1:45 PM Multimedia Presentation of Initiatives across the United States

Introduction

We have heard this morning about the many public/private sector initiatives that are underway. There are grass roots efforts underway across the country. The Commission has learned about many of these efforts in NY City in the course of staff discussions with the private sector during our investigation. Some examples include:

• The APPL program brings together police and local businesses to discuss issues of security in Mid-town Manhattan;

• The New York First Precinct Community Council has both a residence and business council which meets on a monthly basis to discuss security and crime trends in the neighborhood;

• The BITS Crisis Management Coordination and Telecommunications Working Group is a private sector partnership working with the New York Federal Reserve to "improve the recoverability of critical financial services" in the aftermath of the experience of 9-11;

• The Contingency Planning Exchange is a "forum dedicated to providing an open exchange of information related to all contingency and Business continuity topics" which has a large membership and meets regularly to discuss key issues

While it is not possible to highlight all that is going on nationwide, we wanted to hear testimony on some of these important efforts. In this regard, we have asked the King County Office of Emergency Management in the State of Washington, and the International Association of Assembly Managers in Texas to tell us what they are doing in their public/private sector partnership to promote preparedness. IAAM representatives here today are Mr. Joseph Floreano of the Rochester Convention Center and Turner Madden. Now we will view the videos.

FO B3 Public Hearing 11-19-03 1 of 2 Fdr- Introduction and Material From APPL- BITS and Contingency Planning Exchange 661


8/14/2019 FO B3 Public Hearing 11-19-03 1 of 2 Fdr- Introduction and Material From APPL- BITS and Contingency Planning Ex…

http://slidepdf.com/reader/full/fo-b3-public-hearing-11-19-03-1-of-2-fdr-introduction-and-material-from-appl- 1/18


Draft 11/12/03

1:45 PM Multimedia Presentation of Initiatives across the United States

Introduction

We have heard this morning about the many public/private sector initiatives that are underway. There are grass roots efforts underway across the country. The Commission has learned about many of these efforts in NY City in the course of staff discussions with the private sector during our investigation. Some examples include:

• The APPL program brings together police and local businesses to discuss issues of security in Mid-town Manhattan;

• The New York First Precinct Community Council has both a residence and business council which meets on a monthly basis to discuss security and crime trends in the neighborhood;

• The BITS Crisis Management Coordination and Telecommunications Working Group is a private sector partnership working with the New York Federal Reserve to "improve the recoverability of critical financial services" in the aftermath of the experience of 9-11;

• The Contingency Planning Exchange is a "forum dedicated to providing an open exchange of information related to all contingency and Business continuity topics" which has a large membership and meets regularly to discuss key issues

While it is not possible to highlight all that is going on nationwide, we wanted to hear testimony on some of these important efforts. In this regard, we have asked the King County Office of Emergency Management in the State of Washington, and the International Association of Assembly Managers in Texas to tell us what they are doing in their public/private sector partnership to promote preparedness. We will see those now.


A.P.P.L. AREA POLICE/PRIVATE SECURITY LIAISON

Dear Security Director,

The New York City Police Department invites you to join a growing association between public and private law enforcement personnel, the Area Police/Private Security Liaison program better known as A.P.P.L.

A.P.P.L. was established in 1986 in the midtown area of Manhattan, and originally consisted of approximately thirty (30) member organizations. It has since expanded throughout the city and has a current membership of over 7300 organizations.

The goals of A.P.P.L. are to share information, identify and discuss crime trends and solutions, work together toward the common goal of protection of persons and assets and create a better working relationship between law enforcement and private security personnel.

Regular meetings are held between A.P.P.L. members and Division Commanders, Precinct Commanders and key precinct personnel. Lecturers from other Police Department units, the District Attorney's Office and the private sector use these meetings as a forum for the exchange of information. Topics are diverse, covering such areas as terrorism, auto crime and legislation such as the Security Guard Act.

Eligibility for membership in A.P.P.L. is limited to security directors having an established proprietary or contractual security force within New York City.

For more information on A.P.P.L. contact Sergeant Bill Gaeta, Police Officer John Flaherty or Police Officer Ken Schneiweis at (212) 614-6724.

Cooperation between the Police Department and the private security industry is essential to the future of our city. The New York City Police Department welcomes you, and encourages your participation in A.P.P.L. If you wish to become a member, please complete the attached membership application.

Email your completed application to: [email protected] or return it via fax to: (212) 614-6743

We look forward to the opportunity to work with you,

Sincerely,
Jessica E. Corey
Lieutenant
Commanding Officer
Crime Prevention/APPL

EMAIL: [email protected] TELEPHONE: (212) 614-6724 FAX: (212) 614-6743


Who Are We?

