TRANSCRIPT
FSTC’s 2008 Annual Conference
On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators
The Financial Services Technology Consortium
Empowering the Industry Through Innovative Ideas
June 18, 2008
Voluntary Preparedness
• Al Martinez-Fonts – “TITLE IX, FACT VS. FICTION”; Assistant Secretary, Private Sector Office, Department of Homeland Security
• Matthew Deane – “THE ROLE OF STANDARDS IN TITLE IX”; Director of Homeland Security Standards, American National Standards Institute (ANSI)
• Randy Till – “TITLE IX, A PRACTITIONER’S POINT OF VIEW”; Global Business Continuity Management, MasterCard Worldwide
• David Nolan – Moderator; CEO, Fusion Risk Management, Inc.
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, FACT VS. FICTION
Al Martinez-Fonts, Assistant Secretary, Private Sector Office, Department of Homeland Security
Background
• “Implementing the Recommendations of the 9/11 Commission Act of 2007”
– Public Law 110-53, signed on August 3, 2007
• Requirement to develop a National Voluntary Private Sector Preparedness Accreditation and Certification Program
– Establish a common set of standards for private sector preparedness relating to disaster management, emergency management, and business continuity
Goal
Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all-hazards environment.
“…the government does not, and cannot work alone… private sector organizations play a key role before, during and after an incident.”
– National Response Framework (2007)
Key Program Requirements
• Voluntary participation
• Provide method to independently certify preparedness of private sector entities
• Administered by non-government entity
• DHS designate one or more standards based on published target criteria
• Integrate/leverage existing regulatory requirements and existing efforts, if feasible
• DHS maintain and make public a listing of any public entity certified as being compliant, if that public entity consents to being listed
• Small business consideration
[Program roadmap diagram, 2008 to 2012; text recovered from the slide]
• Program Phase 1 – Program & Target Criteria Development
• Program Phase 2 – Basic Preparedness and Enhanced Target Criteria Refinement
• Program Phase 3 – Enhanced Preparedness
• Certification levels: Level 1 (Declaration of Conformity); Level 2 (3rd Party Certification)
• Basic (Current) Standards: Draft Program Concept; Establish Accrediting Body Contract; Existing Preparedness Standards – TBD; Existing Preparedness Programs – TBD (e.g. “Ready.Gov” and others)
• Target Criteria for Standards (in work): Standards process; Scope and Policy; Requirements; Risk Assessment; Objectives and Strategies; Operational and Control Strategies; Competence and Training; Communication and Warning Strategies; Resource Management; Assessment and Evaluation; Continuing Review
• Enhanced (Future) Standards: New / Revised Preparedness Standards – TBD (incorporating CIKR / Sector-Specific requirements, as required); New / Revised Preparedness Programs (e.g., updated / improved Ready.Gov and others)
Engagement Plan
• Sector Coordinating Council reps and others
• Partnership for Critical Infrastructure Security
• Standards community
• International Security Managers Association
• Business Executives for National Security
• Small Business Administration and other government agencies
• FEMA National Advisory Council
– Subcommittee for Private Sector Preparedness
• Other organizations
• Public Notice of draft target criteria (Federal Register)
VOLUNTARY EMERGENCY PREPAREDNESS
THE ROLE OF STANDARDS IN TITLE IX
Matthew Deane, Director of Homeland Security Standards, American National Standards Institute (ANSI)
Key Definitions
Standard
A Standard is a Document, Not a Technical Regulation
“Document [emphasis added] established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order…”
– ISO/IEC Guide 2
Conformity Assessment (accreditation/certification)
Any activity concerned with determining directly or indirectly that requirements are fulfilled. Relevant to requirements for products, services, systems and organizations. May be conducted by:
- a supplier (first party)
- a buyer (second party)
- an organization independent of both buyer and seller (third party)
Highlighted Text from PL 110-53 (standards)
• “The program developed and implemented under this subsection shall assess whether a private sector entity complies with voluntary preparedness standards.”
• “The term ‘voluntary preparedness standards’ means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).”
• “shall adopt one or more appropriate voluntary preparedness standards that promote preparedness, which may be tailored to address the unique nature of various sectors within the private sector”
Highlighted Text from PL 110-53 (accreditation/certification)
• “A selected entity shall manage the accreditation process and oversee the certification process in accordance with the program established under this subsection and accredit qualified third parties to carry out the certification program established under this subsection.”
