Standards
1. A Standard is a set of specifications or guidelines used to ensure that a product, service or process does what it is supposed to do. It is a document that establishes uniform engineering or technical specifications, criteria, methods, processes, or practices.
Related Terms: ISO22301
These are some related BCM standards:
International or Country Specified
High Level Auditable BCM Standards
- ISO 22301 Standard for BCMS Business Continuity Management.
- ISO 22301 is the new international standard for business continuity management. It has been created in response to strong international interest in the original British Standard BS 25999-2 and other regional standards. If you meet the requirements to gain certification, your organization will be recognized globally.
- Notes - The document is available for purchase.
- British Standards Institution (BSI) BS 25999 - Business Continuity
- BS 25999-1: Provides a basis for understanding, developing and implementing business continuity within an organization; provides confidence in B2B and B2C relationships.
- BS 25999-2: Specifies the requirements for "establishing, operating, monitoring, reviewing, maintaining and improving a documented BCM system within the context of an organization’s overall business risks", and for the implementation of continuity controls customized to the needs of a specific organization.
- Notes - This was superseded by the international standard ISO22301 in May 2012. Organisations certified to BS25999 should transition themselves to the new international standard by 30th May 2014.
- Singapore Standard SS540
- SPRING Singapore launched the certifiable standard SS540:2008, which replaces TR 19:2004.
- SI 24001:2007
- Security and continuity management systems - Requirements and guidance for use, issued by the Standards Institution of Israel (SII)
- FFIEC Guidelines
- ISO/PAS 22399:2007
- Societal security - Guideline for incident preparedness and operational continuity management
- Australian and New Zealand Business Continuity Management standard : AS/NZS 5050:2010
- Notes - The document may be purchased and it supersedes DR 09013; Governance, risk and compliance regulatory developments in Australia refer to this standard.
- This standard provides a generic guide for Business continuity - Managing disruption-related risk. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.
- ANSI Business Continuity Management Standard
High Level Non-auditable BCM Standards
- Bank of International Settlements, High-level principles for business continuity, Summary, Aug 2006
- National Fire Protection Association NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs
- CTIA (Cellular Telecommunications and Internet Association) Telecommunication Industry BCM standard and certification (2011-2012)
- The CTIA is working on plans to offer standard business continuity guidance to the communications industry.
- Notes - This certification and industry standard is in the planning phase. CTIA is currently (May 2005) meeting with industry leads to discuss the feasibility of the requirements and verification method.
- CSA Z1600 Standard on Emergency Management and Business Continuity Programs
- Standards Australia, HB 292-2006 A practitioner's guide to business continuity management
- This Guide provides an overview of selected ‘generally accepted practices’ and emerging new practices used variously within Australia, USA and UK. Business Continuity Management (BCM) practice is such that approaches that work well in one organisation may be wholly inappropriate for a different organisation. Extreme care therefore needs to be taken in deciding what and how aspects of BCM will be implemented within an organisation.
- Standards Australia, HB 293-2006 Executive Guide to Business Continuity Management.
- The executive guide to business continuity management (BCM) provides senior management with an overview of the key concepts and processes that are required to implement and maintain an integrated, robust business continuity management program. This document was prepared as a summary and a navigational tool for HB 292, A practitioners guide to business continuity management.
- Standards Australia, HB 221:2004 Business Continuity Management
- This standard sets out a definition and process for business continuity management, and provides a workbook that may be used by organisations to assist in implementation. It sets out the principles and guidance that the Commission expects companies listed on the NZ Stock Exchange to follow for Business Continuity Management and establishing a Business Continuity Plan.
- ASIS International - Organizational Resilience: Preparedness and Continuity Management - Best Practices Standard
- ASIS American National Standard (2009)
- The ASIS Organizational Resilience American National Standard provides organizations with a comprehensive management framework to anticipate, prevent if possible, and prepare for and respond to a disruptive incident. It provides generic auditable criteria to establish, check, maintain, and improve a management system to enhance prevention, preparedness (readiness), mitigation, response, continuity, and recovery from an emergency, crisis, or disaster. The standard addresses the core elements and criteria of the DHS Title IX preparedness program.
- Notes - Organizational Resilience: Security, Preparedness and Continuity Management Systems - Requirements with Guidance for Use Standard (ASIS SPC.1-2009); The document may be purchased
- Australian and New Zealand Business Continuity Management standard: AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines
- Notes - The document may be purchased
- This standard provides a generic guide for Risk management - Principles and guidelines. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.
- Australian and New Zealand Business Continuity Management standard: AS/NZS 7799.2:2000 (Previously known as 4444.2)
- This Standard is intended for use by managers and employees who are responsible for initiating, implementing and maintaining information security within their organization and it may be considered as a basis for developing organizational security standards.
- This standard is superseded by AS/NZS 7799.2:2003
- DRJ GAP Report
- The DRJ Editorial Advisory Board Generally Accepted BC Practices Committee in concert with DRI International is continuing its effort to create universally accepted Business Continuity Practice guidelines. The Generally Accepted Business Continuity Practices subject areas align with the ten DRII Professional Practices. The Professional Practices tell you what you need to do and the Generally Accepted BC Practices will tell you how to do it. The DRJ has also partnered with the following organizations to assist in the creation of the Generally Accepted BC Practices:
- Association of Records Management Administration (ARMA)
- DRI International (DRII)
- Financial Services Technology Consortium (FSTC)
- Standards Australia/Standards New Zealand
- National Fire Protection Association (NFPA)
- Notes - Best Practices have been compiled from submittals by experienced Business Continuity Professionals from the public and private sectors, as well as user groups and/or related organizations, in regards to the industry standard Professional Practices.
- Federal Continuity Directives (FCDs)
- Federal Continuity was developed as a repository of information to guide governmental continuity planning efforts and to share information with private sector stakeholders about the importance of planning. The site provides an overarching framework for US Federal Agencies to develop and deploy actionable continuity strategies. Here you will find descriptions, documents, guidance, and worksheets necessary to comply with Federal Continuity mandates and to achieve a high level of preparedness.
