Martin Myers August 20, 2008 Business Continuity Rules & Regulations


Page 1: Business Continuity Rules & Regulations 08 BC Rules Regs...Bank of America: Proprietary 4 Laws, Rules, Regulations, etc. • Law is a system of rules, usually enforced through a set

Martin Myers, August 20, 2008

Business Continuity Rules & Regulations

Page 2:

Bank of America: Proprietary

2

What Will be Covered in This Presentation?

• Rules & Regulations - Definitions

• Source of Business Continuity Rules & Regulations

• Selected Rules & Regulations Pertaining to Business Continuity

• Additional Sources

Page 3:

Rules & Regulations Defined

Page 4:

Laws, Rules, Regulations, etc.

• Law is a system of rules, usually enforced through a set of institutions.

• A statute is passed by the legislature. A statute can have regulatory intent.

• A regulation is a form of secondary legislation which is used to implement a primary piece of legislation appropriately …

• The reasonable person standard is an often-used legal term that originated in the development of the common law. … The question of how a reasonable person might act, or what judgments they might make under the circumstances, performs a critical role in legal reasoning in areas such as negligence, contract law, and criminal law.

• Due diligence is a term used for the performance of an act with a certain standard of care. It can be a legal obligation…

• The precedent on an issue is the collective body of judicially announced principles that a court should consider …

• A set of widely accepted leading practices often becomes a de facto standard or precedent, and may become legally binding via the courts or through legislative or statutory law.

“The rule of law is better than the rule of any individual.”

-- Aristotle, 350 BC

“If you like laws and sausages, you should never watch either one being made.”

-- Otto von Bismarck (1815–98)

Page 5:

Rules & Regulations: the Resource

Page 6:

Disaster Recovery Journal (DRJ) Tool

Page 7:

Organization & Sorting

Columns in the DRJ tool:

• Title

• Regulation / Standard

• Governing Body

• Country

• Summary

• Significant Dates, Fines, Penalties

• Category: • Enforced, • Ambiguous, • Watch list, • Invocation @ Incident

• Notes / Comments (links)

• Infrastructure Category: 1. Banking & Finance; 2. Public Health & Healthcare; 3. Transportation & Shipping; 4. Energy (including nuclear); 5. Industry; 6. Agriculture; 7. Food Supply & Water; 8. Information Distribution & Communications; 9. Government & Public Agencies

Page 8:

Narrowing Down the List (?)

• Complete list, which includes the U.S. plus 15 other specific nations as well as some ‘international’ entries - 121

• U.S. entries - 61

• U.S. entries that involve “Banking & Finance” - 57

Page 9:

Rules & Regulations: Highlights for Banking & Finance

Page 10:

Critical Infrastructure Protection Program

The USA has had a wide-reaching Critical Infrastructure Protection Program in place since 1996. The Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

Under this program, the following critical infrastructures and their responsible agencies have been identified:

Agriculture and Food – Departments of Agriculture and Health and Human Services

Water – Environmental Protection Agency

Public Health – Department of Health and Human Services

Emergency Services – Department of Homeland Security

Government – Department of Homeland Security

Defense Industrial Base – Department of Defense

Information and Telecommunications – Department of Commerce

Energy – Department of Energy

Transportation and Shipping – Department of Transportation

Banking and Finance – Department of the Treasury

Chemical Industry and Hazardous Materials – Department of Homeland Security

Post – Department of Homeland Security

National Monuments and Icons – Department of the Interior

Page 11:

National Infrastructure Protection Plan

• The National Infrastructure Protection Plan (NIPP) is a document, called for by Homeland Security Presidential Directive 7, which aims to unify Critical Infrastructure and Key Resource protection efforts across the country.

• NIPP is structured to create partnerships between Government Coordinating Councils (GCC) from the public sector and Sector Coordinating Councils (SCC) from the private sector.

