Regulations and Standards for Business Resiliency
Security, DR, and BC: Key USA-specific and International examples
4/21/2010 1 © 2010 TPComps LLC
Agenda
- Sources and Notes
- Difference between Regulations and Standards
- Regulations Review
- Standards Review
Sources and Notes
- Information based on DRJ's 2010 Rules and Regulations matrix and Internet research
- Only regulations and standards applicable across most industry categories are included here
- Industry categories covered: Banking and Finance; Public Health & Healthcare; Transportation & Shipping; Energy Industry; Agriculture, Food Supply & Water; Information Distribution & Communications; Government & Public Agencies
- * indicates a non-applicable regulation or standard
Regulation vs. Standard

Regulation
a: an authoritative rule dealing with details or procedure
b: a rule or order issued by an executive authority or regulatory agency of a government and having the force of law
- Enforceable, with potential penalties for noncompliance
- Tells you what you have to do but not how to do it, generally

Standard
a: something established by authority, custom, or general consent as a model or example
b: something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality
- General guideline or framework
- Tells you how to do what you have to do, generally
Regulations
Common USA or International laws having some component that addresses issues of BR
OSHA - Occupational Safety and Health Administration *
USA - Occupational Safety and Health Administration
Effective date: 1970 and various dates since
- Disaster preparedness is addressed in 29 CFR 1910.38, subpart E
- OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP). For businesses with 10 or fewer employees, a written plan is not mandated but is recommended.
Status: Invocation @ Incident (I) - likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
http://www.osha.gov/SLTC/emergencypreparedness/index.html
Privacy Act of 1974 (5 U.S.C. §552a) *
USA - Department of Justice
Effective date: 1974 and dates since
- Requires management to safeguard personal information and to keep it accurate and current in order to protect the individual.
- Damage awards start at $1,000, in addition to "the costs of the action together with reasonable attorney fees as determined by the court"
Status: Invocation @ Incident (I) - likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
http://www.justice.gov/opcl/privstat.htm
Prudent Man Concept *
International - Common Law - Negligence Liability
Effective date: September 2, 1974 and dates since
U.S. Code Title 29, Chapter 18, subchapter I, subtitle B, part 4, § 1104
- As per the Uniform Commercial Code, the legal standard used to determine whether appropriate action was taken in a particular situation.
- Directors, senior management, officers and agents, when working for an organization, are considered to be in a position of fiduciary responsibility.
- Uniform Commercial Code: any company, regardless of its industry, is expected to exercise due care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners.
- Due care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due care is seen in the same light by state and federal courts.
Status: Invocation @ Incident (I) - likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
http://www.law.cornell.edu/uscode/html/uscode29/usc_sec_29_00001104----000-.html
Foreign Corrupt Practices Act of 1977 and Public Law 95-213, Section 13(b)(2) *
USA - US Department of Justice
Effective date: December 1977
- Policy states that directors and officers can be held liable for "failure to enact standards of care" and should they fail to document the assessment process used in determining not to develop a contingency plan.
- Civil penalties can range from $5,000 to $100,000 for individuals and from $50,000 to $500,000 for business entities
- Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2 million in fines for businesses and up to $100,00 for others, with 5 years imprisonment
Status: Invocation @ Incident (I) - likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
http://www.justice.gov/criminal/fraud/fcpa/docs/fcpa-english.pdf
GAO Supplier Requirements
USA - Government Accountability Office
Effective date: multiple dates
- Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services
- Will apply to all organizations providing supplies or services to GAO or federal agencies
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.gao.gov
Telecommunications Act of 1996, an Amendment of the FCC Telecommunications Act of 1934
USA - Federal Communications Commission
Effective date: April 1996
- The act was intended to promote competition in the telecommunications industry.
- Section 256 gives the FCC the right to oversee that telecommunications networks "seamlessly and transparently transmit and receive information between and across telecommunications networks."
- The FCC's Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry (www.nric.org).
Status: Enforced (E) - most frequently enforced for compliance purposes
www.fcc.gov/telecom.html
IRS Procedure 98-25 (supersedes IRS Procedure 91-59 and 86-19) *
USA - Internal Revenue Service
Effective date: January 1998
- Legal requirements for computer records containing tax information.