- FEMA 141: Emergency Management Guide for Business & Industry
- This Guide was designed to provide guidance for business and industry officials to respond and recover from disasters.
- FINRA Rule 4370 - Emergency preparedness rule
- Rule 4370, FINRA's emergency preparedness rule, requires firms to create and maintain business continuity plans (BCPs) appropriate to the scale and scope of their businesses, and to provide FINRA with emergency contact information. This page provides general information related to BCPs for securities firms.
- Notes - This rule replaces NYSE Rule 446. The NYSE, along with NASD, has adopted FINRA Rule 4370.
- Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004)
- This strategy is for ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur.
- ISO 9000
- ISO 9000:2000, Quality management systems - Fundamentals and vocabulary covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards.
- Its purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans.
- ISO 9001
- ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
- ISO 9002, Quality assurance standard
- This standard addresses risk management and continuity planning issues for compliance.
- Note - Previous members of the ISO 9000 series, 9002 and 9003, have been integrated into 9001.
- ISO 9004 Quality management systems - Guidelines for Performance Improvement
- ISO 9004:2000 Quality management systems - Guidelines for performance improvements covers continual improvement. This gives you advice on what can be done to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.
- Notes - Revised by ISO 9004:2009
- ISO Guide 73:2009
- Risk management -- Vocabulary
- Notes - The document is available for purchase
- ISO/IEC 27002:2005
- This standard focuses on:
- Business continuity management process
- Writing and implementing continuity plans
- Business continuity planning framework
- Business continuity and impact analysis
- Testing and maintaining BCPs
- Areas reviewed include:
- It was originally BS17799 and was proposed as ISO 7799.
- Notes - ISO/IEC 17799:2005 was subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management.
- ISO/IEC 27005:2008
- Part of the ISO 27000 series of standards.
- The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management.
- Significant Dates, Fines, Penalties
- The standard was published in June 2008.
- ISO/IEC 31010:2009
- The standard covers Risk management - Risk assessment techniques.
- Notes - The document is available for purchase
- IT Security Guidelines - G3
- These Guidelines introduce general concepts relating to Information Technology Security and elaborate interpretations of the Baseline IT Security Policy. They also provide readers with guidelines and considerations for defining security requirements.
- Significant Dates, Fines, Penalties
- In this document, government bureau and departments are suggested to consider implementing a BCP/DR as part of business planning.
- V4.1 November 2008
- Notes - http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/
- ITIL- IT Infrastructure Library
- A global standard in the area of service management, ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally.
- It contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services.
- King I Report - 1994, King II Report - 2002, King III Report - 2009
- This is a standard for good corporate governance which most companies in South Africa make reference to in their AFS and try to adhere to.
- From Wikipedia:
- The King Committee on Corporate Governance, formed in 1993 by the Institute of Directors in Southern Africa (IoD), was established to investigate the role of boards of directors in South African firms. Chaired by businessman and former judge Mervyn E. King, the committee included Phillip Armstrong, Nigel Payne, and Richard Wilkinson.
- The committee has released three King reports on corporate governance in South Africa:
- 1994 King I
- 2002 King II
- 2009 King III
- Management, Supervision and Internal Control Guidelines (The Internal Control Guidelines)
- For persons licensed by or registered with the Securities and Futures Commission.
- A licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss.
- Significant Dates, Fines, Penalties
- In section 36 under operational risk: An effective business continuity plan appropriate to the size of the firm is implemented to ensure that the firm is protected from the risk of interruption to its business continuity.
- Notes - Copies of the Guidelines are available at the SFC. They can also be found on the SFC's website at
- Information Technology Control Guidelines
- This is Crisis Management for Directors
- MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004)
- These are guidelines on ensuring that BC preparedness is not compromised by outsourcing: the institution should take steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated, such that the institution remains able to conduct its business with integrity and competence in the event of disruption, unexpected termination of the outsourcing, or liquidation of the service provider.
- Significant Dates, Fines, Penalties
- International: Issued in October 2007
- Updated on July 1, 2005
- MAS Technical Reference for Business Continuity Management (BCM)
- This Reference specifies the requirements for organisations intending to build competence, capacity, resilience and readiness to respond to and recover from events which threaten to disrupt normal business operations and activities. It stipulates the requirements to attain and maintain readiness to deal with risks and risk events faced by organisations due to the nature of their businesses, external environment or regulatory requirements.
- NFPA 111:A standard on Stored Electrical Energy Emergency and Standby Power Systems
- This is a guideline giving a step-by-step approach to emergency planning, response and recovery for companies.
- NFPA 232: Standard on Protection of Records
- These are standards for protection of business records, archives and records centers.
- NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
- This standard establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
- Significant Dates, Fines, Penalties
- 4th Edition due around April, 2010.
- NIST SP 800-34 Contingency Planning Guide
- This Guide details the fundamental planning principles necessary for developing an effective contingency capability.
- Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
- NIST SP 800-53 Contingency Planning Guide
- The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems, supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
- The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal government.
- It also includes Contingency Planning Policy And Procedures
- OCC 2001-47
- This bulletin provides guidance to national banks on managing the risks that may arise from their business relationship with third parties. A third party’s inability to deliver products and services, whether arising from fraud, error, inadequate capacity, or technology failure, exposes the bank to transaction risk. Lack of effective business resumption and contingency planning for such situations also increases the bank’s transaction risk.
- The contract should provide for continuation of the business function in the event of problems affecting the third party’s operations, including system breakdown and natural (or man-made) disaster.
- Notes - The bank’s own contingency plan should address potential financial problems or insolvency of the third party.
- OCC 2003-18: FFIEC (March 2003)
- Information Technology Examination Handbook- Business Continuity Planning and supervision of Technology Service Providers Booklets
- The BCP Booklet describes the process for managing business continuity based on risk as the following:
- Business impact
- OCC 99-9: Infrastructure Threats from Cyber-Terrorists (March 5, 1999)
- This Standard identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingency plan.