Our Mission?

To "bridge the gap" between the private security sector and law enforcement by working together for a common goal.

The First Precinct Community Council Financial Area, Inc. meets on the second Thursday of each month at locations throughout Lower Manhattan.

Our Next Monthly Meeting

First Precinct Community Council Financial Area, Inc. Members

Our membership includes security professionals and property managers representing businesses throughout Lower Manhattan, as well as representatives of the 1st Precinct, Office of the Chief of the Department, Transit Bureau, Port Authority, Office of the New York District Attorney and various other members of law enforcement.

1st PRECINCT COMMUNITY COUNCIL BOARD MEMBERS

The Precinct Community Council

Precinct Community Councils are a prime example of collaborative neighborhood efforts that are essential to successful police/community relations. Councils are a mechanism to encourage cooperation between the people of each community and the men and women in their local police

New York City Police Department Values

In partnership with the community, we pledge to:

- Protect the lives and property of our fellow citizens and impartially enforce the law

- Fight crime both by preventing it and by aggressively pursuing violators of the law

- Maintain a higher standard of integrity than is generally expected of others because so much is expected of us

- Value human life, respect the dignity of each individual and render our services with courtesy and civility

http://www.firstprecinctcc.org/pages/599191/page599191.html?refresh=1068603318537 11/12/2003

FINANCIAL SERVICES ROUNDTABLE

SUMMARY OF BITS CRISIS MANAGEMENT COORDINATION AND TELECOMMUNICATIONS WORKING GROUPS MEETING WITH GUESTS FROM THE TELECOMMUNICATIONS INDUSTRY AND GOVERNMENT

APRIL 24, 2003

OFFICE OF THE COMPTROLLER OF THE CURRENCY

WASHINGTON, D.C.

See last section for a list of participants.

WELCOME AND REVIEW OF GOALS

Ralph Sharpe welcomed participants to the headquarters of the Office of the Comptroller of the Currency (OCC).

Allan Woods, Vice Chairman and CIO, Mellon Financial Corporation, and Chairman of the BITS Crisis Management Coordination Working Group, reviewed the following goals, objectives, and concerns of financial institutions:

• To establish a clear notion of the deliverables, ownership, management process, and target milestones for the telecommunications initiative, including the assessment recoverability information exchange.

• Key concerns for the financial services industry have not changed since the group's last meeting in Pittsburgh:

- Financial markets are entirely dependent on highly complex telecommunications networks. Consequently, there is a need for greater diversity/physical redundancy and better information sharing between and among financial services and telecommunications sectors.

- Financial regulators require end-to-end reliability, diversity and redundancy.

- There is a continuing need for unprecedented cooperation and collaboration among the financial services industry, the telecommunications industry, and government to mitigate risks.

• Participants have embraced the telecommunications initiative as a "noble endeavor" with a view towards improving the recoverability of critical financial services. Never before have two industries worked this closely at the CEO and CIO levels. In early April, the CEOs of AT&T and MCI briefed BITS/FSR member company CEOs at The Financial Services Roundtable's Annual Meeting. Future meetings among CEOs are planned.

Woods reviewed the outcome of the February 7 BITS Telecommunications Working Group meeting: According to Mr. Woods' assessment of the meeting, participants agreed to work with the National Communications System (NCS) to facilitate, develop and coordinate scenario exercises. He further stated that NCS agreed to facilitate an effort to:

• Bring together the telecommunications industry representatives in the National Coordinating Center (NCC) as well as representatives from financial services and government.

• Identify and analyze telecommunications dependencies in several geographic locations of critical payment, clearing, and settlement processes.

• Determine what plans are in place to get critical telecommunications recovered under the scenarios developed.

• Identify areas needing additional emphasis and/or identify issues for the financial and telecommunications industries to address in recovery planning.

• Design the process as a repeatable model for use in other geographic locations.

BITS Proprietary and Confidential. Final as of 5/7/03

Woods urged participants to focus on two specific points:

• Completing a pilot assessment information exchange in Chicago involving telecommunications providers and financial institutions; and

• Drafting a recovery plan that assumes a critical telecommunications facility has been destroyed. This would help CEOs understand what their business-continuity plans should address and thus answer a critical question: How long will it take to restore telecommunications service?

Woods added that this latter point would be viewed by CEOs as an important interim step.

