
Implementing NFPA 1600

Bobby Williams, CBCP

Who Am I?

• Bobby Williams, CBCP
• Business Continuity Manager
• Emdeon, Inc. (NYSE: EM)
• BSEE, University of Tennessee, Chattanooga

• 20 Years in IT Industry
• Nuclear Power Industry
• Health Care Industry
• Fortune 500 Companies
• Certified Solaris Administrator
• Certified HPUX Administrator
• Extensive background with Unix, Windows, and NetBackup
• ITIL V3 certified

• Vice President, Middle Tennessee Chapter of the Association of Contingency Planners (ACP)

Page 2

Agenda

• PS-Prep
• NFPA 1600
• The parts of NFPA 1600 that could trip you up
• A handy tool to use to track your progress

What is PS-Prep?

• PUBLIC LAW 110–53 (AUG. 3, 2007)
• Created as a response to the 9/11 Commission findings
• Department of Homeland Security identifies 3 standards for business continuity
• The business can choose to implement any of the 3
  – NFPA 1600
  – BS 25999
  – ASIS SPC.1

Page 3

What is NFPA 1600?

• Standard on Disaster/Emergency Management and Business Continuity Programs

• Endorsed by 9/11 Commission
• One holistic framework addresses:
  – Emergency Management
  – Business Continuity
  – Crisis Communications
  – Recovery
• Aligned with DRII’s 10 Professional Practices for Business Continuity

What does NFPA 1600 address?

• Organization
• Management
• Risk assessment, prevention, mitigation
• Resource Management
• Emergency Response
• Operational Continuity
• Recovery

Page 4

Why do I need a standard for my program?

If you aim for nothing, you will hit it every time.

What is in NFPA 1600?

1. Purpose
2. References
3. Definitions
4. Management
5. Planning
6. Implementation
7. Test & Exercises
8. Improvement

Page 5

So implementation should be easy, right?

Yes

And

No

What is going to trip me up?

4. Management
5. Planning
6. Implementation
7. Test & Exercises
8. Improvement

Page 6

4. Management

• 4.1 Leadership and Commitment
  – If you don’t have Executive support, stop now
  – If you don’t have a budget, stop now
  – If this is an “additional duty”, proceed with caution

• 4.3 BCP Committee
  – If you don’t have a committee, stop now
  – If HR is not part of the committee, stop now
  – If Legal is not part of the committee, stop now

4. Management

• 4.8 Records Management
• Policies need to be created, approved, and enforced to address the following:
  – Records classification
  – Maintenance of confidentiality
  – Maintenance of integrity incorporating audit trail
  – Record retention
  – Record storage
  – Record archiving
  – Record destruction
  – Access control
  – Document control

Page 7

5. Planning

• Nothing here that you are not already doing.
• Needed in all plans:
  – identify the functional roles and responsibilities of internal and external agencies, organizations, departments, and positions
  – identify lines of authority
  – identify lines of succession
  – identify interfaces to external organizations
  – identify the process for delegation of authority
  – identify logistics support and resource requirements

5. Planning

• NFPA 1600 requires that your program will:
  – Do Risk Assessments
  – Conduct Business Impact Analysis (BIA)
  – Include prevention measures
  – Include mitigation strategies

• Nothing new here

Page 8

6. Implementation

Here comes the hard stuff
• 6.1 Resource Management - HR
• 6.2 Mutual Aid/Assistance - Legal
• 6.3 Communications and Warning - HR & Legal
• 6.4 Operational Procedures
• 6.5 Emergency Operations/Response
• 6.6 Employee Assistance and Support - HR & Legal
• 6.7 Continuity and Recovery
• 6.8 Crisis Communications and Public Information
• 6.9 Incident Management
• 6.10 Emergency Operations Centers (EOCs)
• 6.11 Training and Education

6. Implementation

• 6.6 Employee Assistance and Support
  – 6.6.1 The entity shall develop a strategy for Employee Assistance and Support to include the following:
    (1) Communications procedures
    (2) Contact information, including emergency contact outside anticipated hazard area
    (3) Accounting for persons affected, displaced, or injured by the incident
    (4) Temporary, short-term or long-term housing, feeding and care of those displaced by an incident
    (5) Mental health and physical well-being of individuals affected by the incident
    (6) Pre-incident and post-incident awareness

Page 9

7. Testing and Exercises

• Evaluate BCP Plans, procedures, and capabilities through periodic testing and exercises

• Exercises shall be designed to evaluate BCP Plans, procedures, and capabilities

• Exercises shall provide a standardized methodology to practice procedures and interact with other entities in a controlled setting

• Testing and exercises shall be conducted on the frequency needed to establish and maintain required capabilities

8. Improvement

• Review
• Revise
• Repeat

Page 10

Hey, I already do most of that!

• The majority of the policies and procedures required by NFPA 1600 are probably in your program NOW

• Some parts may not be applicable to your organization

• Mature programs may want to use it as a refresh or improvement guide

• Think of your program as a train
• NFPA 1600 is going to be the track to guide the direction
• Your steering committee is going to drive the train
• You (the BC professional) are going to shovel the coal to keep the fire hot
• Your executives are going to keep the engine coupled to the rest of the train

Page 11

How do I keep up with all of this stuff?

Business Continuity Program scorecard (Program Definition is a one-time occurrence; Program Compliance is the ongoing BC effort)

Status legend: 3 = Addressed or Completed, 2 = Working, 1 = Not Addressed

| Clause | Requirement | Program Definition | Program Compliance |
|---|---|---|---|
| | Business Continuity Program | 100.0% | 100.0% |
| 4 | Program Management | 100.0% | 100.0% |
| 4.1 | Leadership and Commitment. | 3 | 3 |
| 4.1.1 | The entity leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintain continuity during, and recover from incidents. | 3 | 3 |
| 4.1.2 | The leadership commitment shall include the following: | 3 | 3 |
| 4.1.2 (1) | Policies, plans, and procedures to develop, implement and maintain the program | 3 | 3 |
| 4.1.2 (2) | Resources to support the program | 3 | 3 |
| 4.1.2 (3) | Reviews and evaluations to ensure program effectiveness | 3 | 3 |
| 4.1.2 (4) | Correction of deficiencies | 3 | 3 |
| 4.1.3 | The entity shall adhere to policies, execute plans, and follow procedures developed to support the program. | 3 | 3 |
| 4.2 | Program Coordinator. The program coordinator shall be appointed by the entity and authorized to develop, implement, administer, evaluate, and maintain the program. | 3 | 3 |
| 4.3 | Program Committee. | 3 | 3 |
| 4.3.1 | A program committee shall be established by the entity in accordance with its policy. | 3 | 3 |
| 4.3.2 | The program committee shall provide input for, and/or assist in, the coordination of the preparation, development, implementation, evaluation, and maintenance of the program. | 3 | 3 |
| 4.3.3 | The program committee shall include the program coordinator and others who have the expertise, the knowledge of the entity, and the capability to identify resources from all key functional areas within the entity and shall solicit applicable external representation. | 3 | 3 |
| 4.4 | Program Administration. | 3 | 3 |
| 4.4.1 | The entity shall have a documented program that includes the following: | 3 | 3 |
| 4.4.1 (1) | Executive policy including vision, mission statement, roles and responsibilities, and enabling authority | 3 | 3 |
| 4.4.1 (2) | Program scope, goals, objectives, and method of program evaluation | 3 | 3 |
| 4.4.1 (3) | Program plans and procedures that include the following: | 3 | 3 |
| 4.4.1 (3) a) | Anticipated cost | 3 | 3 |
| 4.4.1 (3) b) | Priority | 3 | 3 |
| 4.4.1 (3) c) | Time schedule | 3 | 3 |
| 4.4.1 (3) d) | Resources required | 3 | 3 |
| 4.4.1 (4) | Applicable authorities, legislation, regulations, and industry codes of practice as required by Section 4.5. | 3 | 3 |
| 4.4.1 (5) | Program budget and schedule, including milestones | 3 | 3 |
| 4.4.1 (6) | Records management practices as required by Section 4.8 | 3 | 3 |
| 4.5 | Laws and Authorities. | 3 | 3 |
| 4.5.1 | The program shall comply with applicable legislation, policies, regulatory requirements, and directives. | 3 | 3 |
| 4.5.2 | The entity shall establish and maintain a procedure(s) to comply with applicable legislation, policies, regulatory requirements, and directives. | 3 | 3 |
| 4.5.3 | The entity shall implement a strategy for addressing the need for revisions to legislation, regulations, directives, policies, and industry codes of practice. | 3 | 3 |
| 4.6 | Performance Objectives. | 3 | 3 |
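The scorecard above rolls per-clause statuses up into the two percentages shown per section. The following is an added example (not the presenter's spreadsheet and not part of the original slides) that reproduces that rollup in code: it encodes the slide's status legend, keeps the one-time Program Definition column separate from the ongoing Program Compliance column, rejects status codes outside the legend so a typo cannot skew the percentages, and lists the clauses that still need work. The chapter 4 clause numbers follow the slide; the chapter 5 clause numbers and every status value are constructed sample data.

```python
"""Rollup for an NFPA 1600 program scorecard.

Added example, not the presenter's spreadsheet. Status legend as on the
slide: 3 = Addressed or Completed, 2 = Working, 1 = Not Addressed. Each
clause carries two statuses: Program Definition (one-time effort) and
Program Compliance (ongoing effort). Chapter 4 clause numbers follow the
slide; chapter 5 numbers and all status values are constructed.
"""
from dataclasses import dataclass

ADDRESSED, WORKING, NOT_ADDRESSED = 3, 2, 1
STATUS_LABEL = {ADDRESSED: "Addressed or Completed",
                WORKING: "Working",
                NOT_ADDRESSED: "Not Addressed"}


@dataclass(frozen=True)
class Clause:
    number: str       # dotted clause number, e.g. "4.1.1"
    text: str         # short paraphrase of the requirement
    definition: int   # Program Definition status (one-time)
    compliance: int   # Program Compliance status (ongoing)

    def __post_init__(self):
        # An unknown status code would silently distort the percentages,
        # so reject anything outside the legend when the row is created.
        for value in (self.definition, self.compliance):
            if value not in STATUS_LABEL:
                raise ValueError(f"{self.number}: status {value!r} is not in the legend")


# Constructed sample scorecard (illustrative statuses, not a real program).
CLAUSES = [
    Clause("4.1.1", "Leadership demonstrates commitment to the program", 3, 3),
    Clause("4.1.2", "Commitment includes policies, resources, reviews, corrections", 3, 3),
    Clause("4.2", "Program coordinator appointed and authorized", 3, 3),
    Clause("4.3.1", "Program committee established per policy", 3, 3),
    # Chapter 5 numbers below are placeholders for the planning items the
    # slides list (risk assessment, BIA, prevention, mitigation).
    Clause("5.1", "Risk assessment performed", 3, 3),
    Clause("5.2", "Business impact analysis (BIA) conducted", 3, 2),
    Clause("5.3", "Prevention measures included", 2, 1),
    Clause("5.4", "Mitigation strategies included", 1, 1),
]


def section_of(number, depth=1):
    """'4.1.1' -> '4' at depth 1, '4.1' at depth 2."""
    return ".".join(number.split(".")[:depth])


def pct_addressed(values):
    """Share of statuses that are fully addressed (the spreadsheet's 100.0% figures)."""
    if not values:
        return 0.0
    return 100.0 * sum(1 for v in values if v == ADDRESSED) / len(values)


def rollup(clauses, depth=1):
    """Map each section at the given heading depth to (definition %, compliance %)."""
    groups = {}
    for c in clauses:
        groups.setdefault(section_of(c.number, depth), []).append(c)
    return {
        section: (pct_addressed([c.definition for c in group]),
                  pct_addressed([c.compliance for c in group]))
        for section, group in groups.items()
    }


def program_totals(clauses):
    """Overall (definition %, compliance %) across every clause."""
    return (pct_addressed([c.definition for c in clauses]),
            pct_addressed([c.compliance for c in clauses]))


def open_items(clauses):
    """Clauses not fully addressed in either column, worst status first."""
    pending = [c for c in clauses if min(c.definition, c.compliance) < ADDRESSED]
    return sorted(pending, key=lambda c: min(c.definition, c.compliance))


def report(clauses):
    """Plain-text summary in the same shape as the slide's scorecard."""
    lines = ["%-8s %-55s %6s %6s" % ("Clause", "Requirement", "Def", "Comp")]
    for section, (d, c) in rollup(clauses).items():
        lines.append("%-8s %-55s %5.1f%% %5.1f%%" % (section, "Section rollup", d, c))
    for c in clauses:
        lines.append("%-8s %-55s %6d %6d" % (c.number, c.text[:55], c.definition, c.compliance))
    d, c = program_totals(clauses)
    lines.append("%-8s %-55s %5.1f%% %5.1f%%" % ("Total", "Business Continuity Program", d, c))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CLAUSES))
    for c in open_items(CLAUSES):
        print(f"TODO {c.number}: {c.text} [{STATUS_LABEL[min(c.definition, c.compliance)]}]")
```

With the constructed data, chapter 4 rolls up to 100.0% in both columns (matching the slide), chapter 5 to 50.0% definition and 25.0% compliance, and `open_items` returns the steering committee's to-do list with the Not Addressed clauses first.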

Resources

• The spreadsheet for tracking your program can be downloaded from:
  – http://midtenn.acp-international.com/tools/bcscorecard.xlsx

• A copy of NFPA 1600 can be downloaded from:
  – http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf

• Disaster Recovery Institute International (DRII) has an audit training and certification program for NFPA 1600 audits
  – https://www.drii.org/education/course_desc.php?courseeventid=405&courseid=55

Page 12

Questions?