- Publicly Available Specification (PAS) 56- Guide to Business Continuity Management
- Publicly Available Specification, PAS 56, is an ‘informal standard’ that was published by the BSI in 2003.
- Notes - PAS56 has been replaced with BS 25999.
- SIFMA BCP Best Practices Documents - The benefits of Public and Private Partnerships (September 2011)
- The SIFMA Business Contingency Planning (BCP) Best Practices Committee completed work on a survey regarding Regional Coalitions. The survey included 23 companies representing 648,000 employees and 2,600 locations. Based upon the survey results, the following areas of additional interests were identified and will be addressed by this document:
- Increase awareness of public/private partnerships
- Define how to establish and maintain public/private partnership relationships and outline the "best practices" for participation.
- Define how to engage regional partnerships for test planning and execution.
- Statement on Auditing Standards (SAS) No. 70, Service Organizations
- A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.
- Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
- The AICPA recently launched a new set of internal control reports - Service Organization Control (SOC) Reporting including the new SSAE 16 standard.
High Level Related Standards
- ISO 27001
- Malaysia Standard MS1970:2007 Business Continuity Management Framework
- Singapore Standard SS507:2004
- ISO/PAS 23399 - Incident Preparedness and Operational Continuity Management
- Australian/New Zealand Standard AS/NZS 4360:2004
- The AS/NZS 4360 is the only internationally accepted risk management standard. The Standard provides a generic guide for establishing and implementing the risk management process involving identification, analysis, assessment, treatment and continuous risk monitoring.
- AS/NZS 4360 is a generic guide for risk management so that it applies to all forms of organizations. Risk management is defined as the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.
- This standard is superseded by AS/NZS ISO 31000:2009
- HIPAA
- COBIT-Control Objectives for information and related Technology (4.1) (May 2007)
- This is a generally accepted set of control objectives for information technology. Domains include:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
- These areas are reviewed for compliance.
- The IT Governance Institute and the sponsors of COBIT: Control Objectives for Information and related Technology have designed the product primarily as an educational resource for controls professionals.
- COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management Framework (September 2004)
- This standard defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
- ITIL 2008 SCM: Disaster Recovery Self-Assessment
- NASD 3510
- NYSE 446
- NAIC for Business Continuity
- ANAO (Australian National Audit Office) Better Practice Guide: Business Continuity Management - Building Resilience in public sector entities. June 2009.
- This Guide was produced following consultations with the Australian Government and private sector entities. It provides a refreshed version of a previous ANAO Guide which is presented in a more user-friendly format, and includes contemporary practical advice, case studies and references as well as exploring issues within the business continuity environment that have arisen since the previous ANAO publication.
- ANAO states that business continuity management is an essential component of good public sector governance and is part of an entity’s overall approach to effective risk management. It says that the guide will be a useful reference document for boards, chief executives and senior management in public sector entities.
- APRA (Australian Prudential Regulation Authority) - Prudential Standard CPS 232 Business Continuity Management
- This Prudential Standard aims to ensure that each regulated institution and Level 2 group implements a whole-of-business approach to business continuity management, appropriate to the nature and scale of its operations. Business continuity management increases resilience to business disruption arising from internal and external events and may reduce the impact on the regulated institution’s or group’s business operations, reputation, profitability, depositors, policyholders and other stakeholders.
- Business Continuity Institute - BCM Guides and Standards
- The BCI is regularly asked by members and other interested parties about current legislation, regulation and standards that exist nationally and internationally for Business Continuity Management. It is difficult to provide a definitive list because there are regular changes and amendments at a country level and often inconsistent terminology between countries, sectors and legislators.
- Note - The document produced is the most comprehensive that it was possible to produce based upon information provided to us by our members around the world. Where we have country input we have included it alphabetically. At the end of the document we have a page summarising current and projected international initiatives particularly those supported by the International Standards Organisation (ISO) and the Basel Committee on Banking Supervision.
- Business Continuity Management Good Practice Guidelines 2010
- The BCI published its first Good Practice Guidelines in 2002. This played a significant part in the development of the British Standards Institution’s (BSI) Publicly Available Specification for Business Continuity Management (PAS 56). GPG05 was issued next, followed by an extensive rewrite to take into account the latest thinking in BCM internationally and to recognise increasing maturity in BCM practice across all sectors, public and private. Good Practice Guidelines (GPG) 2010 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
- Notes - GPG is available for BCI members and Non-Members. BCI Training and the BCI Certificate examination are both based on the Good Practice Guidelines. The Good Practice Guidelines are available either as a digital download or as a printed book. The GPG is currently available in English, Portuguese, Spanish, Italian, Japanese and German with translations into French, Chinese, Greek and Korean underway.
- Business Continuity Planning Committee Best Practice Guidelines (April 2011)
- This presents guidelines that can assist in the establishment of a comprehensive business continuity program. It is not intended to be an outline of a business continuity plan or as a single best approach, but rather it should be viewed as a summary of significant components that an organization may wish to consider when developing a full business continuity program.
- Circular to Licensed Corporations - Business continuity planning against serious communicable diseases by Securities and Futures Commission of Hong Kong.
- Business continuity plans are prepared in case of unexpected market conditions and failures. This section also points to other regulators' business continuity plans.
- Notes - Crisis Management HKEx procedures & guidelines Public Health
- Guidance Note on the Use of Internet for Insurance Activities (GN8)
- Its purpose is to better protect the insuring public and ensure the healthy development of the industry in the information technology era. The scope of this Guidance Note covers the internet insurance activities of all service providers.
- Significant Dates, Fines, Penalties
- Point 11 addresses the issue of security, in which service providers are advised to take all practicable steps to ensure a number of items, including the integrity of data stored in the system hardware, whilst in transit and as displayed on the website.
- Guidelines on Business Continuity Planning, BSD Circular No. 13 of 2004
- Guidelines on Business Continuity Planning.
