Boston ACP – September 8, 2010

Al Berman Certification Presentation 9-8-10 to ACP


8/6/2019 Al Berman Certification Presentation 9-8-10 to ACP

http://slidepdf.com/reader/full/al-berman-certification-presentation-9-8-10-to-acp 1/32


• A Non-Profit Organization Committed to:
  o Promoting a base of common knowledge for the continuity management industry
  o Certifying qualified individuals in the discipline of Business Continuity
  o Promoting the credibility and professionalism of certified individuals
• Founded in 1988.
• The Industry's Premier Education and Certification Program Body


• DRII has Certified INDIVIDUALS in over 95 Countries.
• DRII conducts training courses in over 45 countries.
• More individuals choose to maintain their certification through us than all other organizations in our industry combined (Over 7,500 active individuals as of 2009)
• DRII Certifies individuals in English, Spanish, French, Japanese, Mandarin and Russian
• DRI International teaches in English, French, Spanish, Portuguese, Mandarin, Japanese, Italian and Russian
• In 2009 DRII taught more classes outside the US than within the US.


Government Organizations

• Chaired the Alfred P. Sloan Committee that drafted the Framework for Preparedness that has been the foundation for the Title IX Implementation.
• Member U.S. Chamber of Commerce Homeland Security Task Force
• Member of the Council of Experts for ANSI-ANAB who will set the credentialing standard for certifying bodies for PS-Prep
• Member of FEMA National Advisory Council Private Sector Subcommittee
• Member of Advisory Committee for Congressionally funded Project for National Security Reform
• Meeting with Special Assistant to The President for Homeland Security Standards Policy


Non-Government Organization

• Member of the NFPA 1600 Technical Committee
• Member of the BS25999 – ASIS Technical Committee
• Participant RIMS (Risk Insurance Managers Society) PERK (Professional Exchange of Risk Knowledge) Program
• Cooperative Education Credit Sharing with ISACA (Information Systems Audit and Control Association)
• Cooperative Education Credit Sharing with IC2
• Audit Course Development and Training for Auditors with NFPA (National Fire Prevention Association)
• Developing Joint Program with Red Cross


• Greater Marketplace Recognition
  o Job Pre-Requisites
  o Distinguishes Candidate
  o HR Key Words
    - CBCP, ABCP
• Financial Gain – certification is correlated with higher wages


Courtesy – BC Management – 2008 Survey


• Employer Benefit – confirms for the employer, the employee has a high level of knowledge of standard industry practices and processes – AND CONTINUES TO MAINTAIN CURRENT KNOWLEDGE
  o Provides consistency of knowledge for multi-nationals


• What Are We Trying to Accomplish?
  o PREPAREDNESS
    - Emergency Management
    - Disaster management
    - Business Continuity
• Is this New?
  o Regulations
  o Standards
  o Guidances


Recommendation: We endorse the American National Standards Institute's recommended standard for private preparedness. We were encouraged by Secretary Tom Ridge's praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit-rating industries to look closely at a company's compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world.


Business Continuity Regulations and Standards

[Timeline figure: Pre-9/11 (1991 - 2001) and Post-9/11 (2002 - 2010). Items shown on the slide:]

• Consumer Credit Protection Act
• OMB Circular A-130
• FEMA Guidance Document
• Paperwork Reduction Act
• ISO 27002 (Previously ISO17799)
• FFIEC BCP Handbook
• Computer Security Act
• 12 CFR Part 18
• Presidential Decision Directive 67
• FDA Guidance on Computerized Systems used in Clinical Trials
• ANSI/NFPA Standard 1600
• Turnbull Report (UK)
• ANAO Best Practice Guide (Australia)
• SEC Rule 17 a-4
• FEMA FPC 65
• CAR
• JHACO
• Sarbanes-Oxley Act of 2002
• HIPAA, Final Security Rule
• FFIEC BCP Handbook - 2003/2008
• Fair Credit Reporting Act
• NASD Rule 3510
• NERC Security Guidelines
• FERC Security Standards
• NAIC Standard on BCP
• NIST Contingency Planning Guide
• FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
• NYSE Rule 446
• California SB 1386
• Australia Standards BCM Handbook
• GAO Potential Terrorist Attacks Guideline
• Federal and Legislative BC Requirements for IRS
• Basel Capital Accord
• MAS Proposed BCP Guidelines (Singapore)
• NFA Compliance Rule 2-38
• FSA Handbook (UK)
• BCI Standard, PAS 56 (UK)
• Civil Contingencies Bill (UK)
• 2002 Safety Act
• FCD-1/2
• NYS Circular Letter 7
• ASIS
• State of NY FIRM White Paper on CP
• NISCC Good Practices (Telecomm)
• Australian Prudential Standard on BCM
• HB221
• HB292
• BS25999
• SS507 – SS540
• TR19
• CA Z1600
• ISO/PAS 22399
• HiTech Act of 2009
• DRII
• Title IX – 110-53


a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.

b. The program will be voluntary.

c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.

d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.

e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.

f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.

g. Special consideration will be made for small business.

h. Proprietary and confidential information is to be protected.


• A list of Recommended Standards Against Which a Company May Certify:
• ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition).
• British Standards Institution 25999 (2007 Edition) - Business Continuity Management. (BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management)
• National Fire Protection Association 1600 - Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions.


