ABA Homeland Security Law Institute Panel. Two Ounces of Prevention: The SAFETY Act and PS Prep Voluntary Programs to Mitigate Liability
March 23, 2012

Remarks of Stephen Amitay, Counsel to ASIS International

ASIS International is the largest organization for security professionals, with more than 37,000 members worldwide. ASIS members are closely involved in overseeing and executing security and preparedness plans at all types and sizes of businesses. ASIS has worked for decades to develop ways for companies and organizations to become better prepared and resilient, and ASIS is also an American National Standards Institute (ANSI) Accredited Standards Development Organization (SDO).

Relevant to the PS Prep program, ASIS has developed several comprehensive preparedness standards. The most prominent is the 2009 ASIS ANSI Organizational Resilience (OR) Standard, which was one of the three Standards adopted by DHS in 2010 for the PS Prep Program.[1] The OR Standard takes an ISO management systems approach to security, preparedness, response, mitigation, business/operational continuity and recovery for disruptive incidents resulting in an emergency, crisis, or disaster. In 2010, ASIS and the British Standards Institute developed an ANSI Business Continuity Management Systems Standard which essentially refines and adds an ISO management system approach to the PS Prep adopted BSI BCM Standard.[2] ASIS submitted this ANSI Standard (which will be a model for a future ISO BCM Standard) for adoption by the PS Prep program. ASIS is still waiting to hear back from DHS about its adoption.

DHS has said that the goal of the PS Prep program is "to promote private sector preparedness, including disaster management, emergency management and business continuity programs."[3] And DHS has also said that "Whether your organization is small or large, any efforts to improve preparedness are beneficial."[4] ASIS fully agrees with these statements.

In the first comprehensive expert examination of the PS Prep program, put out by the Alfred P. Sloan Foundation in 2008, the primary recommendation of the document was that "It is important for the DHS to recognize that multiple approaches comply with the spirit of Title IX of PL […]. Therefore, greater resiliency success will be achieved if businesses are given the freedom and flexibility to determine how they will improve preparedness in a way that best fits their respective business models," and "For the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet the respective organization's needs for preparedness."[5] In addition, the Sloan Report recommended that "Organizations that have implemented preparedness management controls, best practices or complementary systems which address the core elements should be recognized and credited as demonstrating preparedness. Regulated industries should be given credit for their compliance with relevant regulations without the need for duplicative systems."[6]

As the Sloan Report and others have made clear, business preparedness can be attained in many forms and in stages. However, because of the constraints placed on the PS Prep program by Congress, the use of multiple approaches, recognition for addressing core elements, and credit for compliance with relevant regulations are not part of the PS Prep program.

The program's genesis was in the 9/11 Commission's finding that "the private sector remains largely unprepared for a terrorist attack."[7] This finding was quite a general observation, and obviously many companies had dealt with and prepared for natural and man-made disasters before 9/11. What was even more head-scratching, though, was the Commission's statement that "we were also advised (by whom?) that the lack of a widely embraced private-sector preparedness standard was a principal contributing factor to this lack of preparedness."[8] Consequently (based on a recommendation by the ANSI Homeland Security Standards Panel), the Commission essentially recommended that all organizations should comply with the National Fire Protection Association's Disaster/Emergency Management and Business Continuity Programs standard (NFPA 1600) and that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes.[9]

This recommendation that DHS adopt and promote a one-size-fits-all national Standard based on NFPA 1600 was incorporated into both the House and Senate 9/11 Commission Recommendations bills introduced in early […].[10] And, for the flexibility and other reasons mentioned in the Sloan Report, the provision was also strenuously objected to by various industry sectors and business groups. In a February 2007 letter to the House and Senate Homeland Security Committees, the Financial Services Sector Coordinating Council stated: "The financial services sector has a long and effective history of developing best practices related to business continuity and recovery. The members of FSSCC and our regulators recognize that such best practices will differ markedly for the various institutions that comprise our sector. In addition, best practices cannot be frozen in time; they must have the ability to evolve. As a result, we do not believe that any single set of standards will be effective for businesses in many different sectors."[11]

In addition, the Senate bill, which became the basis for the final passed language, went even further and, in contravention of clearly established norms for Standards compliance, required that all organizations who implement a PS Prep Standard would have to undergo third party certification to obtain recognition or credit by DHS under the program.[12] This requirement of third party certification to a PS Prep Standard greatly threatens to undermine the lofty goal of promoting and recognizing private sector preparedness.

