ABA Homeland Security Law Institute Panel. Two Ounces of Prevention: The SAFETY Act and PS Prep Voluntary Programs to Mitigate Liability

Transcription

1 ABA Homeland Security Law Institute Panel Two Ounces of Prevention: The SAFETY Act and PS Prep Voluntary Programs to Mitigate Liability March 23, 2012 Remarks of Stephen Amitay, Counsel to ASIS International ASIS International is the largest organization for security professionals with more than 37,000 members worldwide. ASIS members are closely involved in overseeing and executing security and preparedness plans at all types and sizes of businesses. ASIS has worked for decades to develop ways for companies and organizations to become better prepared and resilient and ASIS is also an American National Standards Institute (ANSI) Accredited Standards Development Organization (SDO) Relevant to the PS Prep program, ASIS has developed several comprehensive preparedness standards. The most prominent is the 2009 ASIS ANSI Organization Resilience ( OR ) Standard, which was one of the three Standards adopted by DHS in 2010 for the PS Prep Program. 1 The OR Standard takes an ISO management systems approach for security, preparedness, response, mitigation, business/operational continuity and recovery for disruptive incidents resulting in an emergency, crisis, or disaster. In 2010, ASIS and the British Standards Institute developed an ANSI Business Continuity Management Systems Standard which essentially refines and adds an ISO management system approach to the PS Prep adopted BSI BCM Standard. 2 ASIS submitted this ANSI Standard (which will be a model for a future ISO BCM Standard) for adoption by the PS Prep program. ASIS is still waiting to hear back from DHS about its adoption. DHS has said that the goal of the PS Prep program is to promote private sector preparedness, including disaster management, emergency management and business continuity programs. 3 And DHS has also said that Whether your organization is small or large, any efforts to improve preparedness are beneficial. 4 ASIS fully agrees with these statements. In the first comprehensive expert examination of the Prep program put out by the Alfred Sloan Foundation in 2008, the primary recommendation of the document was that It is important for the DHS to recognize that multiple approaches comply with the spirit of Title IX of PL Therefore, greater resiliency success will be achieved if businesses are given the freedom and flexibility to determine how they will improve preparedness in a way that best fits their respective business models. and For the private sector to adequately and voluntarily establish 1 ANSI/ASIS Organizational Resilience: Security, Preparedness, and Continuity Management Systems- Requirements with Guidance for Use ASIS SPC (Mar. 12, 2009). 2 ANSI/ASIS/BSI BCM.01:2010, Business Continuity Management Systems - Requirements with Guidance for Use

2 preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet the respective organization s needs for preparedness. 5 In addition, the Sloan Report recommended that, Organizations that have implemented preparedness management controls, best practices or complementary systems which address the core elements should be recognized and credited as demonstrating preparedness. Regulated industries should be given credit for their compliance with relevant regulations without the need for duplicative systems. 6 As the Sloan Report and others have made clear, business preparedness can be attained in many forms and in stages. However, because of the constraints placed on the PS Prep program by Congress, the use of multiple approaches, recognition for addressing core elements, and credit for compliance with relevant regulations is not a part of the PS Prep program. The program s genesis was in the 9/11 Commission s finding that the private sector remains largely unprepared for a terrorist attack. 7 This finding was quite a general observation, and obviously many companies had dealt with and prepared for natural and man-made disasters before 9/11. What was even more head scratching though was the Commission s statement that we were also advised (by whom) that the lack of a widely embraced private-sector preparedness standard was a principal contributing factor to this lack of preparedness. 8 Consequently (based on a recommendation by the ANSI Homeland Security Standards Panel), the Commission essentially recommended that all organizations should comply with the National Fire Protection Associations Disaster/Emergency Management and Business Continuity Programs (NFPA 1600) and that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. 9 This recommendation for DHS adopt and promote a one size fits all national Standard based on NFPA 1600 was incorporated into both the House and Senate 9/11 Commission Recommendations bills introduced in early And, for the flexibility and other reasons mentioned in the Sloan Report, the provision was also strenuously objected to by various industry sectors and business groups. In a February 2007 letter to the House and Senate Homeland Security Committees, the Financial Services Sector Coordinating Council, stated The financial services sector has a long and effective history of developing best practices related to business continuity and recovery. The members of FSSCC and our regulators 5 Framework for Voluntary Preparedness: Briefing Regarding Private Sector Approaches to Title IX of H.R. 1 And Public Law Implementing Recommendations of the 9/11 Commission Act of 2007, Prepared for the Alfred P. Sloan Foundation by Representatives of ASIS,, DRII, NFPA and RIMS. January 18, Page 9. 6 Ibid. Page The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States (9/11 Report) July 22, Page Ibid. 9 Ibid. 10 H.R. 1 Implementing Recommendations of the 9/11 Commission Act of 2007 / S.4 Improving America s Security Act of

