© 2013 Strategic BCP®, Inc. All rights reserved. | strategicBCP.com 1

Deciphering Overlapping Standards and Requirements, Using the BCP Genome™

Disaster Recovery Journal Webinar Series

February 13, 2013


Today’s Presenter

Frank Perlmutter, CBCP, MBCI [email protected]

• President & Co-Founder of Strategic BCP®, creators of ResilienceONE® BCM Software

• 17+ years of experience in Business Continuity (BC) and Risk Management (RM)

• Former consultant with the Big 4 + Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury

• Directed BCP and strategic projects for 75+ clients at the C-level; 20+ for federal government


Background

• Strategic BCP® established in 2004

– Purpose: Elevate the productivity and relevance of business continuity professionals

– ResilienceONE® introduced as a milestone in using technology to streamline the process of creating and maintaining programs for:

• Business continuity

• Disaster recovery

• Business impact analysis/Risk assessment

• Crisis management


Webinar Focus Areas

• The Impact of Regulations, Standards & Best Practices

• Process Behind the BCP Genome™ Developed by Strategic BCP®

• Lessons Learned to Set up Your Own Framework

• Comparing and Selecting Appropriate Regulations, Standards & Best Practices

• Getting to a Gold Standard: Q&A & Wrap-up


The Impact of Regulations, Standards & Best Practices

Disaster Recovery Journal Webinar Series


Definitions

• Regulations

– “Mandatory authoritative rules dealing with details or procedures having the force of law, that are issued by an authority or government”

• Standards and Best Practices

– “Voluntary criteria, voluntary guidelines, and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes”


Why Care?

• You are OBLIGATED

– Regulations mandate/require compliance

– There are penalties if you choose not to comply

• You NEED guidance

– Standards, regulations, and best practices can provide guidance for your Business Continuity Program as follows:

• Initiating it

• Providing a process for developing and delivering it

• Managing it

• Monitoring it

• Evaluating/auditing it


Webinar Goals

• Apply lessons from how we mapped the BCP Genome™ in developing your own Gold Standard Framework

• Assess strengths and weaknesses of the specific standards, regulations, and best practices to determine which ones to include in your Framework

• Evaluate current/potential tools and methodologies to implement or fine-tune your Business Continuity Management (BCM) program


Process Behind the BCP Genome™ Developed by Strategic BCP®

Disaster Recovery Journal Webinar Series


The Inception of the BCP Genome™

• Mission

– The BCP Genome project started in 2006

– Goal: Develop a “Gold Standard” framework based on the business continuity industry’s collective thought leadership

• Starting

– Seek out the best standards, regulations, and best practices in terms of ability to implement the content contained within each of them practically—regardless of industry popularity

• Rule #1

– Do NOT interpret the standards, regulations, and best practices; SYNTHESIZE them


Mapping the BCP Genome™

• Selected (9) standards, regulations, and best practices to establish the original framework

• Diligently went point-by-point through each of them, mapping the original framework

• After (4) standards, the core framework was developed

• The (5) remaining standards were 95% redundant to the points mapped


The Result

• 101 points of a resilient Business Continuity Program mapped across (8) major categories:

1. Program Organization, Management, and Training

2. Business Impact Analysis (BIA)

3. Emergency Response and Crisis Management

4. Emergency Facilities

5. Business and IT Disaster Recovery

6. Testing

7. Maintenance

8. Auditing and General Policy


The BCP Genome Today

• Initial $300k investment over 10 months converging BC/DR insights

• The original framework has withstood the test of time as the additional (6) standards mapped since then—along with (25) others that have been examined—have conformed to the original framework with only minor alterations to the original points

• Proven to be a stable basis for expansion over the years

• It still guides the continuous refinement of our ResilienceONE® BCM software, audit methodology, and consulting practice


Lessons Learned to Set up Your Own Framework

Disaster Recovery Journal Webinar Series


The Path to Developing a Framework

Step 1: Start with regulations that you HAVE TO follow internally or because of clients