- Requires off-site protection and documentation of computer records maintaining tax information
Status: Invocation @ Incident (I) - likely to be invoked or brought to bear as a result of an "incident" occurring involving your organization
http://www.uiowa.edu/~fusrmp/irsruling98-25.html
Federal Acquisition Regulation; Electronic Funds Transfer Final Rule *
USA - Securities and Exchange Commission
Effective date: March 1999
- Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government (Subpart 32.1104)
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.fms.treas.gov/eft/regulations/fareft.txt
Computer Fraud and Abuse Act *
USA - FTC (Federal Trade Commission)
Effective date: 2001, et al.
- Makes it a federal offense to produce, buy, sell or transfer a credit card or other access device that is counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices.
- Section 1030(e) speaks of data and storage
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.panix.com/~eck/computer-fraud-act.html
USA Patriot Act of 2001 (P.L. 107-56, 2001 HR 3162) *
USA - Department of Homeland Security
Effective date: October 2001
- The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs.
- Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.epic.org/privacy/terrorism/hr3162.html
Sarbanes-Oxley Act of 2002 (P.L. 107-204, 2002 HR 3763) - Section 404
USA - Public Company Accounting Oversight Board
Effective date: January 2002
- Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls:
  - Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
  - Vital records creation and maintenance
- Non-complying organizations may receive qualified opinions on their internal controls from their external auditors.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Sarbanes-Oxley Act of 2002: Section 409
USA - Public Company Accounting Oversight Board
Effective date: January 2002
- Issuers must disclose information on material changes in financial condition on a regular basis
- Areas assessed include:
  - Potential for data loss (ability to identify and rebuild lost transactions and source documentation)
  - Vital records creation
- If an IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinions.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
FISMA: Federal Information Security Management Act *
USA - Federal Trade Commission
Effective date: December 2002
- Details requirements to:
  - Assess risk
  - Determine levels of security necessary to protect such information
  - Periodically test and evaluate information security controls and techniques
  - Develop plans and procedures to ensure continuity of operations
- May apply to organizations and institutions communicating with, or performing work for or on behalf of, a federal agency
- H.R. 2548-48, Title III, sec 301
Status: Enforced (E) - most frequently enforced for compliance purposes
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
ANSI/ARMA 5-2003 Vital Records Programs
USA - American National Standards Institute / Association of Records Managers and Administrators
Effective date: March 2003
- Addresses the development and implementation of a vital records program within the context of a formal records management program.
- Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster, since they document an organization's legal and financial position and preserve the rights of employees, customers and stockholders.
- Specific procedures addressed include: vital records analysis and selection, records protection methods, and the overall administration of a vital records program.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2FARMA+5-2003
HIPAA (Health Insurance Portability and Accountability Act): Security and Contingency Plans, 164.308(a)
USA - Government Accountability Office
Effective date: April 2003
- Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis.
- Includes specific BCM points
- Applies to any organization
- Section 1177 establishes penalties for any person that knowingly uses, obtains, or discloses individually identifiable health information in violation of the part. The penalties include fines from <$50,000 to <$250,000 and/or imprisonment of <1 to <10 years, depending on the offense
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.nchica.org/HIPAAResources/Security/rule.htm
California SB 1386 - Security of Non-Encrypted Customer Information *
USA - State of California
Effective date: July 2003
- 44 other states have similar laws, including Ohio
- The bill requires all agencies, persons, or businesses that conduct business in California and that own or license computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.legalarchiver.org/sb1386.htm
6 CFR Part 29: Procedures for Handling Critical Infrastructure Information
USA - Code of Federal Regulations
Effective date: September 2006
- Continuity of operations for critical infrastructure
- Disclosure of critical information to the government
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://ecfr.gpoaccess.gov
Federal Continuity Directives (FCD) 1 & 2
USA - Department of Homeland Security (DHS)
Effective date: February 2008
- Acknowledges that government operations / services "cannot be performed without the robust involvement of [Non-Federal Governments] and the private sector."