First off, while there is no doubt that all three of the currently adopted PS Prep Standards are worthy preparedness standards, as noted in the Sloan Report there are many other standards, guidelines, best practices, and programs being used by businesses that foster preparedness. In fact, over 25 different standards, programs and best practices related to preparedness were submitted for adoption in the PS Prep program.[13] At the ISO level, there are numerous Standards that are applicable to preparedness and resiliency. There is the ISO series of Standards for security management systems and resilience, including for the supply chain with the new ISO Standard.[14] There is also the popular ISO Risk Management Standard, which by the way is a guidance standard and thus cannot be certified to.[15] As mentioned, many critical industries also have their own industry-specific preparedness and BC programs and standards, in addition to being governed by federal, state and local regulations related to preparedness.

Of note is the American Chemical Council's Responsible Care Management System, which provides chemical companies with "an integrated, structured approach to improve company performance in the following key areas: community awareness and emergency response; security; distribution; employee health and safety; pollution prevention; and process and product safety." According to the ACC, the management system "combines Responsible Care with the practices of leading private-sector companies, ISO management systems, and federal regulatory requirements."[16]

For smaller and medium-sized businesses there is the American Red Cross Ready Rating program, "a free, self-guided program designed to help businesses, organizations and schools become better prepared for emergencies." In the program, members complete a 123-point self-assessment of their level of preparedness, gain access to tips and best practices, and commit to improving their score each year to maintain membership. According to the Red Cross, the 123 Assessment "has been aligned with the federal government's private sector preparedness standards (PS-Prep)."[17] There is also the Insurance Institute for Business and Home Safety Open for Business suite of business continuity tools, which is designed to "help small to mid-sized business reduce the potential for loss and prepare in advance to reopen." Open for Business provides businesses with the process to develop the basics of a customized business continuity plan.[18] Relevant to today's event, the ABA Special Committee on Disaster Response and Preparedness has developed a business continuity guide tailored to law firms called "Surviving a Disaster: A Lawyer's Guide to Disaster Planning." It provides a step-by-step guide for firms to develop a business continuity plan.[19]

Secondly, in addition to limiting the PS Prep program to only include preparedness standards that met a new statutory definition of a "comprehensive preparedness standard," Congress also made the judgment that only complete implementation of a PS Prep Standard would be sufficient to be deemed prepared by DHS. This requirement not only showed a lack of understanding of the varying needs of organizations (where 100% implementation of a standard might not be necessary), but also ignored the well-developed process of phased implementation of a standard. For some businesses to be sufficiently prepared, they don't need to fully implement all elements of a standard. Requiring full implementation to get credit under PS Prep thus leads to unnecessary work and costs. More so, Congress did not allow for any recognition of phased implementation of a Standard.

Phased implementation, or a maturity model for implementing standards, has been successfully used to implement ISO Standards in a way that can clearly demonstrate and document a level of improvement of performance. For a preparedness standard such as the ASIS OR Standard, a maturity model is a series of steps of implementation of the Standard designed to help an organization evaluate where it currently is with regard to resilience management and preparedness, set goals for where it wants to go, benchmark where it is relative to those goals, and plot a business-sensible path to get there. Put another way, a maturity model can help an organization achieve the benefits of resilience management by phasing in a Standard tied to the organization's business needs and economic realities. A maturity model can also provide the basis for a recognition program with progressive steps prior to full certification to the Standard.