Woods reviewed recently announced priority initiatives of the President's National Infrastructure Assurance Council (NIAC), which is made up of 24 CEOs from private-sector companies. Dick Kovacevich of Wells Fargo Corporation and Marty McGuinn of Mellon Financial Corporation represent the financial services industry on the NIAC and are leaders in BITS/FSR. (McGuinn is the new Chairman of The Financial Services Roundtable.) One of the five priority initiatives, which McGuinn agreed to lead, addresses critical interdependencies across sectors. Woods stated that McGuinn and other CEOs will look for short-term deliverables, and that the work of the BITS Telecommunications Working Group would be beneficial in meeting NIAC's objectives.

STATUS OF BITS TELECOMMUNICATIONS WORKING GROUP

John DiNuzzo, Manager of Crisis Management, FleetBoston Financial Corporation and Chairman of the BITS Telecommunications Working Group, reviewed Telecommunications Working Group efforts since the February 7 meeting:

• February: Briefed FRB Vice Chairman Roger Ferguson, Treasury Assistant Secretary for Financial Institutions Wayne Abernathy, and Michael Dawson, Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy.

• March: Encouraged members to adopt NRIC VI best practices in physical security, cyber security, disaster recovery/business continuity and public safety; briefed members of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) on telecommunications project; and encouraged members to adopt NRIC VI recommendations. Participated in NCS/NCC efforts to develop an assessment exercise.

• April: Briefed BITS CEOs on BITS Telecommunications initiative; invited AT&T and MCI CEOs to speak at Annual Meeting. FSR/BITS Board of Directors approved telecommunications public policy statement.

Two telecommunications CEOs participated in the FSR Annual Meeting: David Dorman of AT&T and Michael Capellas of MCI. The following are highlights of their presentations:

• David Dorman, AT&T:

- Supports BITS' efforts to work in partnership with the telecommunications industry and government to strengthen the resilience of telecommunications and financial services sectors.


- Invited BITS to participate in quarterly crisis management exercises.

- Reviewed AT&T product/service designed to enhance resiliency. The implied message was that financial institutions need to specify desired service (and hence pay for it).

• Michael Capellas, MCI:

- Discussed the company's efforts to emerge from bankruptcy by the summer of 2003.

- Reviewed the company's experience on 9/11 and post 9/11: Brought up applications and core networks quickly, however, backup sites took as long as 48 hours to become operational.

- Discussed challenges of managing applications on the outer edges as well as the "last mile."

- Stated that MCI has worked to review circuitry in order to eliminate last-mile problems and developed emergency response teams, including hazmat teams.

- Recognized that MCI needs partners such as BITS.

- Stated that the adoption of standards will lead to greater resiliency, but partnerships are needed to encourage organizations to implement standards.

- Said telecommunications companies need to think about delivering telecommunications services end-to-end, including the last mile.

- Plans to create telecommunications advisory group with financial institution participation.

DiNuzzo outlined BITS' definition of success for the telecommunications initiative and stated that he reviewed these definitions of success with the CEOs of BITS/FSR member companies at the Annual Meeting on April 4:

• Completing the assessment will yield a useful process that identifies critical points of failure and helps financial institutions better restore mission-critical business processes.

• Improving communication between financial institutions and telecommunications service providers.

• Developing best practices for financial institutions, including better due diligence when entering into contracts with telecommunications providers.

• Establishing a better political process to address NS/EP issues.

DiNuzzo underscored the importance of working together, adding that the sectors need each other. He also noted that financial institutions are not telecommunications experts, and that this is an opportunity to educate each other and develop best practices. DiNuzzo urged participants to stay focused on national security concerns. He concluded his presentation with the following timeline:

• April: Secure BITS members active in Chicago to participate in assessment.

• May-June: Participate in the "assessment" and develop lessons learned.

• 3Q03: Potentially repeat the process, if the assessment exercise successfully executes the goals and objectives, in other cities.

• 3Q-4Q03: Work with telecommunications companies and others to develop best practices for financial institutions.

NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE (NSTAC) FINANCIAL SERVICES TASK FORCE (FSTF)

Roger Callahan, Bank of America Corporation, and Cristin Flynn, MCI, reviewed the activities of the NSTAC FSTF. The task force is focused on the following:

• Identifying existing content from interested parties (NRIC VI, NCS Council of Representatives, BITS, Downtown Alliance, "Interagency Paper on Sound Practices to Strengthen the Resilience


the best minds in the industry have come together to work on these best practices. Nowhere in the world, he said, has this happened before. Rauscher noted that the initial focus of NRIC was on the prevention of incidents, but in recent months NRIC has been focusing on restoration of services. For example, an additional 100 best practices were delivered at their quarterly council meeting in March. BITS CEO Catherine Allen added that during the FSR Annual Meeting in April BITS encouraged member company CEOs to review and, when appropriate, adopt the best practices.