- FCD 1 provides direction for the development of continuity plans and programs for the Federal Executive branch.
- FCD 2 provides additional guidance for the Departments and Agencies in identifying their Mission Essential Functions (MEFs) and potential P/MEFs, along with direction for Departments and Agencies conducting Business Process Analyses (BPAs) and Business Impact Analyses (BIAs).
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.fema.gov/news/newsrelease.fema?id=45287
FFIEC BCP Handbook: Business Continuity Planning "IT Examination Handbook" *
USA - Federal Financial Institutions Examination Council
Effective date: March 2008
- Emphasizes that business continuity planning is about maintaining, resuming and recovering the whole business
- Planning should occur for a BCP
- BIAs and RAs are encouraged as the foundation of an effective BCP
- Testing is needed
- Ineffective or incomplete BCPs may lead to qualified examination reports and loss of trust by regulators and financial markets
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bcp_00.html
Securities and Exchange Act of 1934 (15 U.S.C. A78A), Rule 17a-4 *
USA - Securities and Exchange Commission
Effective date: October 13, 2009 - latest amendments
- Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources.
- A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.sec.gov/about/laws/sea34.pdf
http://www.sec.gov/about/laws.shtml#secexact1934
Securities and Exchange Act of 1934, Sections 32(a) and (b) *
USA - Securities and Exchange Commission
Effective date: October 13, 2009 - latest amendments
- Policy addresses criminal liability of directors and officers for failure to:
  - Protect computerized information
  - Document the process used to assess risks of information loss
  - Exercise "duty of care"
- Burden of proof lies with the directors and officers
- Potential fines imposed include personal fines up to $5,000,000 and/or imprisonment up to 20 years, and corporate fines up to $25,000,000.
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.law.uc.edu/CCL/34Act/sec32.html
Private Sector Preparedness Accreditation and Certification Program (PS-Prep), Title IX of US Public Law 110-53
USA - Federal Emergency Management Agency (FEMA)
Effective date: August 2009; signed into law on August 3, 2007
- Designed to encourage private businesses to develop their resiliency plans
- Establishes a common set of criteria for private sector preparedness, including disaster management, emergency management and business continuity programs
- The goal of this voluntary program is to enhance nationwide resilience in an all-hazards environment by improving private sector preparedness.
Status: Ambiguous (A) - further clarification regarding strong ties with business continuity needs to happen; Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.fema.gov/news/newsrelease.fema?id=45287
Standards
Common USA or International criteria having some component that addresses issues of DR / BC
FEMA 141: Disaster Planning Guide for Business and Industry
USA - Federal Emergency Management Agency
Effective date: October 1993
- Designed to provide guidance for business and industry officials to plan for, respond to, and recover from disasters.
- A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
- Includes information on specific hazards
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.fema.gov/pdf/business/guide/bizindst.pdf
http://www.fema.gov/business
Terrorism: Real Threats, Real Costs, Joint Solutions
USA - The Business Roundtable
Effective date: June 2003
- The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat.
- Recommends various tools and procedures for government to use when regulating and outlines the difficulty of allocating the costs of security.
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector
USA - Financial Services Sector Coordinating Council for Critical Infrastructure Protection
Effective date: May 2004
- Ensuring the resiliency of the nation, to minimize the damage from, and expedite the recovery from, attacks that do occur.
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
https://www.fsscc.org/fsscc/reports/2006/Bank_Finance_SSP_061213.pdf
http://digital.library.unt.edu/govdocs/crs/permalink/meta-crs-7844:1
http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
COSO Enterprise Risk Management Framework *
USA - Committee of Sponsoring Organizations of the Treadway Commission
Effective date: September 2004
- Defines essential enterprise risk management (ERM) components
- Discusses key ERM principles and concepts
- Suggests a common ERM language
- Provides clear direction and guidance for enterprise risk management
- Cross compatibility with SOX and other legislation
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
NFPA 232: Standard on Protection of Records
USA - National Fire Protection Association
Effective date: August 2006
- Standards for protection of business records, archives and records centers.
- Addresses record types with storage requirements: Vital, Important, Archival, Permanent, Active, Inactive, and Unscheduled
- Addresses salvage and post-incident procedures
- Cross compatibility with ANSI/ARMA 5 and UL 72 & 155
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232
