Regulations, Best Practices and Standards How do Current Standards Measure Up? ACP Garden State Chapter April 2, 2009 Tom Martin

2 4/02/09 Agenda
 Review of Regulations, Best Practices & Standards
 Review of Recent Events
 Specific Focus on BS & NFPA1600
–Compare & Contrast the Two Standards
 How to Quantify a Standards Assessment?

3 Level Setting Definitions
Standards (Source: International Standards Organization - ISO)
Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
Regulations (Source: Georgetown Law School)
A type of "delegated legislation" promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as "rules" or simply "administrative law."
Best Practices (Source: BusinessDictionary.com)
Methods and techniques that have consistently shown results superior to those achieved with other means, and which are used as benchmarks to strive for. There is, however, no practice that is best for everyone or in every situation, and no best practice remains best for very long as people keep on finding better ways of doing things.

4 How Do Companies Measure the Performance of their BCM Program Today?
71.7%  Business Continuity Plan Exercises
51.8%  Audit Findings
31.8%  Benchmarking to Industry Norms
30.6%  Metrics Program
22.7%  Performance Reviews
16.6%  Technology Recovery Test Results
15.1%  Maturity Modeling
14.0%  We do not Measure BCM Performance
13.8%  Service Level Monitoring
8.7%   Review of Program Capabilities vs. Standards
Source: 2008 CI/KPMG BCM Benchmark Survey

5 Regulations, Best Practices & Standards
Regulatory (US)
 FFIEC - Federal Financial Institutions Examination Council
 OCC - Office of the Comptroller of the Currency
 FINRA - The Financial Industry Regulatory Authority
 SEC - Securities and Exchange Commission
 HIPAA - Health Insurance Portability and Accountability Act
 SOX - Sarbanes-Oxley
 + Others
Regulatory (International)
 FSA - Financial Services Authority (UK)
 MAS - Monetary Authority of Singapore
 Basel II – G10 Countries (Basel, Switzerland – June 2004)
Basel II attempts to provide regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face, by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.
National regulators indicated they were to implement Basel II, in some form or another, by 2015.

6 Regulations, Best Practices & Standards
Best Practices
 ASIS International - Preparedness & Continuity Management Best Practice Standard
 DRII/BCI - Professional Practices for Business Continuity Planners
 BCI - The BCI Good Practice Guidelines 2007 (United Kingdom)
 DRJ/DRII - Generally Accepted Practices (GAP)
 Basel Committee on Banking Supervision - High Level Principles for Business Continuity (2006)

7 Regulations, Best Practices & Standards
Standards
 NFPA Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
 BS Business Continuity Management (BSI/UK)
  -1 Code of Practice
  -2 Specification
 CSA Z Standard on Emergency Management and Business Continuity Programs (Canada)
 HB 292: A Practitioner's Guide to Business Continuity Management (Australia)
 TR19: BCM Framework & Technical Reference (Singapore)
 SI 24001: Security & Continuity Management Systems (Israel)
 ISO/PAS Incident Preparedness & Continuity Management (ISO/International)
 ISO – Guide for Information and Communications Technology for Disaster Recovery (ISO/International)
 Title IX – PL Voluntary Certification against yet-to-be-announced Standards (US)

8 Recent Events
July 2008
–Repligen Corp. (biopharmaceutical) becomes the first US firm to be certified in BS
–BSI Certification Status: 22 firms certified worldwide, 160 active applications
–Standard & Poor's announced they will enhance their ratings process for nonfinancial companies through an enterprise risk management review (creating a more systematic framework for an inherently subjective topic)
August 2008
–BS introduced – Code of Practice for Information and Communications Technology Continuity; similar to ISO – Guide for ICT and DR
–DHS signed agreement with ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the implementation and accreditation of Title IX

9 Recent Events (cont'd)
August 2008 (cont'd)
–ASIS announces plans for a new US Business Continuity and Risk standard; solicits the support of the ANSI organization
–ASIS is an ANSI accredited Standards Development Organization (SDO)
–DRII protests and rallies others to do the same
–Carnegie Mellon – CERT Resiliency Framework Code of Practice Standards Crosswalk (11 standards) published
October 2008
–ANSI & Homeland Security Standards Panel discussion; subject was Public Law Title XI voluntary standards
–DHS draft on criteria to be evaluated in standards selection
–ASIS hosted stakeholder deliberation meeting and then reaffirms its direction in developing a new ANSI standard

10 Recent Events (cont'd)
October 2008 (cont'd)
–Singapore (SPRING) launches new certifiable standard SS540, which replaces TR 19:2004
January 2009
–NFPA issues 2010 version of NFPA1600 for public comment
–ASIS International holds joint working group meeting to outline new US standard based largely on BS
–1st public feedback session on Title IX sponsored by the DHS
–The Business Continuity Institute (BCI) announced the release of an updated version of its business continuity Good Practice Guidelines, designated as GPG
February 2009
–2nd public feedback session on Title IX sponsored by the DHS
Work Continues

11 BS & NFPA1600 Comparison
NFPA1600
 17 year history
 2007 update / 2010 draft
 ANSI Standard (US)
 Not Currently Certifiable
 Non ISO structure
 16 Element Groupings
 ~112 detail points
 Available for Free
 4 pages
BS
 7 year history (PAS 56)
 releases
 BSI Standard (UK)
 Certifiable
 Follows ISO structure
 11 Element Groupings
 ~156 detail points
 Available for Cost
 12 pages (specification)

12 Key Differences
NFPA1600
 Component/Task Focus
 More Reactive in Nature
 Flow Applicable to Mitigation/Preparedness/Response/Recovery
 Strong on Emergency Planning & Response
BS
 Process/System Focus
 More Proactive in Nature
 Flow Applicable to Plan-Do-Check-Act Model (ISO)
 Strong on Awareness: "Embed into the Culture"
 Strong on Documentation, Records & Accountability

13 Core Elements of These and Other Standards
 A set of voluntary criteria
 Applicable to any size organization
 Provides for auditing and validation
 Are an alternative to regulations
 May become recognized as industry best practices (are also driven from same)
 A private sector vs. legislative process
Source: Sloan Report "Framework for Voluntary Preparedness", published February 2008 – compared 7 standards/best practices

14 Common Elements Examined by These Standards
 Scope & Policy
 Risk Identification
 Prevention & Mitigation, Evaluation & Planning
 Incident Management
 Recovery
 Awareness & Training
 Exercise & Testing
 Program Revision & Improvement
Source: Sloan Report "Framework for Voluntary Preparedness"
Any of the existing standards, guidelines, best practices, or regulatory approaches can be used to meet the intent of the Title IX PL. What is lacking is the know-how, implementation tools and evaluation metrics to help the private sector, particularly small and medium businesses, successfully select and implement an approach.

15 Why Perform a Program Assessment?
 Simplify measuring and managing continuity activities
 Understand how key resiliency competencies map to leading BC practice standards, i.e., NFPA1600, BS 25999, etc.
 Improve compliance efficiency – streamline and simplify management reporting and/or regulatory efforts
 Provide an appraisal methodology to benchmark an organization's resiliency and those of third party suppliers
 Establish a sharable common measurement of risk and resiliency
 Establish a roadmap for implementing a mature resiliency program
"If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it." - Abraham Lincoln

16 How to Aggregate & Report Results?

17 BS Summary Perspective

18 NFPA 1600 Summary Perspective

19 Grouping of Examination Points

20 Program Maturity

21 Quadrant Placement

22 Thank You