The lack of a maturity model for PS Prep standard implementation has been widely criticized. ASIS has recommended to DHS that it should consider a phased-approach model as part of an awareness and recognition program. While DHS and PS Prep program officials have expressed interest in the maturity model, to allow for such phased implementation would likely require an amendment to the PS Prep statutory language.[20] Based on a successful phased implementation program of the ASIS OR Standard with a South African hotel chain during the 2010 World Cup, ASIS developed an ANSI Standard that will describe a maturity model for the phased implementation of the ANSI/ASIS.SPC […]. It has been approved by ANSI and will be published soon.[21]

Of greatest concern, though, with the PS Prep Program is the requirement of third party certification. Quite frankly, requiring third party certification distracts attention from the primary goal of the Program, to promote better preparedness, and shifts a company's focus towards what has to be done (whether helpful or not for the company) to get the external certification. With third party certification as a goal, organizations could base their preparedness actions on what is necessary to get third party certification and not what is necessary to be as best prepared as possible. Adoption or choice of a standard should not be based on pursuing certification, but rather on what best fits the organization's business mission, objectives and management style to improve its preparedness performance. Certification should only enter into consideration if there is a compelling business case to do so. DHS should not take any steps that turn the PS Prep program into a stimulus program for certification bodies and consultants.

The requirement of third party certification also ignores the fact that first party and second party certification to standards are well-established and proven cost-effective means for a company to demonstrate implementation of, and adherence to, a standard in the business community. For large organizations that have teams of RABQSA- and IRCA-certified Internal Lead Auditors, there would be little incentive to seek third party certification under the PS-Prep program. Such organizations not only have an internal mechanism for continual improvement of preparedness, but their internal auditors have greater knowledge of the business, and likely greater knowledge of the Standard in use. In addition, bringing in third party certifiers creates the risk of an organization's internal risk assessments, impact analysis and other proprietary information getting out.

In the Standards arena, third party certification is the exception, not the rule. The number of companies who are third party certified to even the most widely used standards, such as ISO 9000 and IS […], is still a minuscule percentage. In the US only about 25,000 companies are certified to the most popular ISO 9001 standard (Quality Management). More so, studies of third party certification to ISO 9001 have shown that a pre-existing high performance in a company, rather than certification itself, is what leads to higher quality performance post-certification.[22]

Many companies also use their own auditors to measure conformance by their suppliers (second party certification), which is a more effective and efficient process than relying on a third party. Indeed, second party certification that is contractually enforced has significant advantages over external third party certification, particularly for small and medium-sized enterprises. Accordingly, in addition to the maturity model Standard to complement the ASIS OR Standard, ASIS is also developing an ANSI Standard that will create guidance on establishing a credible auditing program and methodology for first, second and third party attestation of conformance to the Standard.[23]

In addition, another problem with third party certification is quality. There is a concern that businesses may be ill-served by consultants, training organizations, and certification bodies willing to pursue ways to a quick certification rather than continual improvement of preparedness. Already a potential issue is the quality of auditors and Lead Auditor Training under PS Prep. ASIS believes that the PS Prep approach to third party certification should be identical to that used by the existing and accepted market practices for ISO standards, with strict adherence to ISO conformity assurance standards and internationally recognized programs (such as RABQSA International) for Lead Auditor certification. Under a RABQSA Lead Auditor Training program, the instructor must demonstrate competence in management systems and standards auditing, as well as subject matter expertise.[24] This is not a requirement for Lead Auditor Training under ANSI CAP training programs, which are allowed for PS Prep.[25] No other ISO Management System certification program allows for ANSI CAP Lead Auditor training, as the subject matter and management standard experience requirements for ANSI CAP lead auditor trainers are much less stringent than those of RABQSA.

