FSTC’s 2008 Annual Conference
On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators
The Financial Services Technology Consortium
Empowering the Industry Through Innovative Ideas



June 18, 2008

Voluntary Preparedness

• Al Martinez-Fonts – “TITLE IX, FACT VS. FICTION” – Department of Homeland Security, Assistant Secretary, Private Sector Office

• Matthew Deane – “THE ROLE OF STANDARDS IN TITLE IX” – Director of Homeland Security Standards, American National Standards Institute (ANSI)

• Randy Till – “TITLE IX, A PRACTITIONER’S POINT OF VIEW” – Global Business Continuity Management, MasterCard Worldwide

• David Nolan – Moderator – CEO, Fusion Risk Management, Inc.


VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, FACT VS. FICTION

Al Martinez-Fonts
Department of Homeland Security, Assistant Secretary, Private Sector Office


Background

• “Implementing the Recommendations of the 9/11 Commission Act of 2007”

  – Public Law 110-53, signed on August 3, 2007

• Requirement to develop a National Voluntary Private Sector Preparedness Accreditation and Certification Program

  – Establish a common set of standards for private sector preparedness relating to disaster management, emergency management, and business continuity


Goal

Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all-hazards environment.

“…the government does not, and cannot work alone… private sector organizations play a key role before, during and after an incident.”

– National Response Framework (2007)


Key Program Requirements

• Voluntary participation

• Provide method to independently certify preparedness of private sector entities

• Administered by non-government entity

• DHS designate one or more standards based on published target criteria

• Integrate/leverage existing regulatory requirements and existing efforts, if feasible

• DHS maintain and make public a listing of any public entity certified as being compliant, if that public entity consents to being listed

• Small business consideration


Program Roadmap, 2008 to 2012 (diagram)

Program Phase 1 – Program & Target Criteria Development

  – Draft Program Concept

  – Establish Accrediting Body Contract

  – Target Criteria for Standards (in work): Standards process; Scope and Policy; Requirements; Risk Assessment; Objectives and Strategies; Operational and Control Strategies; Competence and Training; Communication and Warning Strategies; Resource Management; Assessment and Evaluation; Continuing Review

Program Phase 2 – Basic Preparedness and Enhanced Target Criteria Refinement

Program Phase 3 – Enhanced Preparedness

Basic (Current) Standards

  – Existing Preparedness Standards – TBD

  – Existing Preparedness Programs – TBD (e.g. “Ready.Gov” and others)

Enhanced (Future) Standards

  – New / Revised Preparedness Standards – TBD (incorporating CIKR / Sector-Specific requirements, as required)

  – New / Revised Preparedness Programs (e.g., updated / improved Ready.Gov and others)

Levels shown for both the Basic and the Enhanced standards:

  – Level 1 (Declaration of Conformity)

  – Level 2 (3rd Party Certification)


Engagement Plan

• Sector Coordinating Council reps and others

• Partnership for Critical Infrastructure Security

• Standards community

• International Security Managers Association

• Business Executives for National Security

• Small Business Administration and other government agencies

• FEMA National Advisory Council

  – Subcommittee for Private Sector Preparedness

• Other organizations

• Public Notice of draft target criteria (Federal Register)


VOLUNTARY EMERGENCY PREPAREDNESS
THE ROLE OF STANDARDS IN TITLE IX

Matthew Deane
Director of Homeland Security Standards, American National Standards Institute (ANSI)


Key Definitions

Standard

A Standard is a Document, Not a Technical Regulation

Document [emphasis added] established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order…

ISO/IEC Guide 2

Conformity Assessment (accreditation/certification)

Any activity concerned with determining directly or indirectly that requirements are fulfilled

Relevant to requirements for products, services, systems and organizations. May be conducted by:

- a supplier (first party)

- a buyer (second party)

- an organization independent of both buyer and seller (third party)


Highlighted Text from PL 110-53 (standards)

• “The program developed and implemented under this subsection shall assess whether a private sector entity complies with voluntary preparedness standards.”

• “The term ‘voluntary preparedness standards’ means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).”

• “shall adopt one or more appropriate voluntary preparedness standards that promote preparedness, which may be tailored to address the unique nature of various sectors within the private sector”


Highlighted Text from PL 110-53 (accreditation/certification)

• “A selected entity shall manage the accreditation process and oversee the certification process in accordance with the program established under this subsection and accredit qualified third parties to carry out the certification program established under this subsection.”

• “Certification under this subsection shall be voluntary for any private sector entity.”