Pamela "P.J." Aduskevicz, Network Vice President of AT&T, added that NRIC is a wonderful model involving experts from the entire telecommunications industry. One effort is focusing on conducting reviews of industry reliability similar to the National Transportation Safety Board (NTSB) following major transportation disasters. As part of this effort, telecommunications companies report performance and outage information on a quarterly basis. This will put pressure on companies with higher than normal outages. This allows for the comparison of outage standards and will encourage those companies with higher than normal outages to improve their performance. Aduskevicz added that NRIC is involved in a major outreach effort coordinated by Pamela Stegora Axberg, Qwest, to present to numerous groups and conferences and encourage the telecom industry to adopt best-practices.

COUNCIL OF REPRESENTATIVES' CRITICAL FACILITIES WORKING GROUP

Chuck Madine, FRB, provided a brief overview of the efforts of the Council of Representatives (COR). He noted that he has attended many of the meetings, but that he is not a formal member or leader of this effort, which is headed by Ken Moran of the FCC. The COR has been focusing on the following:

• Procedures for federal agencies to assess whether critical facilities provide an adequate level of diversity;

• Processes to ensure that, once diversity circuits are specified, carriers cannot reassign without notification and approval; and

• Contractual-based processes to ensure adequate levels of diversity.

This effort parallels the work of the NSTAC IES. Government agencies are focused primarily on the last mile and are trying to understand why and how diversity "erodes" and what infrastructure issues need to be preserved. In its attempts to answer the question of what government really needs, COR representatives have looked at the FAA system, and have focused on the extensive and expensive process of auditing circuits to ensure they remain diverse. Madine added that COR is focusing on the single points of failure and recoverability, recognizing that on 9/11 both private and public sector telecommunications systems were affected. He added that a key concern is to improve information systems by ensuring that telecommunications companies improve their identification of critical circuits.

INTERAGENCY PAPER ON SOUND PRACTICES TO STRENGTHEN THE RESILIENCE OF THE US FINANCIAL SYSTEM

Ralph Sharpe, Deputy Comptroller for Technology, OCC, gave an update on newly released business continuity requirements from the "Interagency Paper on Sound Practices to Strengthen the Resilience of the US Financial System." The final paper, released on April 8, is a cooperative effort of the OCC, Federal Reserve System, and Securities and Exchange Commission. Its purpose is to identify those institutions and utilities involved in critical financial services and assess the implications of the system going down (i.e., the effect on payments, clearing and settlement and other critical processes). The focus was on worst-case scenarios in the financial system that could cause the system to come to a halt. The worst-case scenario includes a wide-scale disruption with implications for all critical infrastructure components. The paper sets forth guidelines for rapid recovery and resumption and staff inaccessibility, and emphasizes the importance of regular testing. Sharpe added that the paper is not a regulation and that it will be used as a basis for ongoing discussions. To date, the OCC has received positive feedback on the paper. Sharpe described the approach to sound practices and indicated that the regulators have discussed these expectations with covered institutions.

Sharpe stated that the paper acknowledges the effect telecommunications dependencies can have on recovery times. He added that the target recovery times are aggressive: two hours for "core clearing and settlement organizations" and four hours for "financial institutions that play significant roles in critical markets." However, Sharpe said that many in the industry say that they are very close to achieving these. The final paper applies to only five core clearing and settlement organizations and twenty financial institutions that play significant roles in critical markets. The regulators have contacted these firms, but do not plan on publishing a list for national security reasons.

Sharpe reviewed the key elements of the white paper and identified the following three broad post-9/11 business-continuity objectives for all financial firms and the US financial system as a whole:

• Rapid recovery and timely resumption of critical operations following a wide-scale disruption.

• Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location.

• A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

The paper also lists the following four sound practices for "core clearing and settlement organizations" and "firms that play significant roles in critical financial markets":

1. Identify clearing and settlement activities in support of critical financial markets.

2. Determine appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets. The paper states that "core clearing and settlement organizations" should develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs, with the overall goal of achieving recovery and resumption within two hours after an event. In addition, "firms that play significant roles in critical financial markets" should plan to recover clearing and settlement activities within the business day on which a disruption occurs, but strive for a four-hour recovery time.

3. Maintain sufficient geographically dispersed resources to meet recovery and resumption objectives. The paper does not specify a minimum distance between primary and backup sites; however, the paper clearly states that backup sites should not rely on the same infrastructure components (e.g., transportation, telecom, water, electric) used by the primary.

