Evaluating/Applying Relevant BCM Standards: Which is the Best One to Follow?

Transcription

1 Evaluating/Applying Relevant BCM Standards: Which is the Best One to Follow? September 23, Strategic BCP, Inc. All rights reserved. strategicbcp.com 1

2 Today s Presenter Frank Perlmutter, CBCP, MBCI Fperlmutter@strategicbcp.com President & Co-Founder of Strategic BCP, creators of ResilienceONE BCM Software 17+ years of experience in Business Continuity (BC) and Risk Management (RM) Former consultant with the Big 4 + Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury Has directed BCP and strategic projects for 75+ clients at the C-level; 20+ for federal government 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 2

3 Background Strategic BCP established in 2004 Purpose: Elevate the productivity and relevance of business continuity professionals ResilienceONE introduced as a milestone in using technology to streamline the process of creating and maintaining plans for: Business continuity Disaster recovery Business impact analysis/risk assessment Crisis management 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 3

4 Area of Focus The Impact of Regulations, Standards & Best Practices Process Behind the BCP Genome Developed by Strategic BCP Lessons Learned to Set up Your Own Framework Comparing and Selecting Appropriate Regulations, Standards & Best Practices Getting to a Gold Standard: Q&A & Wrap-up 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 4

5 The Impact of Regulations, Standards & Best Practices 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 5

6 Definitions Regulations Mandatory authoritative rules dealing with details or procedures having the force of law, that are issued by an authority or government Standards and Best Practices Voluntary criteria, voluntary guidelines, and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 6

7 Why Care? You are OBLIGATED Regulations mandate/require compliance There are penalties if you chose not to comply You NEED guidance Standards, regulations, and best practices can provide guidance for your Business Continuity Program as follows: Initiating it Providing a process for developing and delivering it Managing it Monitoring it Evaluating/auditing it 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 7

8 Goals Apply lessons from how we mapped the BCP Genome in developing your own Gold Standard Framework Assess strengths and weaknesses of the specific standards, regulations, and best practices to determine which ones to include in your Framework Evaluate current/potential tools and methodologies to implement or fine-tune your Business Continuity Management (BCM) program 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 8

9 Process Behind the BCP Genome Developed by Strategic BCP 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 9

10 The Inception of the BCP Genome Mission The BCP Genome project started in 2006 Goal: Develop a Gold Standard framework based on the business continuity industry s collective thought leadership Starting Seek out the best standards, regulations, and best practices in terms of ability to implement the content contained within each of them practically regardless of industry popularity Rule #1 Do NOT interpret the standards, regulations, and best practices; SYNTHESIZE them 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 10

11 Mapping the BCP Genome Selected (9) standards, regulations, and best practices to establish the original framework Diligently went point-by-point through each of them; mapping the original framework After (4) standards, the core framework was developed The (5) remaining standards were 95% redundant to the points mapped 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 11

12 The Result 101 points of a resilient Business Continuity Program mapped across (8) major categories: 1. Program Organization, Management, and Training 2. Business Impact Analysis (BIA) 3. Emergency Response and Crisis Management 4. Emergency Facilities 5. Business and IT Disaster Recovery 6. Testing 7. Maintenance 8. Auditing and General Policy 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 12

13 The BCP Genome Today Initial $300k investment over 10 months converging BC/DR insights The original framework has withstood the test of time as the additional (6) standards mapped since then along with (25) others that have been examined have conformed to the original framework with only minor alterations to the original points Proven to be a stable basis for expansion over the years It still guides the continuous refinement of our ResilienceONE BCM software, audit methodology, and consulting practice 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 13

14 Lessons Learned to Set up Your Own Framework 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 14

15 The Path to Developing a Framework Step 1: Start with regulations that you HAVE TO follow internally or because of clients Step 2: Determine the Business Continuity Management (BCM) program AREAS that you want to address Step 3: Determine if you WANT TO enhance your Business Continuity Program Framework Step 4: Select the BEST standards, regulations, and best practices Step 5: Map them to a CONSISTENT framework 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 15

16 Lesson #1: Look for Practical Guidance Many of the standards focus on program policies and procedures not program content (e.g. How to set up a planning structure vs. how to do a plan) Framework Bread Framework Meat Program Organization, Management, and Training Maintenance Auditing and General Policy Business Impact Analysis (BIA) Emergency Response and Crisis Management Emergency Facilities Business and IT Disaster Recovery Testing 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 16

17 Swimming in a Sea of Standards, Regulations, and Best Practices International Organization for Standardization (ISO) 22301:2012 Federal Financial Institutions Examination Council (FFIEC) BCP Workprogram Disaster Recovery Institute International (DRI) Professional Practices Business Continuity Institute (BCI) Good Practice Guidelines National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs The Healthcare Insurance Portability and Accountability Act (HIPAA) Security Rule The Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) for Business Continuity Management National Institute of Standards & Technology (NIST) Special Publication (SP) Contingency Planning Guide for Information Technology Systems Federal Emergency Management Agency (FEMA-64) Guidelines for Dam Safety Federal Energy Regulatory Commission (FERC) Guidelines for Recovery Plan Format Control Objectives for Information and Related Technology (COBIT) Committee of Sponsoring Organizations of the Treadway Commission (COSO) ASIS SPC Plus many, many, many, many, more Basel II and III 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 17

18 Lesson #2: Beware of Jumping on the HOT Standard NFPA NFPA NFPA BS NFPA PS Prep 1600 NFPA ISO The HOT standard changes every year or two Creates a moving target (i.e. if you try to conform to a standard one year, it might not be valid the next) Corollary: Don t single thread your framework by only using ONE standard 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 18

19 Lesson #3: Don t Get Overwhelmed Many of the regulations, standards, and best practices are redundant in content You don t need all of them Select regulations with which you must comply Put its points into your framework Fill in the holes with other ones Coming Up: Which regulations, standards, and best practices fit best 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 19

20 Comparing and Selecting Appropriate Regulations, Standards & Best Practices 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 20

21 FFIEC NFPA 1600 NIST FERC GTAG ISO HIPAA TOTAL PROGRAM ORGANIZATION, MANAGEMENT & TRAINING BUSINESS IMPACT ANALYSIS (BIA) EMERGENCY RESPONSE & CRISIS MANAGEMENT EMERGENCY FACILITIES BUSINESS & SUPPORT COMPONENT RECOVERY TESTING MAINTENANCE AUDIT & GENERAL POLICY TOTAL Strategic BCP, Inc. All rights reserved. strategicbcp.com 21

22 Seek Outside Assistance DRJ has an excellent list of regulations, standards, and best practices on their website Some BCM software has it built into their methodology; ensure it s not just a marketing claim Have them show you how the software meets the different parts of regulations, standards, and best practices 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 22

23 Questions? 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 23

24 Wrap-Up For more insights and opportunities: Request a Live Demo of the BCP Genome in ResilienceONE BCM Software at Contact Frank Perlmutter, CBCP, MBCI Fperlmutter@strategicbcp.com 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 24