
PUBLIC LAW 110-53 “IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007” TITLE IX


Pat_Xavi





  1. PUBLIC LAW 110-53 “IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007” TITLE IX

  2. Regulatory Timeline, 1991 - 2008
     Post-9/11:
     • Sarbanes-Oxley Act of 2002
     • HIPAA, Final Security Rule
     • FFIEC BCP Handbook - 2003/2008
     • Fair Credit Reporting Act
     • NASD Rule 3510
     • NERC Security Guidelines
     • FERC Security Standards
     • NAIC Standard on BCP
     • NIST Contingency Planning Guide
     • FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
     • NYSE Rule 446
     • California SB 1386
     • Australia Standards BCM Handbook
     • GAO Potential Terrorist Attacks Guideline
     • Federal and Legislative BC Requirements for IRS
     • Basel Capital Accord
     • MAS Proposed BCP Guidelines (Singapore)
     • NFA Compliance Rule 2-38
     • FSA Handbook (UK)
     • BCI Standard, PAS 56 (UK)
     • Civil Contingencies Bill (UK)
     • FPC 65
     • NYS Circular Letter 7
     • ASIS
     • State of NY FIRM White Paper on CP
     • NISCC Good Practices (Telecomm)
     • Australian Prudential Standard on BCM
     • HB221, HB292, BS25999, SS507, TR19, CA Z1600, ISO/PAS 22399
     Pre-9/11:
     • Consumer Credit Protection Act
     • OMB Circular A-130
     • FEMA Guidance Document
     • Paperwork Reduction Act
     • FFIEC BCP Handbook
     • Computer Security Act
     • 12 CFR Part 18
     • Presidential Decision Directive 67
     • FDA Guidance on Computerized Systems used in Clinical Trials
     • ANSI/NFPA Standard 1600
     • Turnbull Report (UK)
     • ANAO Best Practice Guide (Australia)
     • SEC Rule 17 a-4
     • FEMA FPC 65
     • CAR, DRII, BCI
     Title IX – 110-53
     Timeline axis: 1991 - 2001 | 2002 | 2008

  3. The Holy Grail or SOX for Business Continuity
     • The Program Was Called For In Title IX Of "The Implementing The 9/11 Commission Recommendations Act Of 2007" (Public Law 110-53), Which Addresses A Diversity Of Other National Security Issues As Well. It Was Signed Into Law By The President On August 3, 2007.
     • Intent – To Implement The Findings Of The 9/11 Commission
     • “Like” NFPA 1600 Was The Recommendation Of The Commission For A Standard
     • DRII’s Professional Practices Are The Basis For BCP In NFPA 1600
     • Will It Become A “Standard”????
       • Voluntary
       • Non-punitive
     • Unsuccessful Attempts By Federal Government To Address Private Sector BCM
     • Overcome Investments By Private Sector
     • Strain On Small And Medium Sized Businesses In Supply Chain

  4. Title IX – 110-53
     a. The goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
     b. The program will be voluntary.
     c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
     d. The program will be administered outside of government by third-party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
     e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
     f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
     g. Special consideration will be made for small business.
     h. Proprietary and confidential information is to be protected.

  5. Defining “The Standard”
     • Process Used By Sloan Interdisciplinary Team
       • Representatives of: ASIS, DRI International, NFPA, RIMS
     • Review Existing Regulations
       • FFIEC, NYSE, SEC, NASD
       • NERC
       • HIPAA
     • Provide “Credit” for Work Already Done
       • Reduce Start-From-Scratch Opposition
     • Create Core Elements for Standard
     Core elements are those basic components that, when implemented within an organization’s unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the “common set of criteria for preparedness, disaster management, emergency management, and business continuity programs...” called for under the law).

  6. Core Elements: 13 Become 8
     • Policy statement and management commitment - scope, program roles, responsibilities, and resources
     • Risk identification, assessments and criticality impact analyses, including legal and other requirements
     • Prevention and mitigation evaluation and planning
     • Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology); includes communications
     • Recovery planning - may be considered to include rebuilding, repairing, and / or restoring
     • Awareness and training
     • Exercises and testing
     • Program revision and improvement

  7. Process Mapping

  8. Standards Crosswalk
     • NFPA 1600:2007 Standard on Disaster/Emergency Management and Business Continuity Programs
     • CSA Z1600 Standard on Emergency Management and Business Continuity Programs
     • DRII/BCI Professional Practices for Business Continuity Planners
     • BS 25999-2:2007 Business Continuity Management – Part 2: Specification
     • ASIS International - Organizational Resilience: Preparedness and Continuity Management - Best Practices Standard
     • TR19:2005 Technical Reference for Business Continuity Management (BCM)

  9. Flexibility Within A Framework
     • Existing Industry Efforts
     • Regulations
       • FFIEC – NYSE – SEC – HIPAA – NERC
     • Standards
       • ISO, ANSI, BSI
     NOT Sarbanes-Oxley

  10. Results

  11. Process For Implementation of Title IX
     1. DHS will designate one or more organizations to act as the accrediting body, to oversee the certification process, and to accredit qualified third parties to carry out the certification program.
     2. DHS will separately designate one or more standards for assessing private sector preparedness.
     3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards.
     4. DHS will monitor the effectiveness of the program on an on-going basis.

  12. Process For Implementation of Title IX
     • Appointment by DHS of Designated Officer: October 1, 2007 (Ashley Moore, FEMA)
     • Enter into Agreement for standard: February 28, 2008 (Marcus Pollock, FEMA)

  13. Gaining Accreditation

  14. Implications
     • Certification
       • Benefit To Passing Certification
       • If You Can’t Pass, Don’t Start
     • Legal
       • Litigation Standard
       • “Voluntary Negligence”
     • No Teeth
       • Non-Punitive
     Will it meet customer requirements?

  15. What We Know Right Now
     • Title IX of PL 110-53 is an unfunded effort; there are no tangible rewards, e.g., tax reductions in the form of deductions or tax credits to use as an incentive. While there are ongoing efforts to provide some insurance relief for business continuity planning, at this time no such incentives are available. – Sloan Foundation Report
     • FEMA has been designated to lead the effort
     • ANSI-ANAB will oversee the certification process
       • Manage accreditation
       • Accredit third parties to carry out certification
       • Collaborate to develop procedures and requirements for certification and accreditation

  16. Now For The Misinformation
     “Although voluntary right now, these standards could soon be federal mandates for all private industry.” - Not To Be Named Consulting Firm, in advertising for their webinar
     “Will share their best practices to meet the new ‘national preparedness standard’ known as NFPA 1600.” – Not To Be Named Consulting Firm
     “This voluntary program offers a number of potential benefits to the certified organization, including:
       • Possible insurance premium advantages
       • Enhanced credit ratings
       • Competitive differentiation” - Not To Be Named Consulting Firm

  17. Assessing The Business Continuity Process
     • DRII Evaluates Planning Process, Implementation and Testing Across The 10 Professional Practices – MAPS TO CORE ELEMENTS
     • Includes Subcategories
     • Ability To Weight Each Category
     • Utilizes The Same Scoring As It Does For Certifying Professionals
     • Questions Require A Yes Or No
     • Recommendations Are Provided When A “No” Answer Is Provided
     • May Be Customized For Industry, Country Or Regulatory Considerations
     • Will Contribute To A Worldwide Database

  18. Thank You – Q&A

  19. The TREATY OF ORLANDO
     • 10% Off For ACP Members On All DRII Courses
     • 5% “Sponsorship Fee” To The ACP Chapter Hosting A DRII Course
     • Contact: Russell Wooldridge – 202-962-3930 – rwooldridge@drii.org