3 recognize that such best practices will differ markedly for the various institutions that comprise our sector. In addition, best practices cannot be frozen in time; they must have the ability to evolve. As a result, we do not believe that any single set of standards will be effective for businesses in many different sectors. 11 In addition, the Senate bill, which became the basis for the final passed language went even further, and in contravention to clearly established norms for Standards compliance, required that all organizations who implement a PS Prep Standard would have to undergo third party certification to obtain recognition or credit by DHS under the program. 12 This requirement of third party certification to a PS Prep Standard greatly threatens to undermine the lofty goal of promoting and recognizing private sector preparedness. First off, while there is no doubt that all three of the currently adopted PS Prep Standards are worthy preparedness standards, as noted in the Sloan Report, there are many other standards, guidelines, best practices, and programs that being used by businesses that foster preparedness. In fact, over 25 different standards, program and best practices related to preparedness were submitted for adoption in the PS Prep program. 13 At the ISO level, there are numerous Standards that are applicable to preparedness and resiliency. There is the ISO series of Standards for security management systems and resilience including for the supply chain with the new ISO Standard. 14 There is also the popular ISO Risk Management Standard, which by the way is a guidance standard and thus cannot be certified too. 15 As mentioned, many critical industries also have their own industry specific preparedness and BC programs and standards in addition to being governed by federal, state and local regulations related to preparedness. Of note is the American Chemical Council s Responsible Care Management System which provides chemical companies with an integrated, structured approach to improve company performance in the following key areas: community awareness and emergency response; security; distribution; employee health and safety; pollution prevention; and process and product safety. According to the ACC, the management system combines Responsible Care with the practices of leading private-sector companies, ISO management systems, and federal regulatory requirements. 16 For smaller and medium sized businesses there is the American Red Cross Ready Rating program, a free, self-guided program designed to help businesses, organizations and schools become better prepared for emergencies. In the program, members complete a 123-point self 11 Letter from the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security to Senators Joe Lieberman and Susan Collins, Senate Homeland Security and Government Affairs Committee. February 15, S.4, Improving America s Security Act of 2007 Sections ISO 28002:2011 Security management systems for the supply chain -- Development of resilience in the supply chain -- Requirements with guidance for use. 15 ISO 31000:2009, Risk management Principles and guidelines