- HKMA Business Continuity Planning V.1 – 02.12.02, TM-G-2
- This is a new, non-statutory guideline issued by the MA (Monetary Authority) as a guidance note. It sets out the HKMA’s (Hong Kong Monetary Authority) supervisory approach to business continuity planning and the sound practices which the HKMA expects Authorized Institutions to take into consideration regarding Business Continuity Planning.
- HKMA TM E-1
- TM E-1 sets out the HKMA’s approach to the supervision of AIs’ electronic banking (e-banking) services and provides AIs with guidance on general principles for risk management of e-banking.
- Previous Guidelines Superseded by TM E-1:
- Guideline 15.1 “Electronic Banking” dated 07.07.97
- Guideline 15.1.1 “Security of Banking Transactions over the Internet” dated 25.11.97
- Guideline 15.3 “Public Key Infrastructure and Legal Environment for Development of Internet Banking” dated 07.10.98
- Circular “Guidance Note on Management of Security Risks in Electronic Banking Services” dated 06.07.00
- Circular “Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services” dated 26.09.00
- Circular “Overseas"
- Significant Dates, Fines, Penalties
- A non-statutory guideline issued by the MA as a guidance note.
- JCAHO 2010 Hospital Accreditation Standards
- Guidelines for information management established by JCAHO
- Standard Label: IM.1.20 - The organization plans for the continuity of its information management processes.
- OCC Comptroller's Handbooks
- The OCC Comptroller's Handbook provides guidance for asset management, safety and soundness, consumer compliance, and securities compliance. Together with this Handbook, the following separate publications have been issued by the OCC:
- Business Continuity Planning: Bank and Thrift Agencies Issue Advisory on Influenza Pandemic Preparedness 03/15/2006
- Business Continuity Planning: Benefits of Regional Coalitions for Disaster Recovery 09/16/2008
- Business Continuity Planning: Lessons Learned from Hurricane Katrina 06/13/2006
- Notes - Listed guidelines are joint publication between:
- Board of Governors of the Federal Reserve System
- Federal Deposit Insurance Corporation
- Office of the Comptroller of the Currency
- Office of Thrift Supervision
- Outsourcing Technology Booklet
- The institution should understand all relevant service provider business continuity requirements, incorporate those requirements within its own business continuity plan, and ensure the service provider tests its plan annually.
- Management should require the service provider to report all test plan results and to notify the institution after any business continuity plan modifications.
- The institution should integrate the provider's business continuity plan into its own plan, communicate functions to the appropriate personnel, and maintain and periodically review the combined plan.
- Notes - The "Outsourcing Technology Booklet" is one of several that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
- The outsourcing risk management program should identify, for Business Continuity Planning (BCP) purposes, the specific responsibilities of all parties, particularly in the areas of information security and business continuity planning.
- PCI Data Security Standard (PCI DSS)
- The PCI DSS states that disaster recovery sites are not in scope unless they process, store or transmit cardholder data. In the same breath, however, it states that once a disaster recovery site is activated it is in scope and must comply with the PCI DSS requirements just as the production data centre did. The same logic applies to any manual workarounds or alternative strategies used once a BCP/DR plan has been invoked: if they touch cardholder data, they are in scope.
- Personal Data (Privacy) Ordinance
- The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data to Hong Kong from restriction.
- Based on the Data Protection Principles published, the relevant principles to BCM are Principle 2 - the personal data should be accurate, up-to-date and kept no longer than necessary; Principle 4 - appropriate security measures should be applied to personal data.
- Policy Statement on Business Continuity Management (BCM) and Business Continuity Plan (BCP)
- This Policy Statement provides a general framework for Business Continuity Management and Business Continuity Plans for financial institutions in Thailand.
- The policy requires board-level involvement, identification of and recovery plans for “Critical Business Functions,” and writing plans and testing them at least once every 12 months.
- Significant Dates, Fines, Penalties
- The deadline for banks to comply was 2008
- Notes - Unofficial Translation by the courtesy of The Foreign Banks' Association
- Please refer to the Thai text for the official version - BOT Notification No. 118-2550
- SIFMA Business Continuity Resources
- The following guidelines are published by SIFMA:
- BCP Best Practices Document. Regional Coalitions: The Benefits of Public and Private Partnerships - September 2011
- Executive Summary: Telecommuting Analysis of Regional Winter Storms 2010 & 2011 - September 2011
- Vendor Business Continuity Questionnaire 2010
- Business Continuity Practices Guidelines- April 2011
- Telecommuting Sound Practice Guidelines - March 2009
- Testing Methodologies For Validating Business Continuity Plans - January 2008
- BCP Critical Infrastructure Guide - February 2007
- SIFMA's mission is to develop policies and practices which strengthen financial markets and which encourage capital availability, job creation and economic growth while building trust and confidence in the financial industry. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).
IT Disaster Recovery Standards
- BS 25777:2008
- Information and communications technology continuity management Code of practice
- ISO/IEC 24762:2008
- Guidelines for ICT and disaster recovery services
- SS507:2008
- Guidelines for ICT and disaster recovery services
- SI 24001:2007
- Security & Continuity Management Systems (Israel)
Central Bank Specified
International:
- Basel Committee on Banking Supervision - The Joint Forum -High-level principles for business continuity (August 2006)
- Joint publication of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions and the International Association of Insurance Supervisors, c/o Bank for International Settlements, CH-4002 Basel, Switzerland
- Basel III Implementation and Basel II Advanced Approaches Implementation
- This regulation addresses operational risk and defines it as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”
- Notes - In June 2010, the Basel Committee on Banking Supervision (BCBS) published a comprehensive reform package, Basel III. The Federal Reserve Board publishes the proposed rule-making changes in the section titled "U.S. Implementation of the Basel Accords".
- DRI International:“Ten Professional Practices for Business Continuity Professionals”
- Professional practice letters include developing business continuity management strategies and other contingency planning
- Areas reviewed include:
- Potential for data loss
- Vital records creation, storage and retention
- Business and IT recovery
- Prudent Man Concept
- A legal standard, found in the Uniform Commercial Code, used to determine whether appropriate action was taken in a particular situation.