CobiT - Control Objectives for Information and related Technology v4.1
USA - IT Governance Institute Standards
Effective date: May 2007
- Generally accepted control objectives for information technology.
- Domains include: Planning and Organization; Acquisition and Implementation; Delivery and Support; Monitoring and Evaluation
- Areas reviewed for compliance
- Cross compatibility with ITIL v3, NIST SP 800-53, CMMI v1.2, ISO/IEC 17799:2005, PMBOK, PRINCE2, SEI CMM, and TOGAF 8.1
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
ITIL v3 - IT Infrastructure Library
International - IT Infrastructure Library
Effective date: August 2007
- Global standard in the area of service management. ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world.
- Provides a cohesive set of best practice, drawn from the public and private sectors internationally.
- Contains comprehensive, publicly accessible specialist documentation on the planning, provision and support of IT services
- Cross compatibility with BS 15000 & ISO/IEC 20000
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.ogc.gov.uk/guidance_itil.asp
BS (British Standard) 25999, parts 1 and 2
International - British Standards Institute
Effective date: December 2006 / November 2007
- BS 25999-1 is a BCM code of practice; it replaces PAS 56
- BS 25999-2 is a specification for business continuity management.
- NOTE: the BS 25999 standard must be purchased.
- Follows the Plan-Do-Check-Act methodology
- Possible use with PS-Prep
- Cross compatibility with ISO 17021, NFPA 1600
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.w3j.com/xml
ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management
International
Effective date: June 2008
- Continuation of the ISO 27000 series of standards
- The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management
- Cross compatibility with ISO/IEC 27001
- Revises and supersedes the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.iso27001security.com/html/27005.html
http://www.27000.org
ASIS American National Standard (SPC.1-2009) Organizational Resilience
USA - American Society for Industrial Security
Effective date: March 2009
- A comprehensive management systems approach for Organizational Resilience: Security, Preparedness, and Continuity Management Systems
- Includes guidance for response, mitigation, business / operational continuity, and recovery for disruptive incidents resulting from an emergency, crisis or disaster.
- Cross compatibility with ISO 9001:2000, ISO 14001:2004, ISO/IEC 27001:2005, and the PDCA model
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf
NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
USA - National Fire Protection Association
Effective date: June 2009, supersedes previous
- Applies to electrical feeds from UPS, generators, and external power supplies
- Some types of UPSs are excluded from this standard
- Covers installation and maintenance
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111
NIST SP 800-34 Contingency Planning Guide *
USA - National Institute of Standards and Technology
Effective date: July 2002; new draft October 2009
- Details the fundamental planning principles necessary for developing an effective contingency capability.
- Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
- Cross compatibility with P.L. 106-398 & 100-235, IATF, GAO
Status: Enforced (E) - most frequently enforced for compliance purposes
http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
USA - National Fire Protection Association
Effective date: December 2009
- Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
- Cross compatibility with DRII, CSA Z1600, FEMA, NIST 800, ANSI/ARMA 5
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
Statement on Auditing Standards (SAS) 70 audit reports *
USA - American Institute of Certified Public Accountants
Effective date: October 1958 - June 2010
- Represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes.
- Two different types of audits: Type I and Type II. Type I is a point in time; Type II covers a minimum of 6 months of operations
- Statement on Standards for Attestation Engagements (SSAE) No. 16 will replace SAS 70 in June 2010
Status: Enforced (E) - most frequently enforced for compliance purposes
http://www.sas70.com
DRI International - "Ten Professional Practices for Business Continuity Professionals" *
International - Disaster Recovery Institute International
Effective date: in current draft review
- Professional practice letters include developing business continuity management strategies and other contingency planning
- Areas reviewed include: Program Initiation and Management; Risk Evaluation and Control; Business Impact Analysis; Business Continuity Strategies; Emergency Response and Operations; Business Continuity Plans; Awareness and Training Programs; Business Continuity Plan Exercise, Audit and Maintenance; Crisis Communications; Coordination with External Agencies
- Cross compatibility with FEMA 141, HS-1 & SM 170; NCRP 111; NFPA 99, 130; NRT-1; NUREG-0654 & -0849; ARC 33050M; and others
Status: Watch List (W) - participating members should be looking for the presence of this item within the coming months/years
https://www.drii.org/docs/profprac_details.pdf
Emma cyber bullying slide.katnaylan
 

