The Holy Grail or SOX for Business Continuity - PowerPoint PPT Presentation


PUBLIC LAW 110-53 “IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007” TITLE IX. Post-9/11.

PowerPoint Slideshow about 'The Holy Grail or SOX for Business Continuity' - Pat_Xavi

Presentation Transcript
Slide 2

Timeline of business continuity regulations, guidance and standards (timeline graphic; axis labels 1991 - 2001, 2002, 2008; the timeline ends at Title IX – 110-53). The groupings below follow the layout of the slide:

  • Sarbanes-Oxley Act of 2002
  • HIPAA, Final Security Rule
  • FFIEC BCP Handbook - 2003 / 2008
  • Fair Credit Reporting Act
  • NASD Rule 3510
  • NERC Security Guidelines
  • FERC Security Standards
  • NAIC Standard on BCP
  • NIST Contingency Planning Guide
  • FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
  • NYSE Rule 446
  • California SB 1386
  • Australia Standards BCM Handbook
  • GAO Potential Terrorist Attacks

  • Federal and Legislative BC Requirements for IRS
  • Basel Capital Accord
  • MAS Proposed BCP Guidelines

  • NFA Compliance Rule 2-38
  • FSA Handbook (UK)
  • BCI Standard, PAS 56 (UK)
  • Civil Contingencies Bill (UK)
  • FPC 65
  • NYS Circular Letter 7

  • State of NY FIRM White Paper on CP
  • NISCC Good Practices (Telecomm)
  • Australian Prudential Standard on BCM

  • CA Z1600
  • ISO/PAS 22399

  • Consumer Credit Protection Act
  • OMB Circular A-130
  • FEMA Guidance Document
  • Paperwork Reduction Act
  • FFIEC BCP Handbook
  • Computer Security Act
  • 12 CFR Part 18
  • Presidential Decision Directive 67
  • FDA Guidance on Computerized Systems used in Clinical Trials
  • ANSI/NFPA Standard 1600
  • Turnbull Report (UK)
  • ANAO Best Practice Guide (Australia)
  • SEC Rule 17 a-4

  • Title IX – 110-53

Timeline axis: 1991 - 2001 | 2002 | 2008

The Holy Grail or SOX for Business Continuity

  • The Program Was Called For In Title IX Of “The Implementing The 9/11 Commission Recommendations Act Of 2007” (Public Law 110-53), Which Addresses A Diversity Of Other National Security Issues As Well. It Was Signed Into Law By The President On August 3, 2007.

  • Intent – To Implement The Findings Of The 9/11 Commission

    • “Like” NFPA 1600 Was Recommendation Of Commission For Standard

    • DRII’s Professional Practices Are The Basis For BCP In NFPA 1600

  • Will It Become A “Standard”????

    • Voluntary

    • Non-punitive

    • Unsuccessful Attempts By Federal Government To Address Private Sector BCM

  • Overcome Investments By Private Sector

  • Strain On Small And Medium Sized Businesses In Supply Chain

Title IX – 110-53

a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.

b. The program will be voluntary.

c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.

d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.

e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.

f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.

g. Special consideration will be made for small business.

h. Proprietary and confidential information is to be protected.

Defining “The Standard”

  • Process Used By Sloan Interdisciplinary Team

    • Representatives of:

      • ASIS, DRI International, NFPA, RIMS

  • Review Existing Regulations


    • NERC

    • HIPAA

  • Provide “Credit” for Work Already Done

    • Reduce Start From Scratch Opposition

    • Create Core Elements for Standard

Core elements are those basic components that, when implemented within an organization’s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common set of criteria for preparedness, disaster management, emergency management, and business continuity programs...." called for under the law.)

Core Elements 13 Become 8

  • Policy statement and management commitment - Scope, program roles, responsibilities, and resources

  • Risk identification, assessments and criticality impact analyses, including legal and other requirements

  • Prevention and Mitigation Evaluation and Planning

  • Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology) includes communications

  • Recovery Planning - May be considered to include rebuilding, repairing, and / or restoring

  • Awareness and training

  • Exercises and testing

  • Program revision and improvement

Standards Crosswalk

  • NFPA 1600:2007 Standard on Disaster/ Emergency Management and Business Continuity Programs

  • CSA Z1600 Standard on Emergency Management and Business Continuity Programs

  • DRII/BCI Professional Practices for Business Continuity Planners

  • BS 25999-2: 2007 Business Continuity Management – Part 2: Specification

  • ASIS International - Organizational Resilience: Preparedness and Continuity Management - Best Practices Standard

  • TR19:2005 Technical Reference for Business Continuity Management (BCM)



Flexibility Within A Framework

  • Existing Industry Efforts

    • Regulations

      • FFIEC – NYSE – SEC – HIPAA – NERC

    • Standards

      • ISO, ANSI, BSI

NOT Sarbanes-Oxley


Process For Implementation of Title IX

1. DHS will designate one or more organizations to act as the accrediting body, to oversee the certification process, and to accredit qualified third parties to carry out the certification program.

2. DHS will separately designate one or more standards for assessing private sector preparedness.

3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards.

4. DHS will monitor the effectiveness of the program on an on-going basis.

Process For Implementation of Title IX

  • Appointment by DHS of Designated Officer – October 1, 2007

    • Ashley Moore – FEMA

  • Enter into Agreement for Standard – February 28, 2008

    • Marcus Pollock – FEMA

Implications

  • Certification

    • Benefit To Passing Certification

    • If You Can’t Pass Don’t Start

  • Legal

    • Litigation Standard

    • “Voluntary Negligence”

  • No Teeth

  • Non-Punitive

Will it meet customer requirements?

What We Know Right Now

  • Title IX of PL 110-53 is an unfunded effort; there are no tangible rewards, e.g., tax reductions in the form of deductions or tax credits, to use as an incentive. While there are ongoing efforts to provide some insurance relief for business continuity planning, at this time no such incentives are available. – Sloan Foundation Report

  • FEMA has been designated to lead the effort

  • ANSI-ANAB will oversee the certification process

    • Manage Accreditation

    • Accredit third parties to carry out certification

    • Collaborate to develop procedures and requirements for certification and accreditation

Now For The Misinformation

“Although voluntary right now, these standards could soon be federal mandates for all private industry.” – Not To Be Named Consulting Firm, in advertising for their webinar

“Will share their best practices to meet the new ‘national preparedness standard’ known as NFPA 1600.” – Not To Be Named Consulting Firm

  • “This voluntary program offers a number of potential benefits to the certified organization, including:

    • Possible insurance premium advantages

    • Enhanced credit ratings

    • Competitive differentiation” – Not To Be Named Consulting Firm

Assessing The Business Continuity Process

  • DRII Evaluates Planning Process, Implementation and Testing Across The 10 Professional Practices – MAPS TO CORE ELEMENTS

    • Includes Subcategories

    • Ability To Weight Each Category

  • Utilizes The Same Scoring As It Does For Certifying Professionals

  • Questions Require a Yes Or No

  • Recommendations Are Provided When a “No” Answer Is Provided

  • May Be Customized For Industry, Country Or Regulatory Considerations

  • Will Contribute To a Worldwide Database

The Treaty of Orlando

  • 10% ACP Members for all DRII Courses

  • 5% “Sponsorship Fee” To ACP Chapter Hosting a DRII Course

  • Contact: Russell Wooldridge – 202-962-3930