Angie M. Santiago President, CPAC Triangle Chapter

Transcription

1 Public Policy & Regulatory Trends in Business Continuity Management Title IX - A Primer Angie M. Santiago President, CPAC Triangle Chapter 1

2 Agenda PL History Governance structure Major Stakeholders Standards under consideration Concerns Opportunities 2

3 Title IX History January 2004 ANSI HSSP Workshop Discuss the feasibility and desirability of recommending to the 9/11 Commission a high level national standard on emergency management and business continuity Focus on voluntary consensus standard Would not require business to apply specific system or approach 3

4 History Cont d ANSI HSSP recommendation to 9/11 Commission As an ANSI standard NFPA is recognized as a framework for private sector preparedness and urges DHS to promote its adoption. Reference Intelligence Reform & Terrorism Prevention Act of 2004 PL Private Sector Preparedness 4

5 Title IX is Born Implementation Recommendation of 9/11 Commission Act of 2007 Public Law Signed into Law August 3, page bill 7 pages directly affects us 523 Guidance & Recommendations 524 Voluntary Private Sector Preparedness Accreditation & Certification Program Implemented by February

6 PL Title I: Homeland Security Grants Title II: EM Performance Grants EOC construction Title III: Communications Interoperability Title IV: Strengthening ICS Capability inventory, credentialing, typing Title V: Info Sharing & Intel Improvements Title VI: Congressional Oversight of V Declassification Board 6

7 PL Travel VII: Terrorist Travel Border security, human smuggling Title VIII: Privacy & Civil Liberties Title IX: Private Sector Preparedness Title X: Critical Infrastructure Security Ntl. Asset database, levees Title XI: WMD Defenses Bio-surveillance, nuclear, radiological 7

8 Private Sector Preparedness Council Michael Chertoff, Secretary, DHS R. David Paulison, Administrator FEMA Jay Cohen, Under Sec. Science & Technology Directorate Al Martinez Fonts Asst. Sec Private Sector Office Robert Stephan Asst. Sec Office of Infrastructure Protection 8

9 523 Identify best practices to assist or foster action by the private sector in assist or foster action by the private sector in (1) identifying potential hazards and assessing risks and impacts; (2) mitigating the impact of a wide variety of hazards, including weapons of mass destruction; (3) managing necessary emergency preparedness and response resources; (4) developing mutual aid agreements; (5) developing and maintaining emergency preparedness and response plans, and associated operational procedures; (6) developing and conducting training and exercises to support and evaluate emergency preparedness and response plans and operational procedures; (7) developing and conducting training programs for security guards to implement emergency preparedness and response plans and operations procedures; and (8) developing procedures to respond to requests for information from the media or the public. 9

10 524 Provides a method to independently certify the emergency preparedness of private sector organizations. Includes disaster/emergency management and business continuity programs. Certify businesses and other private sector entities, not individual professionals. All-hazards preparedness and not on terrorism. The program is voluntary. Key stakeholders are invited to participate in the development of the program. The federal government will not run the certification program. One or more preparedness standards can be designated. NFPA 1600 is referenced as one example. Existing industry efforts, certifications and reporting in this area will be recognized and integrated. Special consideration will be made for small businesses. Proprietary and confidential information is to be protected. 10

11 ANSI HSSP Plenary Session Oct 2, US Chamber of Commerce Well attended by: Insurance, Utilities, Consulting Firms, Petroleum, Transportation, Telecommunications, Financial, Postal, Mental Health, IBHS, ACP, CPAC, NFPA, CSA, Building Security Council, DRII, FSTC Academia, Healthcare, Gartner, DHS, HSI, FEMA, US Senate, ANSI, 911 Commission, NIST 11

12 12

13 Stakeholders - Public Agency DHS ANSI AQ Private Sector Voluntary Preparedness Certification Program Establish a common set of criteria in disaster and emergency management, and business continuity Designate an organizational body to act as the accrediting body DHS signs agreement with ANSI AQ National Accreditation Board (ANAB) National Accreditation Board (ANAB) - Oversees development, implementation, management of program Accrediting third parties to carry out certification of private sector entities DHS Private Sector Preparedness Council Select program standards Define and promote business case to participate Update Congress 13

14 Target Common Criteria 3. Identify hazards and threats including cyber and human security...insider threats 14

15 The Sloan Report Framework for Voluntary Preparedness ASIS International Association for security professionals Disaster Recovery Institute International Administers industry s educational and certification programs worldwide National Fire Protection Association Standards development organization with over 300 codes and standards Risk and Insurance Management Society Professional disciple that protects physical, financial, and human resources 15