Viewers also liked (9)

Leon classical music
Leon classical musicLeon classical music
Leon classical music
 
Wills presentation
Wills presentationWills presentation
Wills presentation
 
Hip hop inquiry 2011
Hip hop inquiry 2011Hip hop inquiry 2011
Hip hop inquiry 2011
 
Juggling inquiry
Juggling inquiryJuggling inquiry
Juggling inquiry
 
Lillian's tap dancing
Lillian's tap dancingLillian's tap dancing
Lillian's tap dancing
 
Nothern Ohio Crisis Team
Nothern Ohio Crisis TeamNothern Ohio Crisis Team
Nothern Ohio Crisis Team
 
Petanque
PetanquePetanque
Petanque
 
Emma cyber bullying slide.
Emma cyber bullying slide.Emma cyber bullying slide.
Emma cyber bullying slide.
 
Bass guitar
Bass guitarBass guitar
Bass guitar
 

Similar to Regulations And Standards For DR

Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!catherinecoulter
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!catherinecoulter
 
WEA-RFMConference2012-Franasiak
WEA-RFMConference2012-FranasiakWEA-RFMConference2012-Franasiak
WEA-RFMConference2012-FranasiakEric Robins, Esq.
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptSamir Jha
 
All's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareAll's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareNationalUnderwriter
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)Craig Mullins
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Servicegorsline
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docxhyacinthshackley2629
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
2021 SEC Whistleblower Practice Guide
2021 SEC Whistleblower Practice Guide2021 SEC Whistleblower Practice Guide
2021 SEC Whistleblower Practice GuideBenjamin Tugendstein
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Case for-secure-email-encryption
Case for-secure-email-encryptionCase for-secure-email-encryption
Case for-secure-email-encryptionNeoCertified
 

Similar to Regulations And Standards For DR (20)

Dc fcpa tour final ho
Dc fcpa tour final hoDc fcpa tour final ho
Dc fcpa tour final ho
 
Wlf fcpa slides
Wlf fcpa slidesWlf fcpa slides
Wlf fcpa slides
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
Aet wk 6
Aet wk 6 Aet wk 6
Aet wk 6
 
Cybersecurity & data privacy whistleblower incentives and protections
Cybersecurity & data privacy whistleblower incentives and protectionsCybersecurity & data privacy whistleblower incentives and protections
Cybersecurity & data privacy whistleblower incentives and protections
 
WEA-RFMConference2012-Franasiak
WEA-RFMConference2012-FranasiakWEA-RFMConference2012-Franasiak
WEA-RFMConference2012-Franasiak
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.ppt
 
All's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareAll's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber Warfare
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
 
201 CMR 17.00
201 CMR 17.00201 CMR 17.00
201 CMR 17.00
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
2021 SEC Whistleblower Practice Guide
2021 SEC Whistleblower Practice Guide2021 SEC Whistleblower Practice Guide
2021 SEC Whistleblower Practice Guide
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Case for-secure-email-encryption
Case for-secure-email-encryptionCase for-secure-email-encryption
Case for-secure-email-encryption
 

Recently uploaded

History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfSasikiranMarri
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxSasikiranMarri
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdfPNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfDolisha Warbi
 
97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAAjennyeacort
 
SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptMumux Mirani
 
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptx
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptxSYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptx
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptxdrashraf369
 
Apiculture Chapter 1. Introduction 2.ppt
Apiculture Chapter 1. Introduction 2.pptApiculture Chapter 1. Introduction 2.ppt
Apiculture Chapter 1. Introduction 2.pptkedirjemalharun
 
Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!ibtesaam huma
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxNiranjan Chavan
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxdrashraf369
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Prerana Jadhav
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus  for undergraduate.pptxepilepsy and status epilepticus  for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptxMohamed Rizk Khodair
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...sdateam0
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxDr.Nusrat Tariq
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND  ITS  MANAGEMENT.pdfPULMONARY EDEMA AND  ITS  MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdfDolisha Warbi
 
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
The next social challenge to public health: the information environment.pptx
The next social challenge to public health:  the information environment.pptxThe next social challenge to public health:  the information environment.pptx
The next social challenge to public health: the information environment.pptxTina Purnat
 
Report Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxReport Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxbkling
 
