International - Disaster Recovery Institute International
Effective date: in current draft review
Professional p...
Regulations And Standards For DR

A highlight of the various US regulations and standards for Disaster Recovery, Security, and Business Continuity that are in place for companies. This presentation was given to the Contingency Planners of Ohio North region on April 21, 2010.

1. Regulations and Standards for Business Resiliency
   Security, DR, and BC
   Key USA-specific and International examples
   4/21/2010
   © 2010 TPComps LLC
2. Agenda
   Sources and Notes
   Difference between Regulations and Standards
   Regulations Review
   Standards Review
3. Sources and Notes
   Information based on:
   - DRJ’s 2010 Rules and Regulations matrix
   - Internet research
   Only regulations and standards applicable across most industry categories are included here.
   Industry categories covered:
   - Banking and Finance
   - Public Health & Healthcare
   - Transportation & Shipping
   - Energy
   - Industry
   - Agriculture, Food Supply & Water
   - Information Distribution & Communications
   - Government & Public Agencies *
   * Indicates a non-applicable regulation or standard
4. Regulation vs. Standard
   Regulation
   - a: an authoritative rule dealing with details or procedure
   - b: a rule or order issued by an executive authority or regulatory agency of a government and having the force of law
   - Enforceable with potential penalties for noncompliance
   - Tells you what you have to do but not how to do it, generally
   Standard
   - a: something established by authority, custom, or general consent as a model or example
   - b: something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality
   - General guideline or framework
   - Tells you how to do what you have to do, generally
5. Regulations
   Common USA or International laws having some component that addresses issues of BR
6. OSHA - Occupational Safety and Health Administration *
   USA - Occupational Safety and Health Administration
   Effective date: 1970 and various dates since
   - Disaster Preparedness is addressed in 29 CFR 1910.38 subpart E
   - OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
   - For businesses with 10 or fewer employees, a written plan is not mandated but is recommended.
   Invocation @ Incident (I): Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization
   http://www.osha.gov/SLTC/emergencypreparedness/index.html
7. Privacy Act of 1974 (5 U.S.C. §552a) *
   USA – Department of Justice
   Effective date: 1974 and dates since
   - Requires management to safeguard the information and to keep it accurate and current in order to protect the individual.
   - Damage awards start at $1,000 in addition to “the costs of the action together with reasonable attorney fees as determined by the court”
   Invocation @ Incident (I): Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization
   http://www.justice.gov/opcl/privstat.htm
8. Prudent Man Concept *
   International - Common Law - Negligence Liability
   Effective date: September 2, 1974 and dates since
   - U.S. Code Title 29, Chapter 18, Subchapter I, Subtitle B, Part 4, § 1104
   - As per the Uniform Commercial Code, the legal standard used to determine whether appropriate action was taken in a particular situation.
   - Directors, senior management, officers and agents, when working for an organization, are considered to be in a position of fiduciary responsibility.
   - Uniform Commercial Code: any company, regardless of its industry, is expected to exercise due care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners. Due care can be compared to the "prudent man" concept.
   - A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due care is seen in the same light by State and Federal Courts.
   Invocation @ Incident (I): Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization
   http://www.law.cornell.edu/uscode/html/uscode29/usc_sec_29_00001104----000-.html
9. Foreign Corrupt Practices Act of 1977 and Public Law 95-213 Section 13(b)(2) *
   USA - US Dept of Justice
   Effective date: December 1977
   - Policy states that Directors and Officers can be held liable for “failure to enact standards of care”, and also should they fail to document the assessment process by which they determined not to develop a contingency plan.
   - Civil penalties can range from $5,000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
   - Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for businesses, and up to $100,000 for others with 5 years imprisonment
   Invocation @ Incident (I): Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization
   http://www.justice.gov/criminal/fraud/fcpa/docs/fcpa-english.pdf
10. GAO Supplier Requirements
    USA - Government Accountability Office
    Effective date: multiple dates
    - Requires federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
    - Will apply to all organizations providing supplies or services to GAO or Federal Agencies
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.gao.gov
11. Telecommunications Act of 1996, an Amendment of the FCC Telecommunications Act of 1934
    USA - Federal Communications Commission
    Effective date: April 1996
    - The act was intended to promote competition in the telecommunications industry.
    - Section 256 gives the FCC the right to oversee that telecommunications networks “seamlessly and transparently transmit and receive information between and across telecommunications networks.”