4. Routinely use or test recovery and resumption arrangements. "Core clearing and settlement organizations" should "periodically" test recovery and resumption plans on all of their backup sites.

Regarding implementation, the paper says that "core clearing and settlement organizations" should achieve the sound practices by the end of 2004. "Firms that play a significant role in critical financial markets" should develop, approve and implement plans as soon as practicable but no later than April 2006. Boards of directors should review business continuity strategies to ensure that plans are consistent with their firm's overall business objectives, risk management strategies and financial resources.

PILOT RECOVERABILITY ASSESSMENT EXCHANGE

Roger Callahan reviewed efforts by representatives of the financial services industry, telecommunications, and the National Communications System (NCS) to develop the "pilot recoverability assessment information exchange." Since the February 7 meeting, John Burke (BITS Counsel), Roger Callahan, John Carlson, and Lee Zeichner have met with NCS policy and legal experts to work out the details of the assessment. Callahan outlined the process and basic ground rules for participation in the assessment. He added that the NCS and the telecom companies represented by the National Coordination Center (NCC) have worked hard to make this assessment possible. On April 9, John Carlson and Roger Callahan briefed approximately 12 Chicago-based financial services companies at a meeting organized by Louis Rosenthal, LaSalle Bank Corporation and Ro Kumar, Options Clearing Corporation. Rosenthal joined the meeting via conference call and described the group as a "grass roots effort" created to coordinate resources and address a variety of crisis-related issues. Rosenthal added that the Chicago-based group plans to meet regularly and, while some are waiting for additional information on legal protections and logistical information on safeguarding the information, many firms have expressed interest in participating. To encourage participation in the exercise, BITS and NCS are working on a document outlining the objectives, deliverables, benefits of participation, information required from participants, etc.

John Compitello reviewed an exercise that New York-based institutions completed in the late 1980s to look at power and telecommunications dependencies. The exercise included a task force, created by Mayor David Dinkins, consisting of 14 major telecommunications companies. A major outcome of the exercise was the identification of 60 Hudson Street as a critical point of failure. The exercise led to the creation of additional facilities to help mitigate this point of failure.

Participants debated whether recoverability issues should be addressed through one-on-one discussions between a financial institution and its telecommunications providers versus a multi-lateral approach involving multiple carriers. Allan Woods argued that the erosion of diversity involves multiple carriers and thus it must be addressed by multiple carriers.

Callahan reviewed the assessment's objectives:

• Examine a geographic area with a high concentration of critical financial services that, if not available for two or more hours, could have NS/EP implications.

• Determine the telecommunications assets/processes supporting these services and their associated recovery processes/timelines under a postulated set of scenarios.

• Identify any potential significant recovery issues or concerns.

He outlined the goals of engagement:

• Establishing a trusted process to identify areas of the most critical financial functions (e.g., wholesale payment, clearance, settlement services).

• Exploring, in detail, technological and business interfaces between these activities and their telecommunications services.

- Focus on physical diversity and redundancy considerations.

• Using specific details from both the financial services and the telecommunications sectors to generate an integrated view for the assessment and information exchange.

• Facilitating discussions among financial institutions and telecommunications companies to determine recoverability of critical telecommunications.

• Understanding how stakeholders can better manage diversification and redundancy planning for the most critical financial functions.

• Using this effort as a model for examining other areas of significant geographic concentration.

The group selected Chicago for the assessment exchange due to its high concentration of financial services firms and its presumed "high target value," per experts in the intelligence community. Callahan emphasized that this is an experiment, which has never been done before.

John Carlson noted there are several efforts underway to address recoverability issues in Chicago, one of them being the DHS-sponsored and funded (via Argonne Laboratory) Security Board. BITS has communicated with Dick Arns of the Security Board, who has advised BITS of the complex political and competitive environment in Chicago. Arns requested that BITS work in partnership with the Security Board. Carlson stated that BITS will not partner with the Security Board, but that BITS would periodically communicate with Arns in order to keep the Security Board apprised of our efforts and to learn about the Security Board's efforts.

Roger Callahan referenced other efforts, including those by Dartmouth College (Live Wire), and the Financial Industry's Technical Officers and Professionals (FITOP). Callahan mentioned that Treasury has asked the FSSCC to map out the groups who are asking financial institutions to participate in scenario-building exercises and identify their primary objectives. Participants noted that they have been asked to participate in multiple exercises and that financial services and telecommunications companies must decide which ones to participate in.