Selected Standards and Guidelines

The slide lists these in two columns, Standards and Guidelines/Frameworks:

NFPA 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs

  – American National Standard

  – Freely available at: http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf

ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management

  – International Organization for Standardization (ISO) Publicly Available Specification (PAS)

BS 25999 – Business Continuity Management

  – British Standard

  – Two parts

ASIS International – Organizational Resilience: Preparedness and Continuity Management

  – ASIS draft guideline document

Other National Standards

  – Standards Australia, SPRING Singapore (TR 19)

CERT® Resiliency Engineering Framework

  – Partnership between Carnegie Mellon and FSTC

  – http://www.cert.org/resiliency_engineering/framework.html

Emergency Management Accreditation Program (EMAP) Standards


"Framework for Voluntary Preparedness"

• Alfred P. Sloan Foundation funded initiative to enable stakeholder dialogue with the U.S. DHS on the considerations and strategies relevant to the private sector preparedness certification program under Public Law 110-53

• Series of roundtables coordinated by NYU International Center for Enterprise Preparedness (InterCEP)

• Key deliverable is the Framework prepared by an interdisciplinary group consisting of representatives from:

  – ASIS International

  – Disaster Recovery Institute International (DRII)

  – National Fire Protection Association (NFPA)

  – Risk and Insurance Management Society, Inc. (RIMS)


Key Points from "Framework”

• In order for the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet its needs

• Report identifies core common elements of a preparedness program and provides a crosswalk of existing standards, guidelines and best practices

• Businesses and organizations should be afforded the flexibility to build on their existing programs

• Small businesses in particular need to tailor their preparedness and resilience strategies to their financial realities

• A major barrier to preparedness and resilience management is a lack of knowledge and tools, particularly in case of small businesses


VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, A PRACTITIONER’S POINT OF VIEW

Randall J. Till
Global Business Continuity Management, MasterCard Worldwide


Voluntary Emergency Preparedness

Considerations:

• Demonstrates the importance of preparedness and readiness in today's business climate

  – Government involvement in private sector preparedness

  – Promotes the need for strong resiliency practices

  – Expands preparedness and continuity planning as a required business practice for all organizations


Voluntary Emergency Preparedness

Considerations:

• Voluntary certification will help consolidate and solidify standards and practices

  – Provides a measure to assess and validate business preparedness and readiness

  – Builds on existing standards and proven accreditation/certification processes

  – Provides flexibility to address preparedness needs of various size businesses and industry sectors

  – Option for self-assessment of organizations


Voluntary Emergency Preparedness

Concerns:

• Size and complexity of certification process

  – Simple enough to encourage smaller companies

  – Significant enough to influence larger organizations

  – Flexible enough to encourage ongoing readiness preparation following certification

• Financial institutions are already heavily regulated

  – Increases complexity and requirements for compliance

  – Cost and drain on resources to achieve certification

  – Voluntary certification becomes mandatory when business partners require certification


Voluntary Emergency Preparedness

Concerns (continued):

• Business Continuity lacks strong industry standards and consistent planning methodologies

  – Difficult to define a single body of knowledge/standards

  – How to define clear standards and requirements with inconsistent planning practices

• Difficult to measure effectiveness of an organization's readiness and preparedness

  – Preparedness practices are institutionalized, practiced and executable

• International certification process to address requirements for global organizations


Voluntary Emergency Preparedness

Opportunities:

• Financial industry can provide leadership and direction in defining voluntary certification processes

• Consolidation and standardization of preparedness practices and standards

  – Common set of criteria for preparedness

• Drives readiness for a larger sector of the business population providing greater overall resiliency

• Provides a method to assess readiness as part of supply chain management


Voluntary Emergency Preparedness

Opportunities:

• Ability to demonstrate value-add services for the organization

• Convergence of risk management practices to address overall "operational risk management"

• Evolution of "maturity models" providing a more holistic approach for managing operational risks and resiliency

  – Provides a framework for achieving certification and improving resiliency practices

  – FSTC/CERT Resiliency Engineering Framework


Panel Discussion

• Al Martinez-Fonts – “Title IX, Fact vs. Fiction” – Department of Homeland Security, Assistant Secretary, Private Sector Office

• Matthew Deane – “Standards and Title IX, What you need to know” – Director of Homeland Security Standards, American National Standards Institute (ANSI)

• Randy Till – “Title IX, A Practitioner’s Point of View” – Global Business Continuity Management, MasterCard Worldwide