    - The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
    Enforced (E): Most frequently enforced for compliance purposes
    www.fcc.gov/telecom.html
12. IRS Procedure 98-25 (Supersedes IRS Procedure 91-59 and 86-19) *
    USA - Internal Revenue Service
    Effective date: January 1998
    - Legal requirements for computer records containing tax information.
    - Requires off-site protection and documentation of computer records maintaining tax information
    Invocation @ Incident (I): Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization
    http://www.uiowa.edu/~fusrmp/irsruling98-25.html
13. Federal Acquisition Regulation; Electronic Funds Transfer Final Rule *
    USA – Securities and Exchange Commission
    Effective date: March 1999
    - Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government
    - Subpart 32.1104
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.fms.treas.gov/eft/regulations/fareft.txt
14. Computer Fraud and Abuse Act *
    USA - FTC (Federal Trade Commission)
    Effective date: 2001, et al.
    - Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices.
    - Section 1030(e) speaks of data and storage
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.panix.com/~eck/computer-fraud-act.html
15. USA Patriot Act of 2001 (P.L. 107-56, 2001 HR 3162) *
    USA – Department of Homeland Security
    Effective date: October 2001
    - The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
    - Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.epic.org/privacy/terrorism/hr3162.html
16. Sarbanes-Oxley Act of 2002 (P.L. 107-204, 2002 HR 3763) - Section 404
    USA - Public Company Accounting Oversight Board
    Effective date: January 2002
    - Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls:
      - Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
      - Vital records creation and maintenance
    - Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
    Enforced (E): Most frequently enforced for compliance purposes
    http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
17. Sarbanes-Oxley Act of 2002: Section 409
    USA - Public Company Accounting Oversight Board
    Effective date: January 2002
    - Issuers must disclose information on material changes in financial condition on a regular basis
    - Areas assessed include:
      - Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
      - Vital records creation
    - If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinions.
    Enforced (E): Most frequently enforced for compliance purposes
    http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
18. FISMA: Federal Information Security Management Act *
    USA – Federal Trade Commission
    Effective date: December 2002
    - Details requirements to:
      - Assess risk
      - Determine levels of security necessary to protect such information
      - Periodically test and evaluate information security controls and techniques
      - Develop plans and procedures to ensure continuity of operations
    - May apply to organizations and institutions communicating with, or performing work for or on behalf of, a federal agency
    - H.R. 2548-48, Title III, sec 301
    Enforced (E): Most frequently enforced for compliance purposes
    http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
19. ANSI/ARMA 5-2003 Vital Records Programs
    USA – American National Standards Institute / Association of Records Managers and Administrators
    Effective date: March 2003
    - Addresses the development and implementation of a vital records program within the context of a formal records management program.
    - Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster, since they document an organization's legal and financial position and preserve the rights of employees, customers and stockholders.
    - Specific procedures addressed include: vital records analysis and selection, records protection methods, and the overall administration of a vital records program.
    Enforced (E): Most frequently enforced for compliance purposes
    http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2FARMA+5-2003
20. HIPAA (Health Insurance Portability and Accountability Act): Security and Contingency Plans 164.308(a)
    USA - Government Accountability Office
    Effective date: April 2003
    - Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis.
    - Includes specific BCM points
    - Applies to any organization
    - Section 1177 establishes penalties for any person that knowingly uses, obtains, or discloses individually identifiable health information in violation of the part. The penalties include:
      - Fines from <$50,000 to <$250,000 and/or imprisonment of <1 to <10 years, depending on the offense
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.nchica.org/HIPAAResources/Security/rule.htm
21. California SB 1386 - Security of Non-Encrypted Customer Information *
    USA - State of California
    Effective date: July 2003
    - 44 other states have similar laws, including Ohio
    - The bill requires all agencies, persons, or businesses that conduct business in California and that own or license computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.legalarchiver.org/sb1386.htm
22. 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information
    USA - Code of Federal Regulations
    Effective date: September 2006
    - Continuity of operations for Critical Infrastructure
    - Disclosure of critical information to the government
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://ecfr.gpoaccess.gov
23. Federal Continuity Directives (FCD) 1 & 2
    USA – Department of Homeland Security (DHS)
    Effective date: February 2008
    - Acknowledges that government operations / services “cannot be performed without the robust involvement of [Non-Federal Governments] and the private sector.”
    - FCD 1 provides direction for the development of continuity plans and programs for the Federal Executive branch.
    - FCD 2 provides additional guidance for the Departments and Agencies in identifying their Mission Essential Functions (MEFs) and potential P/MEFs, along with direction for Departments and Agencies conducting Business Process Analysis (BPAs) and Business Impact Analysis (BIAs).