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptx
COVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptxCOVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptx
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptxBibekananda shah
 

Recently uploaded (20)

History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdf
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptx
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdfPNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
 
97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA
 
SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.ppt
 
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptx
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptxSYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptx
SYNDESMOTIC INJURY- ANATOMICAL REPAIR.pptx
 
Apiculture Chapter 1. Introduction 2.ppt
Apiculture Chapter 1. Introduction 2.pptApiculture Chapter 1. Introduction 2.ppt
Apiculture Chapter 1. Introduction 2.ppt
 
Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptx
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus  for undergraduate.pptxepilepsy and status epilepticus  for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptx
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptx
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND  ITS  MANAGEMENT.pdfPULMONARY EDEMA AND  ITS  MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
 
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
The next social challenge to public health: the information environment.pptx
The next social challenge to public health:  the information environment.pptxThe next social challenge to public health:  the information environment.pptx
The next social challenge to public health: the information environment.pptx
 
Report Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxReport Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptx
 
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptx
COVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptxCOVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptx
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptx
 

Regulations And Standards For DR

  • 1. Regulations and Standards for Business Resiliency Security, DR, and BC Key USA-specific and International examples 4/21/2010 1 © 2010 TPComps LLC
  • 2. Sources and Notes Difference between Regulations and Standards Regulations Review Standards Review Agenda 4/21/2010 2 © 2010 TPComps LLC
  • 3. Information based on DRJ’s 2010 Rules and Regulations matrix Internet research Only Regulations and Standards applicable across most industry categories is included here Industry categories covered: Banking and Finance Public Health & Healthcare Transportation & Shipping Energy Industry Agriculture, Food Supply & Water Information Distribution & Communications Government & Public Agencies * Sources and Notes 4/21/2010 3 © 2010 TPComps LLC * Indicates a non-applicable regulation or standard
  • 4. Regulation vs. Standard Regulation Standard a: an authoritative rule dealing with details or procedure b: a rule or order issued by an executive authority or regulatory agency of a government and having the force of law Enforceable with potential penalties for noncompliance Tells you what you have to do but not how to do it, generally a: something established by authority, custom, or general consent as a model or example b: something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality General guideline or framework Tells you how to do what you have to do, generally 4/21/2010 4 © 2010 TPComps LLC
  • 5. Regulations Common USA or International laws having some component address issues of BR 4/21/2010 5 © 2010 TPComps LLC
  • 6. USA - Occupational Safety and Health Administration Effective date: 1970 and various dates since Disaster Preparedness is addressed in 29 CFR 1910.38 subpart E OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP). For businesses with 10 or less, a written plan is not mandated but recommended. Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization http://www.osha.gov/SLTC/emergencypreparedness/index.html OSHA - Occupational Safety and Health Administration * 4/21/2010 6 © 2010 TPComps LLC
  • 7. USA – Department of Justice Effective date: 1974 and dates since Requires management to safeguard and to keep the information accurate and current to protect the individual. Damage awards start at $1,000 in addition to “the costs of the action together with reasonable attorney fees as determined by the court” Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization http://www.justice.gov/opcl/privstat.htm Privacy Act of 1974 (5 U.S.C.§552a) * 4/21/2010 7 © 2010 TPComps LLC
  • 8. International - Common Law - Negligence Liability Effective date: September 2, 1974 and dates since U.S. Code Title 29, Chapter 18, subchapter I, subtitle B, part 4, § 1104 As per the Uniform Commercial Code, legal standard used to determine whether appropriate action was taken in a particular situation. Directors, senior management, officers and agents, when working for an organization, are considered to be in a position of fiduciary responsibility Uniform Commercial Code: Any company, regardless of its industry, is expected to exercise due-care to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners., Due-Care can be compared to the "prudent man" concept. A prudent man is seen as responsible, careful, cautious, and practical. A company practicing due-care is seen in the same light by State and Federal Courts. Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization http://www.law.cornell.edu/uscode/html/uscode29/usc_sec_29_00001104----000-.html Prudent Man Concept * 4/21/2010 8 © 2010 TPComps LLC