• “Certification under this subsection shall be voluntary for any private sector entity.”
Selected Standards and Guidelines/Frameworks
• NFPA 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs
- American National Standard
- Freely available at: http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
• ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management
- International Organization for Standardization (ISO) Publicly Available Specification (PAS)
• BS 25999 – Business Continuity Management
- British Standard
- Two parts
• ASIS International – Organizational Resilience: Preparedness and Continuity Management
- ASIS draft guideline document
• Other National Standards
- Standards Australia, SPRING Singapore (TR 19)
• CERT® Resiliency Engineering Framework
- Partnership between Carnegie Mellon and FSTC
- http://www.cert.org/resiliency_engineering/framework.html
• Emergency Management Accreditation Program (EMAP) Standards
"Framework for Voluntary Preparedness"
• Alfred P. Sloan Foundation funded initiative to enable stakeholder dialogue with the U.S. DHS on the considerations and strategies relevant to the private sector preparedness certification program under Public Law 110-53
• Series of roundtables coordinated by NYU International Center for Enterprise Preparedness (InterCEP)
• Key deliverable is the Framework prepared by an interdisciplinary group consisting of representatives from:
– ASIS International
– Disaster Recovery Institute International (DRII)
– National Fire Protection Association (NFPA)
– Risk and Insurance Management Society, Inc. (RIMS)
Key Points from “Framework”
• In order for the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet its needs
• Report identifies core common elements of a preparedness program and provides a crosswalk of existing standards, guidelines and best practices
• Businesses and organizations should be afforded the flexibility to build on their existing programs
• Small businesses in particular need to tailor their preparedness and resilience strategies to their financial realities
• A major barrier to preparedness and resilience management is a lack of knowledge and tools, particularly in case of small businesses
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, A PRACTITIONER’S POINT OF VIEW
Randall J. Till, Global Business Continuity Management, MasterCard Worldwide
Voluntary Emergency Preparedness
Considerations:
• Demonstrates the importance of preparedness and readiness in today's business climate
– Government involvement in private sector preparedness
– Promotes the need for strong resiliency practices
– Expands preparedness and continuity planning as a required business practice for all organizations
Voluntary Emergency Preparedness
Considerations:
• Voluntary certification will help consolidate and solidify standards and practices
– Provides a measure to assess and validate business preparedness and readiness
– Builds on existing standards and proven accreditation/certification processes
– Provides flexibility to address preparedness needs of various size businesses and industry sectors
– Option for self-assessment of organizations
Voluntary Emergency Preparedness
Concerns:
• Size and complexity of certification process
– Simple enough to encourage smaller companies
– Significant enough to influence larger organizations
– Flexible enough to encourage ongoing readiness preparation following certification
• Financial Institutions are already heavily regulated
– Increases complexity and requirements for compliance
– Cost and drain on resources to achieve certification
– Voluntary certification becomes mandatory: business partners require certification
Voluntary Emergency Preparedness
Concerns (continued):
• Business Continuity lacks strong industry standards and consistent planning methodologies
– Difficult to define single body of knowledge/standards
– How to define clear standards and requirements with inconsistent planning practices
• Difficult to measure effectiveness of an organization's readiness and preparedness
– Preparedness practices are institutionalized, practiced and executable
• International certification process to address requirements for global organizations
Voluntary Emergency Preparedness
Opportunities:
• Financial industry can provide leadership and direction in defining voluntary certification processes
• Consolidation and standardization of preparedness practices and standards
– Common set of criteria for preparedness
• Drives readiness for a larger sector of the business population, providing greater overall resiliency
• Provides a method to assess readiness as part of supply chain management
Voluntary Emergency Preparedness
Opportunities:
• Ability to demonstrate value-add services for the organization
• Convergence of risk management practices to address overall "operational risk management"
• Evolution of "maturity models" providing a more holistic approach for managing operational risks and resiliency
– Provides a framework for achieving certification and improving resiliency practices
– FSTC/CERT Resiliency Engineering Framework
Panel Discussion
• Al Martinez-Fonts – “Title IX, Fact vs. Fiction”; Assistant Secretary, Private Sector Office, Department of Homeland Security
• Matthew Deane – “Standards and Title IX, What you need to know”; Director of Homeland Security Standards, American National Standards Institute (ANSI)
• Randy Till – “Title IX, A Practitioner’s Point of View”; Global Business Continuity Management, MasterCard Worldwide