Allan Woods asked why the group did not plan to focus on a particular facility that the group would consider to be a potential single point of failure. Jane Polk of the NCS noted that the telecommunications carriers do not believe that this is a useful approach to achieving the goals as outlined. Instead, the telecommunications companies recommend focusing on how the telecommunications industry supports critical functions of the financial services industry. A scenario-based approach will not lead to the right dialogue and generate useful knowledge for the financial institutions to help in their recovery planning. Woods responded that financial services companies need to know how long it will take to recover if a -tied telecom facility is destroyed in order to develop a realistic business continuity plan. John Compitello added this was not possible without looking at specific facilities. Teresa Lindsey, BITS, noted that these goals are not mutually exclusive. P.J. Aduskevicz of AT&T concluded that the telecommunications providers strongly believe a scenario-based approach is not advisable. Woods emphasized that recoverability, in addition to a long-term approach, is important. However, he added the financial services industry needs information that a scenario-based approach would provide to develop realistic business continuity plans.

Harry Underbill, AT&T, stated that telecommunications companies do not know which circuits underlie critical services. Consequently, the best approach for telecommunications companies is to take a center point (including the Chicago suburbs) and draw a ring around Chicago. Financial institutions should be prepared to review the identity of critical circuits. Mr. Underbill also recommended that the scope include relevant suburbs in Chicago or the assessment would not capture important telecom facilities.

Callahan reviewed the four-step process for the assessment: preparation, briefing participants, performing the pilot assessment, and evaluating the pilot assessment.

Callahan stated that the information will be shared during the assessment exchange but that paper documents (e.g., "the map") will be destroyed and electronic documents will be prohibited. Carriers and financial institutions will apply this new knowledge to strengthen resilience.

In addition to briefing participants, NCS and BITS are working on the following legal issues designed to protect stakeholders and participants:

• Protect proprietary and sensitive information

— Use non-disclosure agreements: Crafting basic agreements for industry, government and contractor participants. Must have some form to claim Freedom of Information Act (FOIA) protections.

— Craft business rules for handling of information: Labeling/handling of all information - "Proprietary and Confidential". Managing access to information during assessment.

— Implement FOIA protections: Reviewing based on NCS/DISA policies — must affirm with new Department of Homeland Security.

• Protect against antitrust liability

— Develop rules for assessment participation

— Include/involve counsel—John Burke (BITS) and Carl Smith (DISA)—in assessment activities

— Address other legal risks involving business practices

— Non-essential option: Business Review Letter. [1]

NCS AND NCC

Jane Polk, Chief of Operations Branch of the Critical Infrastructure Protection Division of the NCS, reviewed the activities of the NCS and NCC. Since the last meeting, the NCS has been merged into the Department of Homeland Security. Its primary mission is to guarantee telecommunications services for the Executive Office of the President and to ensure telecommunications services for national security and emergency preparedness (NS/EP). The NCS works with the NCC to establish services in an emergency. Polk emphasized the close, trusted relationship the NCS has fostered with the telecommunications industry since the agency's establishment of the National Coordination Center for Telecommunications (NCC) in the early 1980s. The NCC provides a trusted environment where industry and government can address issues and implement NS/EP programs.

[1] A Business Review Letter on the assessment exercise would provide additional guarantees from the government on antitrust issues. Specifically, a Business Review Letter is a written request to the US Department of Justice (DOJ) outlining assessment details — who attends, what information will be shared, etc. The DOJ reviews planning efforts to ensure that there are no antitrust violations. DOJ will either write back approving the plans ("if you follow the letter, then we will not have any reason to prosecute...") or provide additional recommendations or guidance on alternative plans for antitrust purposes.


All NCC representatives have agreed to participate in the assessment exercise. The telecommunications companies request that participating financial institutions bring the following specific information to the assessment exchange; the providers consider these data elements essential for a successful assessment exchange:

• The institution's critical location(s) for both primary and backup sites

— Addresses

• Mission critical circuit(s) for primary and back-up sites

— Vendor for circuit(s) of concern (the company that bills the institution)

— Type of circuit(s)

— Circuit ID(s)

— Telephone number(s)

• Circuit diversity

— ID of diversity pairs

— Vendor for each

• Circuit utilization (amount of time they are used, e.g., require 80 percent utilization of the circuit during the X process run, this occurs for Z hours, Y times a day)

• Duration of sustained outage before critical mission is impaired

The telecommunications companies have also drafted the following rules of engagement:

• A specific geographic area around Chicago must be identified for consideration during the information exchange (i.e., "a circle around Chicago"); Harry Underbill (AT&T) requested that the assessment include certain suburbs.

