise in managing and
   implementing voluntary accreditation and
   certification programs.
e. One or more preparedness standards can be
   designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and
   reporting in this area will not be duplicated or
   displaced, but rather recognized and integrated.
g. Special consideration will be made for small
   business.
h. Proprietary and confidential information is to
   be protected.
36
Defining The Standard
  • Process Used By Sloan Interdisciplinary Team
  • Representatives of
  • ASIS, DRI International, NFPA, RIMS
  • Review Existing Regulations
  • FFIEC, NYSE, SEC, NASD
  • NERC
  • HIPAA
  • Provide Credit for Work Already Done
  • Reduce Start From Scratch Opposition
  • Create Core Elements for Standard

"Core elements are those basic components that,
when implemented within an organization's unique
governance and culture, provide the underlying
framework to enable the organization to sustain
itself in spite of a disruptive event" (i.e., the
"common set of criteria for preparedness,
disaster management, emergency management, and
business continuity programs..." called for
under the law).
37
Core Elements: 13 Become 8
  • Policy statement and management commitment -
    Scope, program roles, responsibilities, and
    resources
  • Risk identification, assessments and criticality
    impact analyses, including legal and other
    requirements
  • Prevention and Mitigation Evaluation and Planning
  • Incident management (procedures and controls
    before, during and after a disruption, including
    emergency management of people, business
    operations and technology) includes
    communications
  • Recovery Planning - May be considered to include
    rebuilding, repairing, and / or restoring
  • Awareness and training
  • Exercises and testing
  • Program revision and improvement

38
Process Mapping
39
Standards Crosswalk
  • NFPA 1600-2007 Standard on Disaster/Emergency
    Management and Business Continuity Programs
  • CSA Z1600 Standard on Emergency Management and
    Business Continuity Programs
  • DRI International Professional Practices for
    Business Continuity Planners
  • BS 25999-2:2007 Business Continuity Management
    Part 2: Specification
  • ASIS International - Organizational Resilience:
    Preparedness and Continuity Management - Best
    Practices Standard (will probably become part of
    ISO/PAS 22399)
  • TR19:2005 Technical Reference for Business
    Continuity Management (BCM), includes SS507
  • ISO/PAS 22399:2007 Societal Security - Guidelines
    for Incident Preparedness and Operational
    Continuity Management

TO BE REPLACED WITH A NEW PROPOSED ANSI/ISO
STANDARD UNDER DEVELOPMENT
40
Flexibility Within A Framework
  • Existing Industry Efforts
  • Regulations
  • FFIEC, NYSE, SEC, HIPAA, NERC
  • Standards
  • ISO, ANSI, BSI

NOT Sarbanes-Oxley
41
Process For Implementation of Title IX
  • 1. DHS will designate one or more organizations
    to act as the accrediting body, to oversee the
    certification process, and to accredit qualified
    third parties to carry out the certification
    program.
  • 2. DHS will separately designate one or more
    standards for assessing private sector
    preparedness.
  • 3. DHS will provide information and promote the
    business case for voluntary compliance with
    preparedness standards.
  • 4. DHS will monitor the effectiveness of the
    program on an on-going basis.

42
Gaining Accreditation
ANSI-ANAB
43
Gaining Accreditation
ANSI-ANAB
DHS
44
NFPA gets new DHS support - PRECURSOR TO A
STANDARDS CHOICE?

The US Department of Homeland Security (DHS) has
designated the National Fire Protection
Association (NFPA) codes and standards development
process as a Qualified Anti-Terrorism Technology
(QATT) under the Support Anti-terrorism by
Fostering Effective Technologies Act of 2002
(SAFETY Act). NFPA is the first standards
development organization to receive this
designation. Under provisions of the SAFETY Act,
NFPA's codes and standards development process was
also certified as an Approved Product for Homeland
Security.

According to DHS, the SAFETY Act encourages the
development and deployment of new and innovative
anti-terrorism products and services by providing
liability protections. Designation as a QATT and
certification as an approved product for homeland
security under the SAFETY Act provides legal
protections for the NFPA codes and standards
development process as applied to anti-terrorism.

"NFPA is pleased to have its codes and standards
development process recognized as an effective
anti-terrorism technology, which reflects the
openness, balance and fairness NFPA strives to
achieve in its voluntary codes and standards
development process," said NFPA President James M.
Shannon.

Federal protections under the DHS Designation and
Certification are retroactive and recognize NFPA's
technology's first date of sale as September 11,
2001.

Shannon added, "The commitment and involvement of
NFPA in anti-terrorism standards predates the
events of 9/11. NFPA has long been committed to
making its codes and standards development process
available for the creation and continual
improvement of standards used to protect first
responders and the public in terrorist events. We
believe we have a world-class system which
attracts numerous experts from diverse fields to
develop codes and standards that mitigate the
effects of terrorism on people and property."

All NFPA safety codes and standards are developed
through a process accredited by the American
National Standards Institute (ANSI). The more than
250 technical committees responsible for
developing and updating all 300 codes and
standards include approximately 4,000 volunteers,
representing enforcing authorities, installers and
maintainers, labor, research and testing
laboratories, insurers, special experts, consumers
and other users. NFPA was the developer of the
NFPA 1600 Standard on Disaster/Emergency
Management and Business Continuity Programs.
45
TITLE IX UPDATE December 2008
  • At ANSI HSSP (Homeland Security Standards
    Panel), DHS unveiled its Voluntary Private
    Sector Preparedness Accreditation and
    Certification Program Proposed Target Criteria
    for Preparedness Standard
  • Internally developed; will be open for comment
    when DHS publishes a notice in the Federal
    Register
  • December 24, 2008: DHS files notice for comments
    in the Federal Register. "We note that the
    designated officer will consider adoption of the
    American National Standards Institute (ANSI)
    National Fire Protection Association (NFPA) 1600
    Standard on Disaster/Emergency Management and
    Business Continuity Programs (ANSI/NFPA 1600),
    the standard specifically mentioned in both the
    statute and the 9/11 Commission's
    recommendation, as well as any other private
    sector preparedness standards submitted for
    adoption."