Unless a compliance auditor is properly trained and has practical auditing experience, in addition to knowledge of the standard and knowledge of the industry sector, the benefits of third party certification are questionable. DHS (or Congress) should consider modifying the program to encourage improvement of preparedness performance by recognizing first and second party certification. In fact, the PS Prep program does allow for first party certification for small businesses.[26] However, small businesses often have less internal auditing/self-certifying capabilities. Why is self-certification considered adequate only for small businesses but not for larger organizations? Finally, a more general problem with PS Prep certification is: what constitutes company certification if only one division of a company gets certified?

Earlier this week, Dan Stoneking, Director of the FEMA Private Sector Division, sent out a notice to the private sector community about AT&T's recent third party certification to the BS25999 Standard. He said that "Certification will enable businesses to: develop a plan of action; minimize potential impact to essential operations; protect data and information; increase reliability; protect market share and minimize financial losses, and gain industry recognition by promoting preparedness with suppliers and clients alike."[27] Actually, these are arguments for using a preparedness management system standard, and they are all benefits that can accrue to a company who uses such a standard, independent of certification. In addition, PC Magazine had this to say about AT&T's PS Prep certification in a recent article: "The wireless carrier is the first company to be certified by DHS as part of the agency's voluntary Private Sector Preparedness Program (PS-Prep) to assess and validate organizations' business continuity and preparedness capabilities. By giving AT&T its stamp-of-approval, DHS has certified that, in the event of any disaster, the carrier will be able to resume network traffic, field customer calls and queries, and service the communities in which it operates."[28] Really, DHS has certified that AT&T will be able to resume network traffic after a disaster?

The goal of the PS Prep program is to promote private sector preparedness, and the implementation of comprehensive preparedness standards is one way for companies to get better prepared. However, the Program should not in any way restrict businesses from having the freedom and flexibility to determine how they will improve preparedness. Adoption or choice of a standard should not be based on pursuing certification, but rather on what best fits the organization's business mission, objectives and management style. ASIS will continue to work with DHS and the PS Prep program to support better preparedness, but unfortunately, Congress put some obstacles in the way.

Notes

(Notes 3, 4, 13, 16, 17, 18, 24, 25 and 27 are missing from the transcription.)