  • 9. USA - US Dept of Justice Effective date: December 1977 Policy states that Directors and Officers can be held liable for “failure to enact standards of care” and should they fail to document their assessment processing determining not to develop a contingency plan. Civil penalties can range from $5,000 to $100,000 for individuals and from $50,000 to $500,000 for business entities Criminal sanctions may be imposed against anyone who knowingly violates the statute: up to $2-million in fines for businesses and up to $100,00 for others with 5 years imprisonment Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization http://www.justice.gov/criminal/fraud/fcpa/docs/fcpa-english.pdf Foreign Corrupt Practices Act of 1977 and Public Law 95-213 Section 13(b)(2) * 4/21/2010 9 © 2010 TPComps LLC
  • 10. USA - Government Accountability Office Effective date: multiple dates Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services Will apply to all organizations providing suppliers or services to GAO or Federal Agencies Enforced (E) Most frequently enforced for compliance purposes http://www.gao.gov GAO Supplier Requirements 4/21/2010 10 © 2010 TPComps LLC
  • 11. USA - Federal Communications Commission Effective date: April 1996 The act was intended to promote competition in the telecommunications industry. Section 256 gives the FCC the right to oversee that telecommunications networks “seamlessly and transparently transmit and receive information between and across telecommunications networks.” The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry. (www.nric.org) Enforced (E) Most frequently enforced for compliance purposes www.fcc.gov/telecom.html Telecommunications Act of 1996, an Amendment of the FCC Telecommunications Act of 1934 4/21/2010 11 © 2010 TPComps LLC
  • 12. USA - Internal Revenue Service Effective date: January 1998 Legal requirements for computer records containing tax information. Requires off-site protection and documentation of computer records maintaining tax information Invocation @ Incident (I) Likely to be invoked or brought to bear as a result of an “incident” occurring involving your organization http://www.uiowa.edu/~fusrmp/irsruling98-25.html IRS Procedure 98-25(Supersedes IRS Procedure 91-59 and 86-19) * 4/21/2010 12 © 2010 TPComps LLC
  • 13. USA – Securities and Exchange Commission Effective date: March 1999 Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government Subpart 32.1104 Enforced (E) Most frequently enforced for compliance purposes http://www.fms.treas.gov/eft/regulations/fareft.txt Federal Acquisition Regulation; Electronic Funds Transfer Final Rule * 4/21/2010 13 © 2010 TPComps LLC
  • 14. USA - FTC (Federal Trade Commission) Effective date: 2001, et al. Makes it a federal offense to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen; or to produce, buy, sell, transfer or process equipment used to produce such fraudulent access devices. Section 1030(e) speaks of data and storage Enforced (E) Most frequently enforced for compliance purposes http://www.panix.com/~eck/computer-fraud-act.html Computer Fraud and Abuse Act * 4/21/2010 14 © 2010 TPComps LLC
  • 15. USA – Department of Homeland Security Effective date: October 2001 The act includes requirements for records retention for compliance with section 326 on Customer Identification Programs. Imposes stiff prison terms for those who violate computer security or use computers in criminal or terrorist acts Enforced (E) Most frequently enforced for compliance purposes http://www.epic.org/privacy/terrorism/hr3162.html USA Patriot Act of 2001:(P.L. 107-56 2001 HR 3162) * 4/21/2010 15 © 2010 TPComps LLC
  • 16. USA - Public Company Accounting Oversight Board Effective date: January 2002 Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls Potential for data loss (ability to identify and rebuild lost transactions and source documentation) Vital records creation and maintenance Non-complying organizations may receive qualified opinions on their internal controls from their external auditors. Enforced (E) Most frequently enforced for compliance purposes http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf Sarbanes-Oxley Act of 2002: (P.L. 107-204 2002 HR 3763) - Section 404 4/21/2010 16 © 2010 TPComps LLC
  • 17. USA - Public Company Accounting Oversight Board Effective date: January 2002 Issuers must disclose information on material changes in financial condition on a regular basis Areas assessed include: Potential for data loss (ability to identify and rebuild lost transactions and source documentation) Vital records creation If IT processing disruption results in lost data, officers and external auditors may not be able to sign off on quarterly or annual SOX disclosure and internal control operating effectiveness certifications/opinion. Enforced (E) Most frequently enforced for compliance purposes http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf Sarbanes-Oxley Act of 2002: Section 409 4/21/2010 17 © 2010 TPComps LLC