 ANSI-ANAB

In progress - ANSI

DHS


• DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course
• ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies and recognized by ANSI-ANAB
• Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only)
• This Certificate will Be Required to Seek CBCA/CBCLAs
• DRI International will maintain recertification through continuing education (RSBSQA requirement)


• Created by Government/Industry Regulatory Bodies
• Punitive
  o Fines
  o Shutdown
• Subject to Annual (Operational/Financial) Audit
• Audit Conducted by Third Party
• Results are Board Issues
• May Create Vendor Requirements
  o FFIEC
  o HIPAA


• Voluntary
• Non-Punitive
• Auditable Through First, Second or Third Parties
• State of Flux
  o NFPA 1600 is the ANSI National Standard and is Revised Every 3 years
  o ASIS/BS25999 are Currently in the Early Stages of Seeking ANSI Accreditation not Due until at Least End of 2009
  o ISO 22399/PAS (Publicly Available Specifications) Interim State
  o New Australian Standard
  o New Singapore Standard


• A Certification by an Approved Certification Body
  o No Endorsement by DHS/FEMA or Federal Government
    - A Distancing by DHS from the Process
    - Private Sector Certification Bodies
  o Available Before PS-Prep
    - NFPA 1600
    - BS 25999
    - SS507 – SS540
    - Private Companies


• No Get Out of Jail Free (Safe Harbor)
  o Safety Act of 2002
• No Reduction in Insurance Premiums
• Does Not Exempt Regulatory Compliance
• DHS Cannot Make It Mandatory – Only Legislative Action Can
  o Highly Unlikely
  o Consider Sarbanes-Oxley


• Rewards
  o May Satisfy Customer Inquiries
    - Supply Chain
    - RFPs
  o Create Uniformity
    - Multi-Nationals
  o Increase Preparedness
    - PS-Prep Raised Awareness of Need to Prepare


• Risks
  o May Not Provide Legal Protection
    - Judge and Jury Decision
    - No Known NFPA1600 Defense
  o Quality of Auditors
    - Proper Training
    - No Control
    - Precludes "Any organization that provides preparedness consulting services to private sector entities"


• Potential Conflict
  o Financial – Operational Audit
  o Corporate Governance
  o Regulation
• Expensive
  o Think Sarbanes-Oxley
  o Initial Expense
  o Annual or bi-Annual Review
  o REMEDIATION
• Discoverable (Corrective Action Plan)


• Focus on the Regs *
• Broaden Your Viewpoint *
• Keep Your Eyes on Transition *
• Hold Off On (the Actual) Certification *
• Walk Don't Run *
• Talk to Your General Counsel (DHS Does)

* The Standards Race
Author: Mark Carroll


• Let's Work On Preparedness
  o Small Steps – Easily Accomplished


The Greater Tampa Bay Chapter would act as the organizing administrator for the training class, and the participants would pay $1745.50 to ACP – GTB.

• At the conclusion of the DRI 501 class and exam, ACP – GTB will file the appropriate paperwork with the State of Florida for an education reimbursement, and the State of Florida would pay ACP – GTB for 50% of the cost of this training / exam program – or $872.50 per participant.

• GTB – ACP would then cut a check back to each participant for $872.50. The education grant only covers the cost of training, exams, and administrative fees associated with the class.

• That would bring the net cost to each participant down to $872.50 which is SIGNIFICANTLY lower than you'd pay for the program at any of the major BCP / DR conferences

• Travel, lodging, and meals would be the responsibility of each participant, and we are working with our event coordinator to find a venue which would guarantee a block room rate.


(1) consistent with keeping PS-Prep a voluntary program, as directed by Congress, FEMA should expressly and strongly emphasize that neither program participation nor the accreditation or certification standards establish an enforceable duty, a standard of care or any other basis for imposing civil liability;

(2) entities that are already subject to comprehensive emergency preparedness regulation under the Pipeline Safety Act, the Chemical Facility Anti-Terrorism Act, the Marine Transportation Security Act, etc., should be able to obtain PS-Prep certification solely by documenting their compliance (INGAA added that FEMA should do this accrediting the regulating agencies and instructing them to grant certification once an entity demonstrates its compliance with the emergency preparedness regulations);

(3) entities with PS-Prep certification should be considered pre-qualified for protection under the Supporting Anti-terrorism by Fostering Effective Technologies ("SAFETY") Act of 2002, or their SAFETY Act applications should at least be accorded priority processing; and

(4) FEMA should examine and address the economic feasibility and cost considerations associated with approving the proposed PS-Prep standards and allowing PS-Prep certification through compliance with current emergency preparedness regulations.

The Interstate Natural Gas Association of America ("INGAA")


• Legal
  o Common law precedent would substantiate certification as a way to mitigate potential liability
  o Development of statutory guidelines would provide additional legal motivation to pursue certification
  o Some corporations are concerned about possible disincentives associated with certification (e.g. identification of shortfalls)
  o Allowing multiple standards for certification could be legally problematic
  o Using a maturity model (levels of preparedness) may make certification more compelling from a legal perspective


Some corporations are concerned about possible disincentives associated with certification.

o There is a potential disincentive pertaining to undertaking preparedness certification and the related documentation of preparedness actions undertaken by a company, especially with respect to the identification of risks to the company and its current vulnerabilities.

o Absent some legal privilege such as attorney-client privilege or work product privilege, documents generated during the certification process could become discoverable and could be used against the company in any future litigation or investigations. That scenario functions as a disincentive to undertaking and documenting preparedness actions.

International Center for Enterprise Preparedness th

The Legal Working Group On the Voluntary Business Preparedness Accreditation and Certification Program

International Center for Enterprise Preparedness (InterCEP)

New York University
Initial Meeting March 7, 2008