16 Sloan Report Findings This work highlights the commonality of the different perspectives and approaches of these disciplines and their established standards, guidelines and best practices. Depending on the structure of businesses and organizations in the private sector, many are already pursuing elements or complete programs in preparedness based on the viewpoint of one or more of these disciplines. These businesses and organizations need the freedom to develop mature preparedness programs and systems building on their existing models Crosswalk of business continuity principles, practices, and standards currently utilized in the private sector. 16

17 17

18 ASIS International July 2008 ASIS, files an ANSI Project Initiation Notification System (PINS) Form With the intention to develop a business continuity management system standard Partners with BSI Management - Americas Integrate BS25999 into ASIS ISO / TC

19 ASIS International Oct Hosts Stakeholder Meeting Purpose: Discuss ASIS intent to develop a new BCM standard on BS25999 platform Attendees: ASIS International; Association of Contingency Planners; Avalution Consulting; Business Continuity Institute; BSI Management Systems America; Carrier Information Systems; Computer Sciences Corporation; Contingency Planning Association of the Carolinas; Continuity Information Support Services; Danalie Partners; Disaster Recovery Institute International; Emergency Management & Safety Solutions; McDermott Inc.; Navigant Consulting; North River Solutions. Attendees unanimously expressed the need for a new standard that is auditable and scalable Most attendees expressed concerns that a new standard would conflict with NFPA

20 ASIS ISO / TC

21 DRI International Contributed to the Framework for Voluntary Preparedness Sponsored ANSI HSSP Title IX Plenary Session Participated in Plenary Session Panel on Sloan Report Raised concerns of potential conflicts to ASIS BCM standard Principal attendee and leader at ASIS Oct 3 stakeholder meeting Expanding programs internationally Member of NFPA 1600 Technical Panel Member of ASIS BCM Technical Panel 21

22 NFPA 1600 Revising 2007 version 2010 version Publish draft late 2009 Currently recognized as an ANSI standard and quoted by Title IX framers It is not an implementation guide! Specifies essential elements for effective business continuity and emergency management 22

23 NFPA 2010 Addition of management system guidelines Self evaluation checklists Late 2008 open public comments Spring 2009 public comments meeting Publish by late

24 524 Concerns Provides a method to independently certify the emergency preparedness of private sector organizations. Consulting firms building certification practices Includes disaster/emergency management and business continuity programs. Also includes DHS missions with an emphasis on security Certify businesses and other private sector entities, not individual professionals. Private sector is not defined. Business continuity, enterprise risk management, compliance, and security professionals are concerned that the third party certifiers' will not be sufficiently qualified to determine the organizations' risk management decisions. All-hazards preparedness and not on terrorism. The target criteria published by HSI specifies cyber security and insider threats as part of the vulnerability assessment. The program is voluntary. True. Private sector cannot be required to participate even to bid on government contracts. Can be considered de facto standard and recommended by risk managers or legal community to reduce liability. Third party certification is costly. No business case. 24

25 524 Concerns The federal government will not run the certification program. ANAB has been designated One or more preparedness standards can be designated. NFPA 1600 is referenced as one example. Existing industry efforts, certifications and reporting in this area will be recognized and integrated. Special consideration will be made for small businesses. Institute for Business and Home Safety has not been invited to participate, nor has the US Chamber of Commerce or SBA Proprietary and confidential information is to be protected. Of most concern to companies who choose to participate, pay for third party evaluation, but do not feel compelled to submit results. It is voluntary after all 25

26 Resources Document PL Title IX Law FEMA Fact Sheets DRII The Sloan Report Continuity Central ASIS vs. DRII ASIS International Homeland Security Institute s Target Criteria ANSI Documents Links INALREPORT.pdf Management-System-Standards.pdf _Voluntary_Private_Sector_Preparedness.pdf x?rootfolder=%2fsites%2fapdl%2fdocuments%2fstandards%2 0Activities%2fHomeland%20Security%20Standards%20Panel&V iew=%7b21c60355%2dab17%2d4cd7%2da090%2dbabeec5 26 D7C60%7d

27 Resources Cont d Document NFPA Link PA1600.pdf 27

28 Opportunities CPAC BCM Technical Committees NFPA ASIS BCM Title IX Voluntary Private Sector Preparedness Accreditation Certification Awareness Self Assessment / Reporting 28

29 Upcoming Events November December 10 Cary, NC CPAC Annual Symposium Charlotte, NC Elections!!!!! Triad - Triangle Chapter Meeting Install new officers! 29

30 Contact Angie M. Santiago BCM Standards Committee No sales calls please! 30