4 assessment of their level of preparedness, gain access to tips and best practices, and commit to improving their score each year to maintain membership. According to the Red Cross, the 123 Assessment has been aligned with the federal government's private sector preparedness standards (PS-Prep). 17 There is also the Insurance Institute for Business and Home Safety Open for Business suite of business continuity tools that is designed to help small to mid-sized business reduce the potential for loss and prepare in advance to reopen. Open for business provides businesses with the process to develop the basics of a customized business continuity plan. 18 Relevant to today s event, the ABA Special Committee on Disaster Response and Preparedness has developed a business continuity guide tailored to law firms called Surviving a Disaster: A Lawyer s Guide to Disaster Planning. It provides a step by step guide for firms to develop a business continuity plan. 19 Secondly, in addition to limiting the PS Prep program to only include preparedness standards that met a new statutory definition of a comprehensive preparedness standard, Congress also made the judgment that only complete implementation of a PS Prep Standard would be sufficient to be deemed prepared by DHS. This requirement showed a lack of understanding of not only the varying needs of organization (where 100% implementation of a standard might not be necessary) but it also ignored the well developed process of phased implementation of a standard. For some businesses to be sufficiently prepared, they don t need to fully implement all elements of a standard. Requiring full implementation to get credit under PS Prep thus leads to unnecessary work and costs. More so, Congress did not allow for any recognition of phased implementation of a Standard. Phase implementation or a maturity model for implementing standards has been successfully used to implement ISO Standards in a way that can clearly demonstrate and document a level of improvement of performance. For a preparedness standard, such as the ASIS OR Standard, a maturity model is a series of steps of implementation of the Standard designed to help an organization evaluated where they currently are with regard to resilience management and preparedness, set goals for where they want to go, benchmark where they are relative to those goals, and plot a business sensible path to get there. Put another way, a maturity model can help an organizations achieve the benefits of resilience management by phasing in a Standard tied to the organization s business needs and economic realities. A maturity model can also provide the basis for a recognition program with progressive steps prior to full certification of the Standard lanning.authcheckdam.pdf 4

5 The lack of a maturity model for PS Prep standard implementation has been widely criticized. ASIS has recommended to DHS that they should consider a phased approach model as part of an awareness and recognition program. While DHS and PS Prep program officials have expressed interest in the maturity model, to allow for such phased implementation would likely require an amendment to the PS Prep Statutory language. 20 Based on a successful phased implementation program of the ASIS OR Standard with a South African hotel chain during the 2010 World Cup, ASIS developed an ANSI Standard that will describe a maturity model for the phased implementation of the ANSI/ASIS.SPC It has been approved by ANSI and will be published soon. 21 Of greatest concern though with the PS Prep Program is the requirement of third party certification. Quite frankly, requiring third party certification distracts attention from the primary goal of the Program to promote better preparedness and shifts a company s focus towards what has to be done (whether helpful or not for the company) to get the external certification. With third party certification as a goal, organizations could base their preparedness actions on what is necessary to get third party certification and not what is necessary to be as best prepared as possible. Adoption or choice of a standard should not be based on pursuing certification, but rather based on what best fits the organization s business mission, objectives and management style to improve its preparedness performance. Certification should only enter into consideration if there is a compelling business case to do so. DHS should not take any steps that turn the PS Prep program into a stimulus program for certification bodies and consultants.. The requirement of third party certification also ignores the fact that first party and second party certification to standards are well established and proven cost-effective means for a company to demonstrate implementation/adherence to a standard in the business community. For large organizations that have teams of RABQSA and IRCA certified Internal Lead Auditors, there would be little incentive to seek third party certification under the PS-Prep program. Such organizations not only have an internal mechanism for continual improvement of preparedness, but the internal auditors have greater knowledge of the business, and likely greater knowledge of the Standard in use. In addition, bringing in third party certifiers creates the risk of an organization s internal risk assessments, impact analysis and other proprietary information getting out. In the Standards arena, third party certification is the exception, not the rule. The number of companies who are third party certified to even the most widely used standards such as ISO 9000 and IS is still a miniscule percentage. In the US only about 25,000 companies are certified to the most popular ISO 9001 standard (Quality Management). More so, studies of ISO third party certification to ISO 9001 have shown that a pre-existing high performance in a company, rather certification itself, is what leads to higher quality performance post certification See Question Six. Federal Register / Vol. 74, No. 199 / Friday, October 16, 2009 / Notices 21 ANSI/ASIS Organizational Resilience Maturity Model - Phased Implementation (2012) 22 Probing the Limits: ISO 9001 Proves Ineffective, Scott Dalgeleish, Quality Magazine, April 1,