- Directors, senior management, officers and agents, when working for an organization, are considered to be in a position
- Notes - Uniform Commercial Code
- Any company, regardless of its industry, is expected to exercise due care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners.
- Due care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due care is seen in the same light by state and federal courts.
AUSTRALIA:
- Australian Prudential Regulation Authority (APRA) Guidance Note AGN 232.1 - Risk Assessment and Business Continuity Management
- Key Highlights: Guidelines for authorised deposit-taking institutions when implementing the Prudential Standard APS 232 business continuity management.
- AFMA (Australia Financial Markets Association) KRI Definitions and Guidelines
- This follows ISIA Business Continuity Planning Guidelines. See page 12, section 7.1, for their guidelines on "Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Testing"
- Australian Commonwealth Criminal Code (1995)
- Establishes corporate criminal responsibility, which can expose officers and directors of organisations that suffer a major disaster without a proper business continuity plan to criminal penalties, although the Code makes no specific reference to business continuity.
- Notes - Section 5. Corporate criminal responsibility, Part 2.5
BAHAMAS: Central Bank of The Bahamas Business Continuity Guidelines: Consultative Paper PU26-0606, 6 Nov 2006
BARBADOS: Central Bank of Barbados, Operational Risk Guideline, June 2007
CANADA: CAN/CSA-Z731-03
- Canada’s Emergency Preparedness and Response Standards
- IDA By-law 17.19 - Business Continuity Plan Requirement
- The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts.
HONG KONG:
- Hong Kong Monetary Authority (HKMA), Supervisory Policy Manual, TM-G-2 - Business Continuity Planning
- Key Highlights: This Manual sets out the HKMA's latest supervisory policies and practices, the minimum standards authorized institutions ("AIs") are expected to attain in order to satisfy the requirements of the Banking Ordinance and recommendations on best practices that... ...
- This manual takes a supervisory approach where the HKMA’s objective is to help ensure that Authorized Institutions ("AIs") have workable and well thought through BCPs to protect all the critical areas of their business and to cope with prolonged disruption.
- Hong Kong Monetary Authority (HKMA), General Principles for Technology Risk Management, TM-G-1, V.1, 24.06.03
- The aim of these principles is to give AIs guidance on the general principles they are expected to consider in managing technology-related risks. Section 3.1.4 discusses "adequate off-site back-up and contingency arrangements". Section 2.6 covers the policies, procedures or service agreements between AIs and overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities. Section 7.1.1 states that AIs "should develop a contingency plan for critical outsourced technology services to protect them from unavailability of services due to unexpected problems of the technology service provider".
- Notes - The outsourcing agreement should specify clearly, among other things, the performance standards and other obligations of the technology service provider, and the issue of software and hardware ownership. As technology service providers may further sub-contract their services to other parties, AIs should consider including a notification or an approval requirement for significant sub-contracting of services and a provision that the original technology service provider is still responsible for its sub-contracted services
- HKMA Supervisory Policy Manual TM-G-2 (v.1 - 02.12.02)
- This is enforced by on-site examinations. It requires BCP documentation, testing at least annually, and planning for different scenarios and prolonged outages.
- Significant Dates, Fines, Penalties
- BCP organization & governance structure
- Approach to business continuity planning
- Documentation
- DR site & vendor management
- HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1 V.1 24.06.03
- This refers to TM-G-2 on BCP on the need to provide continuous service.
- Significant Dates, Fines, Penalties
- Need to provide alternative service
- HKMA, Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17-Feb-2004
- Refers to TM-G-2 on BCP on the need to provide continuous and/or alternative services.
- Significant Dates, Fines, Penalties
- Need to provide alternative service
INDIA:
- RBI BC Circulars
- RBI/2009-10/108 - National Electronic Funds Transfer (NEFT) System – Business Continuity Plan
- RBI/2008-09/495 - IT based systems – Business Continuity and DR Operations
- RBI/2004-05/420 - Operational Risk Management - Business Continuity Planning
- Note - The Reserve Bank of India is India's central bank. The listed requirements were created together with:
- Securities & Exchange Board of India, (SEBI)
- National Stock Exchange (NSE)
- Bombay Stock Exchange (BSE)
INDONESIA:
- Circular Letter No. 9/30/DPNP - Risk Management in the Use of Information Technology by Commercial Banks (March 31st, 2008)
- This regulation requires BCP documentation and testing at least annually with focus placed on Bank Indonesia RTGS system. Also, it requires Internal Audit to conduct an audit at least annually and provide report to Bank Indonesia.
JAPAN:
- Bank of Japan
- Questionnaire Survey on Business Continuity Management
- Detailed Survey Results Dec 2006
- The Bank develops and continually revises business continuity plans for functions such as circulation of banknotes and operation of payment and settlement systems, in order to carry out its responsibilities in times of disaster. The Bank trains its staff and conducts emergency drills on a regular basis to ensure a timely and appropriate response.
- The Bank also coordinates with relevant parties for effective business continuity planning at payment and settlement systems, at the market level, and in the financial system as a whole. For example, the Bank tests contingency procedures with market participants and with related administrative institutions, based on various scenarios including large-scale earthquakes.
KENYA:
- Central Bank of Kenya (CBK) Prudential Guideline on Business Continuity Management (BCM) for Institutions Licensed under the Banking Act
- Key Highlights: This prudential guideline requires institutions licensed under the Banking Act to implement and maintain business continuity plans.
LATVIA: Bank of Latvia (Latvijas Banka)
MALAYSIA:
- Bank Negara Malaysia (BNM), Guidelines on Business Continuity Management for Banking Institutions BNM/RH/GL 013-3, 30 July 2008
- Draft Malaysian Standard 2- Business Continuity Framework - 2006
- This Malaysian Standard was developed by the Working Group on Business Continuity Management under the authority of the Information Technology, Telecommunication and Multimedia Industry Standards Committee.