• Only two representatives from each carrier should participate in the information-exchange session. NCC members will coordinate with the financial services team to determine financial sector representation for the exchange.

• All NCC representatives are permitted to attend the information-exchange session, even if their carrier's network is not involved in the assessment.

• The information exchange can occur only if the financial sector provides circuit IDs for circuits supporting critical services at each financial site.

• Specific scenarios will not be considered during the information exchange; rather, a general discussion will take place about the circuits supporting the critical services.

NCS and the telecommunications companies recognize that non-disclosure agreements (NDAs) are critical and that all participants will have to sign and agree to the NDA. Attorneys are working on the issue. Polk closed by stating that the telecommunications companies are dedicated to this issue, but that they have gone as far as they can by themselves.

LEGAL PROTECTIONS

Lee Zeichner, Zeichner Risk Analytics (and contractor for the NCS), acknowledged the hard work and efforts of attorneys John Burke, Foley Hoag, and Carl Smith, Defense Information Systems Agency (DISA) during the past two months, and Cristin Flynn, MCI, during the past two weeks in helping to address the legal issues posed by the exercise. Zeichner added that NCS is applying three models to develop a simple process for protecting stakeholders and participants in the assessment. He also identified two problems in developing NDAs: 1) defining the information and 2) defining the consequences. In addition, the attorneys are addressing Freedom of Information Act (FOIA) issues to ensure that information will not be made public. NCS has already requested that Mr. Smith, DISA General Counsel, initiate a formal process through DHS, including a request for advice on how documents should be marked. Antitrust issues are also under consideration. Ralph Sharpe (OCC) encouraged the participants to speak with the Federal government's experts in FOIA at the Department of Justice. Zeichner noted that attorneys had approached and talked to the Justice Department (i.e., Office of Information and Privacy) regarding FOIA implementation guidance.

OTHER DISCUSSION TOPICS

Federal Reserve Role. John Carlson stated that the Federal Reserve Board decided shortly after the February 7 meeting that it will not participate in the assessment. Notwithstanding this, the FRB has been a strong supporter of efforts to improve resiliency and to strengthen cooperative efforts among financial institutions and telecommunications companies. While Chuck Madine (from the FRB, on detail to the NCS) is involved, he is officially not acting as a FRB representative in the NCS/NCC discussions.

Collaboration with Telecommunications Companies. Catherine Allen noted that BITS met with senior staff from AT&T to follow up on commitments made following CEO David Dorman's presentation at the FSR Annual Meeting. AT&T has offered to host several meetings in the coming months to discuss business-continuity and security-related issues. These meetings are intended to be educational (not sales oriented) to improve collaboration between the financial services and telecommunications sectors.

DELIVERABLES AND NEXT STEPS

The group agreed to the following deliverables and next steps; leads are indicated in brackets:

Assessment:

• Determine how the goal of drafting the recovery plan could be accomplished. [NCS and Telecommunications providers to discuss and report back to BITS Telecom Working Group]

• Draft briefing document for CEOs of Chicago-based institutions who have been asked to participate in the assessment exchange. The briefing document would lay out the objectives, goals, process, required information, and legal protections. [BITS with input from NCS]

• Involve financial institution legal counsel in the NDA process; consider hosting meetings of key legal experts from Chicago-based financial institutions (along with CEOs) in the Chicago area. [BITS and NCS]

• Develop planning guide. [NCS to provide BITS with a final planning guide].

Best Practices:

• Determine how NRIC's best practices might be referenced in contracts. [BITS to develop first draft and then vet with NCS/NCC, NRIC, and other interested parties.]

• Develop list of financial institution-specific questions for contracting telecommunications services and incorporate in SLAs. [BITS to develop first draft and vet with NCS/NCC, NRIC, and other interested parties.]

• Collaborate on and produce a glossary of key terms. [NSTAC IES with support from NRIC]

Resources:

• Determine what resources are needed to complete target deliverables. [BITS to develop a proposal and solicit additional resources from member companies.]


Other:

• Determine how to leverage efforts to advance NIAC's goal of examining cross-sector interdependencies of critical infrastructure sectors and provide risk-assessment guidance. [BITS to work with member CEOs to make firms represented on NIAC aware of these efforts. BITS to ask NIAC to look at other advisory committees.]

NEXT MEETING

The NCS volunteered to host the next meeting at their offices in Arlington, Virginia on Thursday, May 29.

