© 2013 Strategic BCP®, Inc. All rights reserved. | strategicBCP.com 1
Deciphering Overlapping Standards and Requirements, Using the BCP Genome™
Disaster Recovery Journal Webinar Series
February 13, 2013
Today’s Presenter
Frank Perlmutter, CBCP, MBCI [email protected]
• President & Co-Founder of Strategic BCP®, creators of ResilienceONE® BCM Software
• 17+ years of experience in Business Continuity (BC) and Risk Management (RM)
• Former consultant with the Big 4 + Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury
• Directed BCP and strategic projects for 75+ clients at the C-level; 20+ for federal government
Background
• Strategic BCP® established in 2004
– Purpose: Elevate the productivity and relevance of business continuity professionals
– ResilienceONE® introduced as a milestone in using technology to streamline the process of creating and maintaining programs for:
• Business continuity
• Disaster recovery
• Business impact analysis/Risk assessment
• Crisis management
Webinar Focus Areas
• The Impact of Regulations, Standards & Best Practices
• Process Behind the BCP Genome™ Developed by Strategic BCP®
• Lessons Learned to Set up Your Own Framework
• Comparing and Selecting Appropriate Regulations, Standards & Best Practices
• Getting to a Gold Standard: Q&A & Wrap-up
The Impact of Regulations, Standards & Best Practices
Definitions
• Regulations
– “Mandatory authoritative rules dealing with details or procedures having the force of law, that are issued by an authority or government”
• Standards and Best Practices
– “Voluntary criteria, voluntary guidelines, and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes”
Why Care?
• You are OBLIGATED
– Regulations mandate/require compliance
– There are penalties if you choose not to comply
• You NEED guidance
– Standards, regulations, and best practices can provide guidance for your Business Continuity Program as follows:
• Initiating it
• Providing a process for developing and delivering it
• Managing it
• Monitoring it
• Evaluating/auditing it
Webinar Goals
• Apply lessons from how we mapped the BCP Genome™ in developing your own Gold Standard Framework
• Assess strengths and weaknesses of the specific standards, regulations, and best practices to determine which ones to include in your Framework
• Evaluate current/potential tools and methodologies to implement or fine-tune your Business Continuity Management (BCM) program
Process Behind the BCP Genome™ Developed by Strategic BCP®
The Inception of the BCP Genome™
• Mission
– The BCP Genome project started in 2006
– Goal: Develop a “Gold Standard” framework based on the business continuity industry’s collective thought leadership
• Starting
– Seek out the best standards, regulations, and best practices in terms of ability to implement the content contained within each of them practically—regardless of industry popularity
• Rule #1
– Do NOT interpret the standards, regulations, and best practices; SYNTHESIZE them
Mapping the BCP Genome™
• Selected (9) standards, regulations, and best practices to establish the original framework
• Diligently went point-by-point through each of them, mapping the original framework
• After (4) standards, the core framework was developed
• The (5) remaining standards were 95% redundant to the points mapped
The Result
• 101 points of a resilient Business Continuity Program mapped across (8) major categories:
1. Program Organization, Management, and Training
2. Business Impact Analysis (BIA)
3. Emergency Response and Crisis Management
4. Emergency Facilities
5. Business and IT Disaster Recovery
6. Testing
7. Maintenance
8. Auditing and General Policy
The BCP Genome Today
• Initial $300k investment over 10 months converging BC/DR insights
• The original framework has withstood the test of time as the additional (6) standards mapped since then—along with (25) others that have been examined—have conformed to the original framework with only minor alterations to the original points
• Proven to be a stable basis for expansion over the years
• It still guides the continuous refinement of our ResilienceONE® BCM software, audit methodology, and consulting practice
Lessons Learned to Set up Your Own Framework
The Path to Developing a Framework
Step 1: Start with regulations that you HAVE TO follow internally or because of clients
Step 2: Determine the Business Continuity Management (BCM) program AREAS that you want to address