[1] ANSI/ASIS Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use, ASIS SPC […] (Mar. 12, 2009).
[2] ANSI/ASIS/BSI BCM.01:2010, Business Continuity Management Systems - Requirements with Guidance for Use.
[5] Framework for Voluntary Preparedness: Briefing Regarding Private Sector Approaches to Title IX of H.R. 1 and Public Law […], Implementing Recommendations of the 9/11 Commission Act of 2007, prepared for the Alfred P. Sloan Foundation by representatives of ASIS, DRII, NFPA and RIMS, January 18, […], page 9.
[6] Ibid., page […].
[7] The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States (9/11 Report), July 22, […], page […].
[8] Ibid.
[9] Ibid.
[10] H.R. 1, Implementing Recommendations of the 9/11 Commission Act of 2007 / S.4, Improving America's Security Act of […].
[11] Letter from the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security to Senators Joe Lieberman and Susan Collins, Senate Homeland Security and Government Affairs Committee, February 15, […].
[12] S.4, Improving America's Security Act of 2007, Sections […].
[14] ISO 28002:2011, Security management systems for the supply chain -- Development of resilience in the supply chain -- Requirements with guidance for use.
[15] ISO 31000:2009, Risk management - Principles and guidelines.
[19] […]lanning.authcheckdam.pdf (URL truncated in the transcription).
[20] See Question Six, Federal Register / Vol. 74, No. 199 / Friday, October 16, 2009 / Notices.
[21] ANSI/ASIS Organizational Resilience Maturity Model - Phased Implementation (2012).
[22] Probing the Limits: ISO 9001 Proves Ineffective, Scott Dalgeleish, Quality Magazine, April 1, […].
[23] ASIS Auditing Management Systems for Security, Preparedness and Continuity Management with Guidance for Application Standard (201X).
[26] The 9/11 Act contains a provision, now codified at 6 U.S.C. 321m(b)(2)(D), which requires the PS-Prep Program to "establish separate classifications and methods of certification for small business concerns..." First-party or self-declaration of certification is an acceptable method for small businesses. Federal Register / Vol. 75, No. 190 / Friday, October 1, 2010 / Notices.
[28] Angela Moscaritolo, "AT&T Certified by DHS in Disaster Preparedness," PC Magazine, March 14, […].
More informationDISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES
APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1
More informationHow Mature Is Your Business Continuity Program? by: Scott Ream Pages: 26-30; January, 2002
Source: Article Title. How Mature Is Your Business Continuity Program? January, 2002: pp 26-30. Reprinted with permission from Witter Publishing Corp. Content contained on www.contingencyplanning.com.
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationBusiness Continuity Management
Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not
More informationWith the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS
How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,
More informationNeed to protect your business from potential disruption? Prepare for the unexpected with ISO 22301.
Need to protect your business from potential disruption? Prepare for the unexpected with. Why BSI? Keep your business running with and BSI. Our knowledge can transform your organization. For more than
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationENVIRONMENTAL, HEALTH & SAFETY MANAGEMENT SYSTEMS MANUAL
September 7, 202 940. General Requirements (ISO 400 4.; OHSAS 800 4.).. Alcoa Fastening Systems Republic Operations (AFS Republic) has established, documented, implemented, maintains, and continuously
More informationThe Role of Internal Audit In Business Continuity Planning
The Role of Internal Audit In Business Continuity Planning Dan Bailey, MBCP Page 0 Introduction Dan Bailey, MBCP Senior Manager Protiviti Inc. dan.bailey@protiviti.com Actively involved in the Information
More informationBCM Data Research within a Business Intelligence Dashboard
BCM Data Research within a Business Intelligence Dashboard A powerful, innovative assessment tool designed exclusively for the Business Continuity Profession Collecting BCM data metrics since 2000. The
More informationSubject Area 9 Public Relations and Crisis Coordination
DRII/BCI Professional Practice Narrative: Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders (employees, corporate management, etc.) external stakeholders (customers,
More informationWILTSHIRE POLICE FORCE POLICY
Template v4 WILTSHIRE POLICE FORCE POLICY BUSINESS CONTINUITY MANAGEMENT SYSTEMS (BCMS) Effective from: July 2013 Version: 2.0 Next Review Date: July 2015 POLICY STATEMENT Wiltshire Police has a statutory
More informationCommitted to Environment, Health, & Safety
Committed to Environment, Health, & Safety Environment, Health, and Safety Management System and Policy of W.R. Grace & Co. January 1, 2015 The Grace Environment, Health, and Safety Management System,