• Government Coordinating Councils: Department of Agriculture; Department of Health and Human Services; Department of Defense; Department of Energy; Department of the Interior; Department of the Treasury; Environmental Protection Agency; DHS-Office of Infrastructure Protection; DHS-Office of Cyber Security and Telecommunications; DHS-Transportation Security Administration; U.S. Coast Guard; Immigration and Customs Enforcement; Federal Protective Service

• Sector Coordinating Councils: Agriculture and Food; Defense Industrial Base; Energy; Public Health and Healthcare; National Monuments and Icons; Financial Services; Drinking Water and Water Treatment Systems; Chemical; Commercial Facilities; Dams; Emergency Services; Nuclear Reactors, Materials, and Waste; Information Technology; Communications; Postal and Shipping; Transportation Systems; Government Facilities

Page 12:

FFIEC Business Continuity Planning IT Examination Handbook

• Link: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

• Provides guidance and examination procedures for:

– evaluating financial institution and service provider risk management processes

– the availability of critical financial services

• Financial institutions play a crucial role in the United States economy, so:

– operations are resilient

– effects of disruptions in service are minimized

– public trust is maintained

Page 13:

FFIEC, Continued

• Board & Senior Management Responsibilities

• BC Process

– BIA

– Risk Assessment

– Risk Management

• Plan Development

– Policies, Standards, and Processes

• Project Management

• Employee Training & Communications

– Risk Monitoring

• Testing Strategy

• Test Scope & Objectives

• Validation

• Accuracy

• Completeness

• Testing Methods

Page 14:

Federal Deposit Insurance Corporation (FDIC): Electronic Funds Transfer Act (EFTA)

• Link: http://www.fdic.gov/regulations/laws/rules/6500-1350.html

• Establishes the basic responsibilities, rights and liabilities of consumers who use electronic fund transfer services and of financial institutions that offer these services.

• BCP must meet a “reasonable standard of care”

Page 15:

Interagency Paper for Strengthening the Resilience of US Financial System

• Link: http://www.sec.gov/news/studies/34-47638.htm

• Interagency

– FRB (Federal Reserve Bank)

– OCC (Office of the Comptroller of the Currency)

– SEC (Securities and Exchange Commission)

• Lessons learned from September 11

– agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole.

Page 16:

Interagency Paper, Continued

• 3 business continuity objectives:

– Rapid recovery and timely resumption of critical operations following a wide-scale disruption;

– Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and

– A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

• For Market Utilities and Core Clearing and Settlement Agencies

– goal to meet objectives is end of 2004.

• For Significant Role Firms

– goal is no later than 2006.

Page 17:

Department of the Treasury: Federal Government Participation in the Automated Clearing House; Final Rule

• Link: http://www.fms.treas.gov/ach/interim_2003.pdf

• Requires 6 year file retention on all ACH transactions

• An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions

• Non-compliance: a fine of not more than $10,000, imprisonment of not more than ten years, or both

Page 18:

Code of Federal Regulations: Procedures for Handling Critical Infrastructure Information

• Link: http://law.justia.com/us/cfr/title06/6-1.0.1.1.9.html

• Continuity of operations for Critical Infrastructure

• Disclosure of critical information to the government

Page 19:

Appendix

Page 20:

Some helpful links

Disaster Recovery Journal (DRJ): www.drj.com

Disaster Recovery Journal – Rules & Regulations: www.drj.com/index.php?option=com_content&task=view&id=713&Itemid=328

Continuity Insights: www.continuityinsights.com

Continuity Central: www.continuitycentral.com

Disaster Recovery Institute (DRI): www.dri.org

Department of Homeland Security (DHS) – Prevention & Protection: http://www.dhs.gov/xprevprot/

Department of Homeland Security (DHS) – Preparedness & Response: http://www.dhs.gov/xprepresp/

Federal Emergency Management Agency (FEMA): http://www.fema.gov/library/index.jsp