Step 2: Determine the Business Continuity Management (BCM) program AREAS that you want to address

Step 3: Determine if you WANT TO enhance your Business Continuity Program Framework

Step 4: Select the BEST standards, regulations, and best practices

Step 5: Map them to a CONSISTENT framework


Lesson #1: Look for Practical Guidance

• Many of the standards focus on program policies and procedures—not program content (e.g. how to set up a planning structure vs. how to write a plan)

“Framework Bread” (program policies and procedures):

• Program Organization, Management, and Training

• Maintenance

• Auditing and General Policy

“Framework Meat” (program content):

• Business Impact Analysis (BIA)

• Emergency Response and Crisis Management

• Emergency Facilities

• Business and IT Disaster Recovery

• Testing


Swimming in a Sea of Standards, Regulations, and Best Practices

• International Organization for Standardization (ISO) 22301:2012

• Federal Financial Institutions Examination Council (FFIEC) BCP Workprogram

• Disaster Recovery Institute International (DRI) Professional Practices

• Business Continuity Institute (BCI) Good Practice Guidelines

• National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs

• The Health Insurance Portability and Accountability Act (HIPAA) Security Rule

• The Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) for Business Continuity Management

• Basel II and III

• National Institute of Standards & Technology (NIST) Special Publication (SP) 800-34 Contingency Planning Guide for Information Technology Systems

• Federal Emergency Management Agency (FEMA-64) Guidelines for Dam Safety

• Federal Energy Regulatory Commission (FERC) Guidelines for Recovery Plan Format

• Control Objectives for Information and Related Technology (COBIT)

• Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• American Society for Industrial Security (ASIS) SPC 1-2009 Organizational Resilience Standard

• Plus many, many, many, many more


Lesson #2: Beware of Jumping on the “HOT” Standard

• The HOT standard changes every year or two

• Creates a moving target (i.e. if you try to conform to a standard one year, it might not be valid the next)

• Corollary: Don’t single thread your framework by only using ONE standard

[Timeline figure: standards shown over successive years: NFPA 1600 (recurring), BS 25999, PS-Prep, ISO 22301]


Lesson #3: Don’t Get Overwhelmed

• Many of the regulations, standards, and best practices are redundant in content

• You don’t need all of them

– Select regulations with which you must comply

– Put their points into your framework

– Fill in the holes with other ones

• Coming Up: Which regulations, standards, and best practices fit best


Comparing and Selecting Appropriate Regulations, Standards & Best Practices

Disaster Recovery Journal Webinar Series


Points mapped per category (TOTAL = points in the BCP Genome framework):

Category                                      FFIEC  NFPA 1600  NIST  FERC  GTAG  ISO 22301  HIPAA  TOTAL
Program Organization, Management & Training       8         12     7     3     5         10      0     12
Business Impact Analysis (BIA)                    6          4     8     4     8          7      3      9
Emergency Response & Crisis Management           18         26    19    19    16         16      1     31
Emergency Facilities                             12          6     3     1     5          1      0     12
Business & Support Component Recovery            14          7     8     4     8          5      3     16
Testing                                          13         14    13     1    10          8      1     14
Maintenance                                       3          0     3     1     2          4      1      4
Audit & General Policy                            2          0     2     0     1          3      0      3
TOTAL                                            76         69    63    33    55         54      9    101


Seek Outside Assistance

• DRJ has an excellent list of regulations, standards, and best practices on their website

• Some BCM software has it built into its methodology; ensure it’s not just a marketing claim

– Have them show you how the software meets the different parts of regulations, standards, and best practices


Questions?


Wrap-Up

For more insights and opportunities:

• Request a Live Demo of the BCP Genome™ in ResilienceONE® BCM Software at www.strategicBCP.com

• Contact Frank Perlmutter, CBCP, MBCI [email protected]

• Attend Frank’s presentation on “Enhancing BC Outcomes Through Risk Management Objectivity” Mar. 19 @ DRJ Spring World Conference, Orlando