Step 3: Determine if you WANT TO enhance your Business Continuity Program Framework
Step 4: Select the BEST standards, regulations, and best practices
Step 5: Map them to a CONSISTENT framework
Lesson #1: Look for Practical Guidance
• Many of the standards focus on program policies and procedures—not program content (e.g. How to set up a planning structure vs. how to do a plan)
“Framework Bread” (program policies and procedures):
• Program Organization, Management, and Training
• Maintenance
• Auditing and General Policy
“Framework Meat” (program content):
• Business Impact Analysis (BIA)
• Emergency Response and Crisis Management
• Emergency Facilities
• Business and IT Disaster Recovery
• Testing
Swimming in a Sea of Standards, Regulations, and Best Practices
• International Organization for Standardization (ISO) 22301:2012
• Federal Financial Institutions Examination Council (FFIEC) BCP Workprogram
• Disaster Recovery Institute International (DRI) Professional Practices
• Business Continuity Institute (BCI) Good Practice Guidelines
• National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs
• The Healthcare Insurance Portability and Accountability Act (HIPAA) Security Rule
• The Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) for Business Continuity Management
• Basel II and III
• National Institute of Standards & Technology (NIST) Special Publication (SP) 800-34 Contingency Planning Guide for Information Technology Systems
• Federal Emergency Management Agency (FEMA-64) Guidelines for Dam Safety
• Federal Energy Regulatory Commission (FERC) Guidelines for Recovery Plan Format
• Control Objectives for Information and Related Technology (COBIT)
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• American Society for Industrial Security (ASIS) SPC 1-2009 Organizational Resilience Standard
• Plus many, many, many, many, more
Lesson #2: Beware of Jumping on the “HOT” Standard
• The HOT standard changes every year or two
• Creates a moving target (i.e. if you try to conform to a standard one year, it might not be valid the next)
• Corollary: Don’t single thread your framework by only using ONE standard
[Timeline figure: the “HOT” standard shifting over the years from NFPA 1600 to BS25999, PS Prep, and ISO 22301]
Lesson #3: Don’t Get Overwhelmed
• Many of the regulations, standards, and best practices are redundant in content
• You don’t need all of them
– Select regulations with which you must comply
– Put its points into your framework
– Fill in the holes with other ones
• Coming Up: Which regulations, standards, and best practices fit best
Comparing and Selecting Appropriate Regulations, Standards & Best Practices
Framework points addressed by each source, per category (TOTAL = points in the 101-point framework)

Category                                   FFIEC  NFPA 1600  NIST  FERC  GTAG  ISO 22301  HIPAA  TOTAL
Program Organization, Management & Training    8         12     7     3     5         10      0     12
Business Impact Analysis (BIA)                 6          4     8     4     8          7      3      9
Emergency Response & Crisis Management        18         26    19    19    16         16      1     31
Emergency Facilities                          12          6     3     1     5          1      0     12
Business & Support Component Recovery         14          7     8     4     8          5      3     16
Testing                                       13         14    13     1    10          8      1     14
Maintenance                                    3          0     3     1     2          4      1      4
Audit & General Policy                         2          0     2     0     1          3      0      3
TOTAL                                         76         69    63    33    55         54      9    101
Seek Outside Assistance
• DRJ has an excellent list of regulations, standards, and best practices on their website
• Some BCM software has this mapping built into its methodology; ensure it’s not just a marketing claim
– Have them show you how the software meets the different parts of regulations, standards, and best practices
Wrap-Up
For more insights and opportunities:
• Request a Live Demo of the BCP Genome™ in ResilienceONE® BCM Software at www.strategicBCP.com
• Contact Frank Perlmutter, CBCP, MBCI [email protected]
• Attend Frank’s presentation on “Enhancing BC Outcomes Through Risk Management Objectivity” Mar. 19 @ DRJ Spring World Conference, Orlando