- Guidelines on Management of IT Environment BNM/RH/GL 013-3
- The guidelines outline the minimum responsibilities and requirements for planning and managing the IT environment, as well as for establishing the preventive and detective measures institutions should implement to mitigate IT-related risks.
- Notes - These guidelines are applicable to all institutions under the purview of the Bank, with effect from 1 January 2008
MALTA:
- Central Bank of Malta, Directive No 6: Harmonised Conditions for Participation in TARGET2-Malta - Guidelines on Business Continuity and Contingency Procedures, Appendix IV, 2008
NEW ZEALAND:
- Civil Defence Emergency Management Act 2002
- The purpose of this Act is to improve and promote the sustainable management of hazards in a way that contributes to the social, economic, cultural, and environmental well-being and safety of the public and also to the protection of property; and encourage and enable communities to achieve acceptable levels of risk.
PAKISTAN:
- State Bank of Pakistan (SBP); Risk Management - Guidelines for Commercial Banks & DFIs
- Key Highlights: The State Bank of Pakistan requires Commercial Banks & DFIs to have business continuity plans.
- Guidelines on Risk Management 5.10.1 Banks should have in place contingency and business continuity plans to ensure their ability to operate as going concerns and minimize losses in the event of severe business disruption
- Notes - Based upon the Basel Committee's Joint Forum "High-level principles for business continuity"
PHILIPPINES:
- Bangko Sentral ng Pilipinas, Circular Letter, 10 Mar 2001
- BSP Circular Letter (2001) - Business Continuity Plan
- This regulation requires a comprehensive and updated business continuity plan as an integral part of the risk management process of all financial institutions. The overall goals of this business continuity plan must be to:
- Ensure that there will be minimal disruption of bank operations
- Minimize financial losses through lost business opportunities or asset deterioration, and
- Ensure a timely resumption of normal operations.
- Notes - This Regulation requires submission and validation of business continuity plan by all Non-Bank Financial Institutions With Quasi-Banking Functions (NBQBs), Investment Houses (IHs) With Trust Functions, Non-Stock Savings And Loan Associations (NSSLAs), AND All Other Non-Bank Financial Institutions (NBFIs) Which are Subsidiaries or Affiliates of Banks or NBQBs.
- BSP Memorandum (2004) - MAB/NBFIs - Establishment of Back-Up Operation Centers and Data Recovery Sites
- This regulation, enforced by audit, requires all banks to set up a disaster recovery facility.
- Notes - Responsibilities on Business Continuity
- Subject: Back-up Operations Centers and Data Recovery Sites
POLAND:
- National Bank of Poland Business continuity of payment and securities settlement systems infrastructure
RUSSIA:
- Central Bank of the Russian Federation (STO BR IBBS-1.0-2006)
SINGAPORE:
- Monetary Authority of Singapore (MAS), Business Continuity Management Guidelines, June 2003
- Key Highlights: A consultation paper with seven principles for Business Continuity Planning. In June 2003 the Monetary Authority of Singapore (MAS) published Business Continuity Guidelines for regulated institutions (the banking, insurance, securities and futures industries). The guidelines set out sound BCM principles; institutions are encouraged to adopt them and to develop implementation plans that take their business activities and operating environment into account.
- Singapore Stock Exchange Business Continuity Policy Rule 4.6.21 dated 22 January 2009
- MAS SPRING Singapore BCM Fact Sheet 2006
- Rule 3.5.4(1) requires Clearing Members to maintain adequate business continuity arrangements, and document such arrangements in a business continuity plan.
- MAS Business Continuity Management Guidelines (June 2003)
- Seven guiding principles covering senior management responsibility for BCM; embedding BCM into business-as-usual activities; incorporating sound practices; testing BCPs regularly, completely and meaningfully; and developing recovery strategies and setting recovery time objectives (RTOs).
SOUTH AFRICA:
- Banks Act (94/1990)
- This act provides for the regulation and supervision of the business of public companies taking deposits from the public; and to provide for matters connected therewith.
- Notes - This act was amended most recently in 2007
- Disaster Management Act (2002) - South Africa
- This is an integrated and co-ordinated disaster management policy that focuses on preventing or reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid and effective response to disasters and post-disaster recovery; the establishment of national, provincial and municipal disaster management centres and disaster management volunteers.
- Disaster Management Act No. 57 of 2002
- Proposed national disaster management framework. One of the main reasons South Africa's DM Act is recognised internationally as a model for disaster risk management best practice is that it gives effect to the concept of mainstreaming disaster risk reduction into development through legislation.
- Notes - A draft bill including amendments to the Disaster Management Act is expected to be presented to Parliament in 2013.
- Major Hazard Installation Regulations, 1993
- These regulations define emergency plans: an emergency plan is a plan in writing which, on the basis of identified potential incidents at the installation and their consequences, describes how such incidents and their consequences should be dealt with.
- Notes - Subject to the provisions of sub-regulation (3), these regulations shall apply to employers, self-employed persons and users, who have on their premises, either permanently or temporarily.
- Major Hazard Installations Regulations (2001)-South Africa
- Major Hazard Installations Regulations [PDF] regulates employer responsibility for the health and safety of workers as well as the public in or in the vicinity of the workplace.
- Significant Dates, Fines, Penalties
- Any person who contravenes or fails to comply with any provision of regulations shall be guilty of an offence and on conviction be liable to a fine or imprisonment for a period of 12 months and, in the case of a continuous offence, to an additional time or imprisonment for each day on which the offence continues: Provided that the period of such additional imprisonment shall not exceed 90 days.
- Notes - Regulation Gazette No. 7122 Vol. 433 Pretoria 30 July 2001 No. 22506
- Oversight of the South African National Payment System
- One of the requirements for participation in the SAMOS system is to have sufficient business continuity planning (BCP) and DR facilities in place.