More informationAll. Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization, and Protection, and as they relate to the NRF.
Coordinating Agency: Department of Homeland Security Cooperating Agencies: All INTRODUCTION Purpose Scope This annex describes the policies, responsibilities, and concept of operations for Federal incident
More informationThe New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework
The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,
More informationCSA Z1600 Emergency Management and Business Continuity Programs
CSA Z1600 Emergency Management and Business Continuity Programs Presented by: John Lindsay, Brandon University Department of Applied Disaster and Emergency Studies and Z1600 Technical Committee member
More informationReputation. Further excellence. business continuity. risk management. Data security
Reputation competitive advantage speed to market safety Further excellence trust Data security risk management business continuity HOW CAN YOU CREATE AND SECURE SUSTAINABLE BUSINESS? SOLUTIONS FOR MANAGING
More informationWater Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary
Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationEMERGENCY PREPAREDNESS POLICY
EMERGENCY PREPAREDNESS POLICY CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: Policy Emergency Planning PURPOSE This document sets out the strategic framework for the management of emergency preparedness
More informationBy. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd
BS 25999 Business Continuity Management By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd 1 Contents slide BSI British Standards 2006 BS 25999(Business Continuity) 2002 BS 15000
More information1.0 Policy Statement / Intentions (FOIA - Open)
Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies
More informationEnsuring operational continuity
Certification of BCMS (Business Continuity Management Systems) Standard BS 25999-2 Certification of BCMS (Business Continuity Management System Ensuring operational continuity in the event of interruptions,
More informationThe United States Regulatory Landscape for Business Continuity Management
The United States Regulatory Landscape for Business Continuity Management Presented by Chloe Demrovsky Director of Global Operations, DRI International Mumbai, India January 17, 2011 Agenda The Regulatory
More informationBusiness Emergency Operations Center (VSBEOC)
16th ICCRTS Collective C2 in Multinational Civil-Military Operations Title of Paper Virtual Small Business Emergency Operations Center (VSBEOC): Shared Awareness and Decision Making for Small Business
More informationLoss Control Webcast. Disaster Recovery Planning we re not in Kansas anymore
Loss Control Webcast Disaster Recovery Planning we re not in Kansas anymore May 15, 2013 1 The information presented in this material has been developed from sources believed to be reliable. It is presented
More informationBusiness Continuity and Emergency Preparedness Planning. Vandita Zachariah, MA, MBA, CIA HHSC Internal Audit Division May 21, 2010
Business Continuity and Emergency Preparedness Planning Vandita Zachariah, MA, MBA, CIA HHSC Internal Audit Division May 21, 2010 Overview Define key terms and list essential elements of business continuity
More informationMHA Consulting. Business Continuity Management 101
0 MHA Consulting Business Continuity Management 101 Presented by: Michael Herrera Brandon Magestro MHA Consulting Agenda MHA Consulting Introduction Business Continuity Management (BCM) Defined 2013 Trends
More informationISO/IEC 27018 Safeguarding Personal Information in the Cloud. Whitepaper
ISO/IEC 27018 Safeguarding Personal Information in the Cloud Whitepaper Summary The protection of private information has never been a higher priority. Many national and international bodies, including
More informationH. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.
H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.
More informationDESIGNING A BUSINESS CONTINUITY TRAINING PROGRAM TO MAXIMIZE VALUE & MINIMIZE COST
CONTENTS A Brief Introduction... 3 Where is the Value?... 3 How Can We Control Costs?... 5 The Delivery Mechanism... 7 Strategies to Deliver Training and Awareness... 8 Proving Training/Awareness Program
More informationDisaster Recovery/Business Continuity
CITY AUDITOR'S OFFICE Disaster Recovery/Business Continuity March 6, 2015 AUDIT REPORT NO. 1511 CITY COUNCIL Mayor W.J. Jim Lane Suzanne Klapp Virginia Korte Kathy Littlefield Vice Mayor Linda Milhaven
More informationISO 14001:2015: Key Changes
ISO 14001:2015: Key Changes Susan LK Briggs Convenor, ISO TC207/SC1/WG5 TC207 Workshop, 9/8/15 Topics for Discussion Background on ISO 14001 Revision Highlight of key changes in ISO 14001:2015 Top Management
More informationBusiness continuity management policy
Business continuity management policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSADPN001b S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review