6 Many companies also use their own auditor to measure conformance by their suppliers second party certification --- which is a more effective and efficient process than relying on a third party. Indeed, second party certification that is contractually enforced has significant advantages over external third party certification, particularly for small and medium sized enterprises. Accordingly, in addition to the maturity model Standard to complement the ASIS OR Standard, ASIS is also developing an ANSI Standard that will create guidance on establishing a credible auditing program and methodology for first, second and third party attestation of conformance to the Standard. 23 In addition, another problem with third party certification is quality. There is a concern that businesses may be ill-served by consultants, training organizations, and certification bodies willing to pursue ways to a quick certification rather than continual improvement of preparedness. Already a potential issue is the quality of auditors and Lead Auditor Training under PS Prep. ASIS believes that the PS Prep approach to third party certification should be identical to that used by the existing and accepted market practices for ISO standards with strict adherence to ISO conformity assurance standards and internationally recognized programs (such as RABQSA International) for Lead Auditor certification. Under a RABQSA Lead Auditor Training program, the instructor must demonstrate competence in management systems, standards auditing, as well as subject matter expertise. 24 This is not a requirement for Lead Auditor Training under ANSI CAP training programs which are allowed for PS Prep. 25 No other ISO Management System certification program allows for ANSI CAP Lead Auditor training as the subject matter and management standard experience requirements for ANSI CAP lead auditor trainers is much less stringent than that of RABQSA. Unless a compliance auditor is properly trained and has practical auditing experience, in addition to knowledge of the standard, and knowledge of the industry sector, the benefits of third party certification are questionable. DHS (or Congress) should consider modifying the program to encourage improvement of preparedness performance by recognizing first and second party certification. In fact, the PS Prep program does allow for first party certification for small businesses. 26 However, small businesses often have less internal auditing/self-certifying capabilities. Why is self-certification considered only adequate for small businesses but not for larger organizations? Finally, a more general problem with PS Prep certification is what constitutes company certification if only one division of a company gets certified? 23 ASIS Auditing Management Systems For Security, Preparedness And Continuity Management With Guidance For Application Standard (201X) The 9/11 Act contains a provision, now codified at 6 U.S.C. 321m(b)(2)(D), which requires the PS-Prep Program to establish separate classifications and methods of certification for small business concerns... First-party or self-declaration of certification is an acceptable method for small businesses. Federal Register / Vol. 75, No. 190 / Friday, October 1, 2010 / Notices 6

7 Earlier this week, Dan Stoneking, Director of the FEMA Private Sector Division, sent out a notice to the private sector community about AT&T s recent third party certification to the BS25999 Standard. He said that Certification will enable businesses to: develop a plan of action; minimize potential impact to essential operations; protect data and information; increase reliability; protect market share and minimize financial losses, and gain industry recognition by promoting preparedness with suppliers and clients alike. 27 Actually, these are arguments for using a preparedness management system standard, and they are all benefits that can accrue to a company who uses such a standard --- independent of certification. In addition, PC Magazine had this to say about AT&T s PS Prep certification in a recent article, The wireless carrier is the first company to be certified by DHS as part of the agency's voluntary Private Sector Preparedness Program (PS-Prep) to assess and validate organizations' business continuity and preparedness capabilities. By giving AT&T its stamp-of-approval, DHS has certified that, in the event of any disaster, the carrier will be able to resume network traffic, field customer calls and queries, and service the communities in which it operates. 28 Really, DHS has certified that AT&T will be able to resume network traffic after a disaster? The goal of PS Prep program to promote private sector preparedness and the implementation of comprehensive preparedness standards is one way for companies to get better prepared. However, the Program should not in any way restrict businesses from having the freedom and flexibility to determine how they will improve preparedness. Adoption or choice of a standard should not be based on pursuing certification, but rather based on what best fits the organization s business mission, objectives and management style. ASIS will continue to work with DHS and the PS Prep program to support better preparedness, but unfortunately, Congress put some obstacles in the way Angela Moscaritolo. AT&T Certified by DHS in Disaster Preparedness. PC Magazine, March 14,