- Notes - SAMOS and CLS Business Continuity Procedures for SA Reserve Bank and National Payment System Participants
- Public Finance Management Act, 1999- DRAFT Treasury Relations
- Unable to find anything specific to BC or DR… “availability of financial information” was included
SRI LANKA:
- Insurance Board of Sri Lanka Guidelines on Business Continuity Plan
THAILAND:
- Bank of Thailand (BOT), 118/2550 - Submitting Policy Statement on Business Continuity Management (BCM) and Business Continuity Plan (BCP) of Financial Institutions, January 2007
- Key Highlights: These guidelines (translated from Thai) require financial institutions to have business continuity plans. The policy statement requires business continuity management, including the establishment of policies, standards and operating procedures across the entire organisation.
UNITED KINGDOM:
- FSA, Business Continuity Practice Guides, Nov 2006
- Key Highlights: See also the Resilience Benchmarking Project: Discussion Paper, June 2008.
- Civil Contingencies Act 2004
- This is an Act to make provision about civil contingencies. It outlines and defines the duty to assess, plan and advise.
- Civil Contingencies Bill (Bill 53, Feb 2004)
- This regulation includes:
- Local arrangements for civil protection
- Duty to assess, plan and advise
- Advice and assistance to business
- Requires persons or bodies listed in the document to assess the risk of an emergency and maintain plans for the purpose of ensuring that if an emergency occurs that the persons or bodies are able to continue to... ...
- Financial Services Authority Handbook
- The purpose of REC 3.16 is to ensure that the FSA receives a copy of the UK recognised body's plans and arrangements for ensuring business continuity if there are major problems with its computer systems.
- SYSC 13.8 (External events and other changes) and SYSC 3.2.19 G (Unexpected changes and business continuity management) provide high-level guidance on business continuity.
- SYSC 13.9 (Outsourcing) calls for consideration of concentration risk, such as the business continuity implications that arise if a single service provider is used by several firms, and of the extent to which a service provider will provide business continuity for outsourced operations.
- Notes - Breaching a Principle makes a firm liable to disciplinary sanctions. In determining whether a Principle has been breached it is necessary to look to the standard of conduct required by the Principle in question. Under each of the Principles the onus will be on the FSA to show that a firm has been at fault in some way. What constitutes "fault" varies between different Principles.
UNITED STATES OF AMERICA:
- ACH (Federal Reserve's Automated Clearinghouse Association)
- This regulation requires a 6 year file retention on all ACH transactions. An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions.
- Significant Dates, Fines, Penalties: Fines for non-compliance not exceeding $10,000, or imprisonment not exceeding ten years, or both.
- Notes: Log-in is required to access the file, but non-member log-ins are granted read-only access.
- 6 CFR (Code of Federal Regulations) Part 29: Procedures for Handling Critical Infrastructure Information (Aug 2009)
- This code regulates:
- The continuity of operations for critical infrastructure
- The disclosure of critical infrastructure information to the government
- ANSI (American National Standards Institute)/ARMA (Association of Records Managers and Administrators)5-2010 Vital Records Programs.
- This standard sets the requirement for the establishment of a Vital Records Program. It includes clarifications of what a Vital Records Program encompasses and the requirements for identifying and protecting vital records, assessing and analyzing their vulnerability, and determining the impact of their loss on the organization.
- Bulletin R-67
- Notes - Rescinded 7/10/1989. Comptroller of the Currency BC-177 (1983, 1987) supersedes Federal Home Loan Bank Bulletin R-67.
- California SB 1386 - Security of Non-Encrypted Customer Information (July 1, 2003)
- The bill requires any agency, person or business that conducts business in California and owns or licenses computerized data containing personal information to notify the owner or licensee of the information of any breach of the security of the data.
- Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
- This act makes it a federal offense to produce, buy, sell or transfer a credit card or other access device that is counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or possess equipment used to produce such fraudulent access devices.
- Consumer Credit Protection Act (CCPA) of 1992, Section 2001 Title IX- Electronic Funds Transfer
- The purpose of this title is to provide a basic framework for establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. The primary objective of this title, however, is the provision of individual consumer rights.
- Significant Dates, Fines, Penalties
- The Act takes effect upon the expiration of eighteen months from the date of its enactment, except that sections 909 and 911 take effect upon the expiration of ninety days after the date of enactment
- Fines of not more than $10,000 or imprisonment for non-compliance
- Electronic Fund Transfer Act (EFTA)
- The Act establishes the basic rights, liabilities and responsibilities of consumers who use electronic fund transfer services and of the financial institutions that offer them. BCP is expected to meet a “reasonable standard of care”.
- Fair Credit Reporting Act
- This Act:
- Ensures credit information is accurate and up-to-date
- Designed to promote accuracy and ensure the privacy of the information used in consumer reports
- Significant Dates, Fines, Penalties
- Civil penalty of not more than $2,500 per violation
- State action of damages of not more than $1,000 for each willful or negligent violation
- FDICIA –Federal Deposit Insurance Corporation Improvement Act of 1991
- This act requires all FDIC-insured depository institutions with total assets of $500 million or more to certify at the beginning of each year that their internal control systems are functioning effectively.
- Notes - Last updated December 3, 2009
- Federal Acquisition Regulation; Electronic Funds Transfer Final Rule
- This regulation addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government
- FFIEC BCP Handbook: Business Continuity Planning (May 2003), IT Examination Handbook
- This Handbook emphasizes that business continuity planning is about maintaining, resuming and recovering the whole business.
- The planning process should start from a business impact analysis and risk assessment, which the Handbook encourages as the foundation of an effective BCP, and should be followed by testing
- Significant Dates, Fines, Penalties
- Ineffective or incomplete BC plans may lead to qualified examination reports and loss of trust by regulators and the financial market
- FFIEC Policy SP-5
- This is a policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.
- Significant Dates, Fines, Penalties
- This policy was issued in July 1989
- Notes - With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded, including SP-5, Interagency Policy on Contingency Planning for Financial Institutions
- Financial Institutions Reform, Recovery, and Enforcement Act- (FIRREA) of 1989; (P.L. 101-73 1989 HR 1278)
- This legislation allows regulators/examiners to impose civil penalties for violations of or non-compliance with regulations, laws, temporary agency orders or any breach of a written agreement between an agency and the institution. FIRREA (pronounced “fie-ree-ah”) is federal legislation passed in 1989 in response to the banking and savings and loan crisis, the FDIC bailout, and the bankruptcy of the Federal Savings and Loan Insurance Corporation (FSLIC). It reorganized much of the oversight and regulatory framework for financial institutions and created the Resolution Trust Corporation (now defunct) to receive and liquidate assets from failed financial institutions.