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.fema.gov/news/newsrelease.fema?id=45287
24. FFIEC BCP Handbook: Business Continuity Planning “IT Examination Handbook” *
    USA - Federal Financial Institutions Examination Council
    Effective date: March 2008
    - Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business
    - Planning should occur for a BCP
    - BIAs and RAs are encouraged as the foundation of an effective BCP
    - Testing is needed
    - Ineffective or incomplete BCPs may lead to qualified examination reports and loss of trust by regulators and financial markets
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bcp_00.html
25. Securities and Exchange Act of 1934 (15 U.S.C.A78A) Rule 17a-4 *
    USA – Securities and Exchange Commission
    Effective date: October 13, 2009 – latest amendments
    - Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors.
    - Multiple visits from user auditors can place a strain on the service organization's resources.
    - A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.sec.gov/about/laws/sea34.pdf
    http://www.sec.gov/about/laws.shtml#secexact1934
26. Securities and Exchange Act of 1934, Sections 32(a) and (b) *
    USA – Securities and Exchange Commission
    Effective date: October 13, 2009 – latest amendments
    - Policy addresses criminal liability of Directors and Officers for failure to:
      - Protect computerized information
      - Document the process used to assess risks of information loss
      - Exercise “duty of care”
    - Burden of proof lies with the Directors and Officers
    - Potential fines imposed include personal fines up to $5,000,000 and/or imprisonment up to 20 years, and corporate fines up to $25,000,000.
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.law.uc.edu/CCL/34Act/sec32.html
27. Private Sector Preparedness Accreditation and Certification Program (PS-Prep), Title IX of US Public Law 110-53
    USA – Federal Emergency Management Agency (FEMA)
    Effective date: August 2009, signed into law on August 3, 2007
    - Designed to encourage private businesses to develop their resiliency plans
    - Establishes a common set of criteria for private sector preparedness, including:
      - disaster management
      - emergency management
      - business continuity programs
    - The goal of this voluntary program is to enhance nationwide resilience in an all-hazards environment by improving private sector preparedness.
    Ambiguous (A): Further clarification regarding strong ties with Business Continuity needs to happen
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.fema.gov/news/newsrelease.fema?id=45287
28. Standards
    Common USA or International criteria having some component that addresses issues of DR / BC
29. FEMA 141: Disaster Planning Guide for Business and Industry
    USA - Federal Emergency Management Agency
    Effective date: October 1993
    - Designed to provide guidance for business and industry officials to plan for, respond to, and recover from disasters.
    - A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
    - Includes information on specific hazards
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.fema.gov/pdf/business/guide/bizindst.pdf
    http://www.fema.gov/business
30. Terrorism: Real Threats, Real Costs, Joint Solutions
    USA – The Business Roundtable
    Effective date: June 2003
    - The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat.
    - Recommends various tools and procedures for government to use when regulating, and outlines the difficulty of allocating the costs of security.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
31. Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector
    USA - Financial Services Sector Coordinating Council for Critical Infrastructure Protection
    Effective date: May 2004
    - Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    https://www.fsscc.org/fsscc/reports/2006/Bank_Finance_SSP_061213.pdf
    http://digital.library.unt.edu/govdocs/crs/permalink/meta-crs-7844:1
    http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
32. COSO Enterprise Risk Management Framework *
    USA - Committee of Sponsoring Organizations of the Treadway Commission
    Effective date: September 2004
    - Defines essential enterprise risk management (ERM) components
    - Discusses key ERM principles and concepts
    - Suggests a common ERM language
    - Provides clear direction and guidance for enterprise risk management.
    - Cross compatibility with SOX and other legislation
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
33. NFPA 232: Standard on Protection of Records
    USA – National Fire Protection Association
    Effective date: August 2006
    - Standards for protection of business records, archives and records centers.
    - Addresses record types with storage requirements: Vital, Important, Archival, Permanent, Active, Inactive, and Unscheduled
    - Addresses salvage and post-incident procedures
    - Cross compatibility with ANSI/ARMA 5 and UL 72 & 155
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232
34. CobiT - Control Objectives for Information and related Technology v4.1
    USA - IT Governance Institute Standards
    Effective date: May 2007
    - Generally accepted control objectives for information technology.
    - Domains include:
      - Planning and Organization
      - Acquisition and Implementation
      - Delivery and Support
      - Monitoring and Evaluation
    - Areas reviewed for compliance
    - Cross compatibility with ITIL v3, NIST SP 800-53, CMMI v1.2, ISO/IEC 17799:2005, PMBOK, PRINCE2, SEI CMM, and TOGAF 8.1
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
35. ITIL v3 - IT Infrastructure Library
    International - IT Infrastructure Library
    Effective date: August 2007
    - Global standard in the area of service management.
    - ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world.
    - Provides a cohesive set of best practice, drawn from the public and private sectors internationally.
    - Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services
    - Cross compatibility with BS 15000 & ISO/IEC 20000
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.ogc.gov.uk/guidance_itil.asp
36. BS (British Standard) 25999, Parts 1 and 2
    International - British Standards Institute
    Effective date: December 2006 / November 2007
    - BS 25999-1 is a BCM code of practice; replaces PAS 56
    - BS 25999-2 is a specification for business continuity management.
    - NOTE: The BS 25999 standard must be purchased.
    - Follows the Plan-Do-Check-Act methodology
    - Possible use with PS-Prep
    - Cross compatibility with ISO 17021, NFPA 1600
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.w3j.com/xml
37. ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management
    International
    Effective date: June 2008
    - Continuation of the ISO 27000 series of standards. The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management
    - Cross compatibility with ISO/IEC 27001
    - Revises and supersedes the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.iso27001security.com/html/27005.html
    http://www.27000.org
38. ASIS American National Standard (SPC.1-2009) Organizational Resilience
    USA – American Society for Industrial Security
    Effective date: March 2009
    - A comprehensive management systems approach for Organizational Resilience: Security, Preparedness, and Continuity Management Systems
    - Includes guidance for response, mitigation, business / operational continuity, and recovery for disruptive incidents resulting from an emergency, crisis or disaster.
    - Cross compatibility with ISO 9001:2000, ISO 14001:2004, ISO/IEC 27001:2005, and the PDCA Model
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf
39. USA – National Fire Protection Association
    Effective date: June 2009, supersedes previous
    Applies to electrical feeds from UPS, generators, and external power supplies
    Some types of UPSs are excluded from this standard
    Covers installation and maintenance
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111
    NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
40. USA - National Institute of Standards and Technology
    Effective date: July 2002, new draft October 2009
    Details the fundamental planning principles necessary for developing an effective contingency capability
    Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies
    Cross compatibility with P.L. 106-398 & 100-235, IATF, GAO
    Enforced (E): Most frequently enforced for compliance purposes
    http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
    NIST SP 800-34 Contingency Planning Guide *
41. USA – National Fire Protection Association
    Effective date: December 2009
    Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery
    Cross compatibility with DRII, CSA Z1600, FEMA, NIST 800, ANSI/ARMA 5
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
    NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
42. USA - American Institute of Certified Public Accountants
    Effective date: October 1958 – June 2010
    Represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes
    Two types of audit: Type I and Type II
    Type I covers a point in time
    Type II covers a minimum of 6 months of operations
    Statement on Standards for Attestation Engagements (SSAE) No. 16 will replace SAS 70 in June 2010
    Enforced (E): Most frequently enforced for compliance purposes
    http://www.sas70.com
    Statement on Auditing Standards (SAS) 70 audit reports *
43. International - Disaster Recovery Institute International
    Effective date: in current draft review
    Professional practice letters include developing business continuity management strategies and other contingency planning
    Areas reviewed include:
      - Program Initiation and Management
      - Risk Evaluation and Control
      - Business Impact Analysis
      - Business Continuity Strategies
      - Emergency Response and Operations
      - Business Continuity Plans
      - Awareness and Training Programs
      - Business Continuity Plan Exercise, Audit and Maintenance
      - Crisis Communications
      - Coordination with External Agencies
    Cross compatibility with FEMA 141, HS-1 & SM 170; NCRP 111; NFPA 99, 130; NRT-1; NUREG-0654 & -0849; ARC 33050M; and others
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years
    https://www.drii.org/docs/profprac_details.pdf
    DRI International – “Ten Professional Practices for Business Continuity Professionals” *
44. Thank You: Questions, Comments, or Concerns
    Ted Kozenko, CISM, CISSP, IAM, BCMMA, QGCS
    TPComps LLC
    P. O. Box 1303
    Mentor, OH 44061-1303
    phone (440) 375-0088
    fax (440) 354-2527
    Planning@TPComps.com
    http://www.tpcomps.com
    TedKozenko or TPComps
    TPComps
    TedKozenko3
    “Life is thickly sown with thorns, and I know no other remedy than to pass quickly through them. The longer we dwell on our misfortunes, the greater their power to harm us.” – Voltaire
    © Scott Adams