More informationResponse to NAF Consulting Paper
Response to NAF Consulting Paper Author: Tan Chuan Jin Email: chuanjin.tan@atosorigin.com Yeo Chien Jen Email: chienjen.yeo@atosorigin.com Version: 1.3 Document date: 21 September 2008 All rights reserved.
More informationCFIUS and Network Security Agreements 1
CFIUS and Network Security Agreements 1 Mark E. Plotkin 2 David M. Marchick 3 David N. Fagan 4 This memorandum provides an overview of the principal U.S. government national security considerations and
More informationBUSINESS CONTINUITY MANAGEMENT POLICY
BUSINESS CONTINUITY MANAGEMENT POLICY AUTHORISED BY: DATE: Andy Buck Chief Executive March 2011 Ratifying Committee: NHS Rotherham Board Date Agreed: Issue No: NEXT REVIEW DATE: 2013 1 Lead Director John
More informationDepartment of Homeland Security Information Sharing Strategy
Securing Homeland the Homeland Through Through Information Information Sharing Sharing and Collaboration and Collaboration Department of Homeland Security April 18, 2008 for the Department of Introduction
More informationBusiness Continuity Position Description
Position Description February 9, 2015 Position Description February 9, 2015 Page i Table of Contents General Characteristics... 2 Career Path... 3 Explanation of Proficiency Level Definitions... 8 Summary
More informationSouth Norfolk Council Business Continuity Policy
South Norfolk Council Business Continuity Policy 1 Title: Business Continuity Policy Date of Publication: TBC Version: 2 Published by: Emergency Planning Team Review date: April 2014 Document Owner: Document
More informationContinuity of operations for critical infrastructure. Disclosure of critical information to the government.
Regulatory compliance is a significant factor influencing the development of your business resilience strategy. Moreover, while Business Continuity or Disaster Recovery regulations may not apply in every
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationPaul Scheihing, U.S. Department of Energy Joe Almaguer, Dow Chemical Company Pamela de los Reyes and Tracy Fisher, Energetics Incorporated
Superior Energy Performance cm : A Roadmap for Continual Improvement in Energy Efficiency Paul Scheihing, U.S. Department of Energy Joe Almaguer, Dow Chemical Company Pamela de los Reyes and Tracy Fisher,
More informationTOTAL QUALITY MANAGEMENT II QUALITY AUDIT
TOTAL QUALITY MANAGEMENT II Chapter 13: QUALITY AUDIT Dr. Shyamal Gomes Introduction: The term audit was defined in the 16th Century as the official examination of the accounts with verification by reference
More informationWEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy
WEST YORKSHIRE FIRE & RESCUE SERVICE Business Continuity Management Strategy Date Issued: 12 November 2012 Review Date: 12 November 2015 Version Control Version Number Date Author Comment 0.1 June 2011
More informationBusiness Continuity Management Policy
Governance: Business Committee Policy Owner: Chief Superintendent, Corporate Services Department: Corporate Services Policy Number: 002 Version: 3.0 Policy Writer: Business Continuity Co-ordinator Effective
More informationOpen Certification Framework. Vision Statement
Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption
More informationINTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...
More informationDEPARTMENT OF HOMELAND SECURITY
DEPARTMENT OF HOMELAND SECURITY Funding Highlights: Provides $39.5 billion, a decrease of 0.5 percent or $191 million, below the 2012 enacted level. The Budget continues strong investments in core homeland
More informationBusiness Continuity Planning. Description and Framework. White Paper. Preface. Contents
Comprehensive Consulting Solutions, Inc. Business Savvy. IT Smart. Business Continuity Planning White Paper Published: April 2001 (with revisions) Business Continuity Planning Description and Framework
More informationWhy Should Companies Take a Closer Look at Business Continuity Planning?
whitepaper Why Should Companies Take a Closer Look at Business Continuity Planning? How Datalink s business continuity and disaster recovery solutions can help organizations lessen the impact of disasters
More informationDisaster Preparedness: A Shared Responsibility
Disaster Preparedness: A Shared Responsibility WHITEPAPER 2011 Dun & Bradstreet Executive Summary The damage inflicted by disasters in recent years, whether measured by economic costs, loss of lives, or
More informationIntroduction to Business Continuity Planning
Introduction to Business Continuity Planning Business Continuity and Disaster Resilience Forum May 10, 2012 Rizal Ballroom A, Makati Shangri-la Manila, Philippines Dr Goh Moh Heng President BCM Institute
More informationBUSINESS CONTINUITY POLICY
BUSINESS CONTINUITY POLICY Document Type Corporate Policy Unique Identifier CO-038 Document Purpose To provide a structure through which: i. A comprehensive business continuity management system (BCMS)
More information