- Significant Dates, Fines, Penalties
- Whoever violates any provision of law to which this section is made applicable by subsection (c) of this section shall be subject to a civil penalty in an amount assessed by the court in a civil action under this section.
- Maximum amount of penalty:
- (Generally)- The amount of the civil penalty shall not exceed $1,000,000.
- Special Rule for Continuing Violations- In the case of a continuing violation, the amount of the civil penalty may exceed the amount described in paragraph (1) but may not exceed the lesser of $1,000,000 per day or $5,000,000.
- FISMA: Federal Information Security Management Act of 2002
- This Act details requirements to
- Assess Risk
- Determine levels of security necessary to protect such information
- Periodically test and evaluate information security controls and techniques
- Develop plans and procedures to ensure continuity of operations
- Foreign Corrupt Practices Act of 1977: (P.L. 95-213) Section 13(b)(2).
- Under this provision, directors and officers can be held liable for “failure to enact standards of care”, including where they fail to document the assessment process by which they decided not to develop a contingency plan.
- Significant Dates, Fines, Penalties
- This policy was issued in 1977
- Civil penalties can range from $5000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
- Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines
- FRB (Federal Reserve Banks) SR 03-5
- SUBJECT: Amended Inter-agency Guidance on the Internal Audit Function and its Outsourcing (SR 03-5)
- Supersedes: Outsourcing of Information and Transaction Processing; cross reference: SR letter 97-35
- GAO Supplier Requirements
- These are requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services.
- Notes - This will apply to all organisations providing supplies or services to GAO or Federal Agencies.
- Gramm-Leach-Bliley Act of 1999, section 501 (b): (P.L. 106-102 1999 S 900)
- Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The act includes record-retention requirements.
- Significant Dates, Fines, Penalties
- Effective as of July 1,2001
- The Bank must report to the board annually
- HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7. Contingency Plan (164.308(a)(7)(i))
- The required contingency plan comprises a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis.
- It includes specific BCM points
- It can be applied to any organization
- Significant Dates, Fines, Penalties
- Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include:
- A fine of not more than $50,000 and/or imprisonment of not more than 1 year;
- If the offense is ‘‘under false pretenses,’’ a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and
- If the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
- Inter-agency Paper for Strengthening the Resilience of US Financial System (May 2003; Implementation in 2007)
- During discussions about the lessons learnt from September 11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the U.S. financial system as a whole:
- Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
- Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
- A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
- Firms that Play Significant Roles in Critical Financial Markets
- As a guideline, the agencies consider a firm significant in a particular critical market if it consistently clears or settles at least five percent of the value of transactions in that critical market.
- Significant Dates, Fines, Penalties
- For Market Utilities and Core Clearing and Settlement Agencies, the goal to meet objectives is end of 2004.
- For Significant Role Firms, the goal is no later than 2006.
- IRS Procedure 91-59 (Superseded IRS Procedure 86-19)
- This Procedure:
- Provides the basic requirements to those institutions that utilize computerized records
- Requires computer records containing tax information
- Requires off-site protection and documentation of computer records maintaining tax information
- The purpose of this revenue procedure is to specify the basic requirements that the Internal Revenue Service considers to be essential in cases where a taxpayer's records are maintained within an Automatic Data Processing system (ADP). This revenue procedure updates and supersedes Rev. Proc. 91-59, 1991-2 C.B. 841
- NASD Rule 108 (Sept 9, 02) and SR-NASD-2002-112 (March 10, 03)
- Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.
- It must update its plan in the event of any material change to the member's operations, structure
- NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans
- Requires a Business Continuity Plan addressing:
- Alternate communications between customers, firm and employees
- Business constituent, bank and counter party impact
- Regulatory Reporting
- Mission Critical Systems
- Operational and Finance
- NASD Rule 3500: Emergency Preparedness Part 3520: Emergency Contact Information
- Rule 3520 requires NASD members to provide NASD with emergency contact information and to update that information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons whom NASD may contact in an emergency.
- NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
- The Rule requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
- NYSE Rule 446: Business Continuity and Contingency Planning
- Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption.
- A yearly review of the business continuity plan must be conducted (amended in September 2008).
- Notes - NYSE Rule 446 is no longer current. The NYSE, along with NASD, has adopted FINRA Rule 4370.
- OSHA - Occupational Safety and Health Administration
- Disaster preparedness
- OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP).
- For businesses with 10 or fewer employees, a written plan is not mandated but is recommended.
- Privacy Act of 1974 (5 USC 552a)
- This Act requires the management to safeguard and to keep the information accurate and current to protect the individual.
- Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763)
- Section 404. Management Assessment of Internal Controls
- Section 409. Real Time Issuer Disclosures
- Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
- Notes - Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls. Relevant for publicly held companies in the U.S.
- Telecommunications Act of 1996
- The act was intended to promote competition in the telecommunications industry. Section 256 gives the FCC the right to oversee that telecommunications networks "seamlessly and transparently transmit and receive information between and across telecommunications networks."
- The FCC’s Network Reliability and Inter-operability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org)
- USA Patriot Act of 2001: (P.L. 107-56 2001 HR 3162)
- This act applies to all Financial Institutions in the U.S. and any individual responsible for an act of terror defined by the Act. Business continuity implications include records protection and availability. Most frequently enforced for compliance purposes.
- Note - The act specifically targets financial institutions in an effort to reduce terrorist money laundering by requiring minimum standards of identification to open accounts, periodic reporting of suspicious activity, and the integration of anti-money laundering programs.
Energy Specified
- FERC COOP 2007 Continuity of Operations Plan
- FERC RM01-12-00
- NERC CIP 002-009 2006