AWAITING DHS FEDERAL REGISTER FILING OF
APPLICABLE STANDARDS
46
Implications
  • Certification
  • Benefit To Passing Certification
  • If You Can't Pass, Don't Start
  • Legal
  • Litigation Standard
  • Voluntary Negligence
  • No Teeth
  • Non-Punitive

Will it meet customer requirements?
47
What We Know Right Now
  • "Title IX of PL 110-53 is an unfunded effort;
    there are no tangible rewards, e.g., tax
    reductions in the form of deductions or tax
    credits, to use as an incentive. While there are
    ongoing efforts to provide some insurance relief
    for business continuity planning, at this time no
    such incentives are available." - Sloan Foundation
    Report
  • FEMA has been designated to lead the effort
  • ANSI will oversee the certification process
  • Manage Accreditation
  • Accredit third parties to carry out certification
  • Collaborate to develop procedures and
    requirements for certification and accreditation

48
Now For The Misinformation
"Although voluntary right now, these standards
could soon be federal mandates for all private
industry." - Not To Be Named Consulting Firm, in
advertising for their webinar
"Will share their best practices to meet the new
'national preparedness standard' known as NFPA
1600" - Not To Be Named Consulting Firm
  • "This voluntary program offers a number of
    potential benefits to the certified organization,
    including:
  • Possible insurance premium advantages
  • Enhanced credit ratings
  • Competitive differentiation" - Not To Be Named
    Consulting Firm

49
Certification Risk/Reward
  • Reward
  • May Satisfy Customer Inquiries
  • Create Uniformity
  • No Insurance/Rating Advantage
  • Risks
  • Discoverable (Corrective Action Plan)
  • May Not Provide Legal Protection
  • Judge and Jury Decision
  • No Known NFPA 1600 Defense
  • Quality of Auditors
  • Potential Conflict
  • Financial Operational Audit
  • Corporate Governance
  • Regulation
  • Expensive

50
The Problem
  • Literal Interpretation of Using a Standard
  • Precludes Use of Binding Regulations
  • Standards are General in Nature
  • No One Standard or Combination of Standards Will
    Meet Prescriptive and/or Performance Based
    Standards
  • Standards Are Not Industry Specific
  • Evacuation - NRC vs. NFPA
  • Data Backup HIPAA vs. BS25999
  • Recovery Time SWIFT vs. SS540
  • Failure to Adapt: "(E) CONSIDERATIONS. In
    developing and implementing the program under
    this subsection, the designated officer shall
    (i) consider the unique nature of various
    sectors within the private sector, including
    preparedness standards, business continuity
    standards, or best practices, established--"

51
Regulations
  • Created by Government/Industry Regulatory Bodies
  • Punitive
  • Fines
  • Shutdown
  • Subject to (Operational/Financial) Audit
    Annually
  • Audit Conducted by Third Party
  • Results are Board Issues
  • May Create Vendor Requirements
  • FFIEC
  • HIPAA

52
Standards
  • Voluntary
  • Non-Punitive
  • Auditable Through First, Second or Third Parties
  • State of Flux
  • NFPA 1600, the ANSI national standard, is in
    revision for a 3rd quarter 2009 release
  • ASIS/BS25999 are currently in the early stages of
    seeking ANSI accreditation, not due until at least
    the end of 2009
  • ISO 22399/PAS (Publicly Available Specification)
    is an interim state
  • New Australian Standard
  • New Singapore Standard
  • ...

53
The Answer
  • Aim is Preparedness
  • Preparedness Elements Are Defined
  • Sloan
  • ANSI-ANAB
  • Pick What is Appropriate
  • Financial Requirements
  • Utility Requirements
  • Satisfy Industry Requirements

54
The Answer
  • Satisfy Industry Requirements
  • Industry Specific
  • One Size Doesn't Fit All
  • Acceptable to Private Sector
  • Meets the Spirit of the Law
  • Cost Effective: Single Audit, No Audit Conflict
  • Gain Momentum: Quick Certification for 1,000s

55
Next Steps
  • QUALIFYING CERTIFYING BODY
  • Meet ANSI-ANAB Requirements
  • Designed for SMEs (Emergency/Disaster Management
    and Business Continuity to Understand Audit
    Concepts)
  • Designed for Auditors (To Understand
    Emergency/Disaster Management and Business
    Continuity)
  • Earn a CBCA (Certified Business Continuity
    Auditor) or CBCLA (Certified Business Continuity
    Lead Auditor)
  • Provide Consistency
  • Provide Recognition
  • Help Auditing, Help Professionals
  • Self Assessment
  • Second Party Assessment
  • Third Party Assessment

56
Q & A
  • Thank You

Statements concerning legal matters should be
understood to be general observations based
solely on our experience as risk consultants and
should not be relied upon as legal advice, which
we are not authorized to provide. All such
matters should be reviewed with your own
qualified legal advisors in these areas