In Person Participants

AT&T, P.J. Aduskevicz
AT&T, Harry Underbill
Bank of America Corporation, Roger Callahan
BITS, John Carlson
BITS, Teresa Lindsey
BITS, Leslie Mitchell
BITS, Heather Wyson
Booz Allen Hamilton, Joe Butcher
Booz Allen Hamilton, Annalisa Sheelar
The Clearing House, Al Wood
Compass Bank, Rick Nelson
EDS, Liesyl Franz
Federal Reserve Board, Chuck Madine
Federal Reserve System, Ken Buckley
FleetBoston Financial Corporation, John DiNuzzo
Lucent Technologies, Karl Rauscher
MCI, Cristin Flynn
Mellon Financial Corporation, Susan Vismor
Mellon Financial Corporation, Allan Woods
National Communications System, Jane Polk
Northern Trust Corporation, John Fowler
Office of the Comptroller of the Currency, Jim Devlin
Office of the Comptroller of the Currency, Ralph Sharpe
Office of the Comptroller of the Currency, Joe Szaro
Qwest, Tom Snee
SBC, Rosemary Leffler
SBC, Jonathan Boynton
Sprint, John Stogoski
U.S. Department of Treasury, Eric Robbins
Verizon, Ernie Gormsen
Zeichner Risk Analytics, Lee Zeichner

Phone-in Participants

BITS, Catherine Allen
Edward Jones Investments, Mel Musson
LaSalle Bank Corporation, Louis Rosenthal
PNC Financial Services Group, Inc., Sherry DuCarme
PNC Financial Services Group, Inc., Chuck Rodger
Securities Industry Automation Corporation (SIAC), Andy Bach
SIAC, Edwin Cruz
U.S. Department of Navy, Jim St. Clair

Submitted by John Carlson, BITS, on May 7, 2003


CONTINGENCY PLANNING EXCHANGE

551 Fifth Avenue, Suite 3025
New York, NY 10176
Ph. 212-983-8644 • Fax 212-687-4016
www.cpeworld.org • headquarters@cpeworld.org

QUARTERLY MEETING

Date: Wednesday, November 12, 2003
Time: 8 a.m. - 5 p.m.
Host: Con Edison
Place: 4 Irving Place, 19th Floor Auditorium, New York, NY 10004

AGENDA

8-9 a.m. Member Registration and Vendor Exhibits; Continental Breakfast

9-9:05 a.m. Welcome
KEVIN BURKE, President and COO, Consolidated Edison Company of New York

9:05-9:15 a.m. CPE Welcome and Announcements
ROSEANN McSORLEY, Deutsche Bank; Chair, Contingency Planning Exchange, Inc.

9:15-9:45 a.m. Keynote Address
DAVE DORMAN, CEO, AT&T

9:45-10:30 a.m. CHICAGO First Public Private Partnership
TERESA LINDSEY, BITS — The Technology Group

10:30-11 a.m. Break and Vendor Displays

11-11:45 a.m. Corporate Emergency Access System Approved for New York City
PETER PICARILLO, Director of Public Private Initiatives, New York City Office of Emergency Management

11:45 a.m.-12:30 p.m. NYC DoITT — Telecommunications Infrastructure Update
AGOSTINO CANGEMI, Deputy Commissioner for Franchise Administration and Planning

12:30-1:30 p.m. Lunch and Vendor Displays

1:30-2 p.m. Con Edison Communications
PETER RUST, Con Edison


2-2:45 p.m. Crisis Management
MICHAEL SPALL, Project Manager, Emergency Management, Con Edison

2:45-3 p.m. Break and Vendor Displays

3-3:45 p.m. The Unique Vulnerability of the NY-NJ Metropolitan Region to Severe Storm Landfall
DR. NICHOLAS K. COCH, School of Earth and Environmental Sciences — Queens College and CUNY Graduate Center

3:45-4:30 p.m. Current Event Analysis
SPEAKER TBD

4:30-5 p.m. Closing Ceremonies and Raffle Drawings

RSVP: Requested for planning purposes, 212-983-8644 or headquarters@cpeworld.org

BUILDING ENTRY: Photo identification is required for building entry.

COST: Members - Free. Nonmembers, $75 payable by cash, check, or credit card.

HANDOUTS: Handout materials are provided to attendees at the discretion of the presenter.

TRAVEL DIRECTIONS: Via Subway: "4," "5," or "6," to 14th Street and walk one block east to the facility; maps available at www.cpeworld.org.

AND FOR THE SEPTEMBER 3, 2003, MEETING, SPECIAL THANKS TO:

Citigroup for providing the facility.
Strohl Systems for providing the refreshments.