  • 18. USA – Federal Trade Commission Effective date: December 2002 Details requirements to Assess Risk Determine levels of security necessary to protect such information Periodically test and evaluate information security controls and techniques Develop plans and procedures to ensure continuity of operations May apply to organizations and institutions communicating with, performing work for, on behalf of a federal agency H.R. 2548-48, Title III, sec 301 Enforced (E) Most frequently enforced for compliance purposes http://csrc.nist.gov/drivers/documents/FISMA-final.pdf FISMA: Federal Information Security Management Act * 4/21/2010 18 © 2010 TPComps LLC
  • 19. USA –American National Standards Institute / Association of Records Managers and Administrators Effective date: March 2003 Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster, since they document an organization's legal and financial position and preserve the rights of employees, customers and stockholders. Specific procedures addressed include: vital records analysis and selection, records protection methods, and the overall administration of a vital records program. Enforced (E) Most frequently enforced for compliance purposes http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2FARMA+5-2003 ANSI/ARMA 5-2003 Vital Records Programs 4/21/2010 19 © 2010 TPComps LLC
  • 20. USA - Government Accountability Office Effective date: April 2003 Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures and Applications and data Criticality Analysis. Includes specific BCM points Applies to any organization Section 1177 establishes penalties for any person that knowingly uses, obtains, or discloses individually identifiable health information in violation of the part. The penalties include: Fines from <$50,000 to <$250,000 and/or imprisonment of <1 to <10 years, depending on the offense Watch List (W) Participating members should be looking for the presence of this item within the coming months/years http://www.nchica.org/HIPAAResources/Security/rule.htm HIPAA (Health Insurance Portability and Accountability Act). Security and Contingency Plans 164.308(a) 4/21/2010 20 © 2010 TPComps LLC
  • 21. USA - State of California Effective date: July 2003 44 other states have similar laws, including Ohio Bill requires all agencies, persons, or businesses that conduct business in California that owns or licenses computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data. Enforced (E) Most frequently enforced for compliance purposes http://www.legalarchiver.org/sb1386.htm California SB 1386 - Security of Non-Encrypted Customer Information * 4/21/2010 21 © 2010 TPComps LLC
  • 22. USA - Code of Federal Regulations Effective date: September 2006 Continuity of operations for Critical Infrastructure Disclosure of critical information to the government Watch List (W) Participating members should be looking for the presence of this item within the coming months/years http://ecfr.gpoaccess.gov 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information 4/21/2010 22 © 2010 TPComps LLC
  • 23. USA – Department of Homeland Security (DHS) Effective date: February 2008 Acknowledges that government operations / services “cannot be performed without the robust involvement of [Non-Federal Governments] and the private sector.” FCD 1 provides direction for the development of continuity plans and programs for the Federal Executive branch. FCD 2 provides additional guidance for the Departments and Agencies in identifying their Mission Essential Functions (MEFs) and potential P/MEFs along with direction for Departments and Agencies conducting Business Process Analysis (BPAs), and Business Impact Analysis (BIAs). Watch List (W) Participating members should be looking for the presence of this item within the coming months/years http://www.fema.gov/news/newsrelease.fema?id=45287 Federal Continuity Directives (FCD) 1 & 2 4/21/2010 23 © 2010 TPComps LLC
  • 24. USA - Federal Financial Institutions Examination Council Effective date: March 2008 Emphasizes that Business Continuity planning is about maintaining, resuming and recovering the whole Business planning should occur for a BCP BIAs and RAs are encouraged as the foundation of an effective BCP Testing is needed Ineffective or incomplete BCPs may lead to qualified examination reports and loss of trust by regulators and financial markets Enforced (E) Most frequently enforced for compliance purposes http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bcp_00.html FFIEC BCP Handbook: Business Continuity Planning “IT Examination Handbook” * 4/21/2010 24 © 2010 TPComps LLC
  • 25. USA – Securities and Exchange Commission Effective date: October 13, 2009 – latest amendments Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources.  A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements. Enforced (E) Most frequently enforced for compliance purposes http://www.sec.gov/about/laws/sea34.pdf http://www.sec.gov/about/laws.shtml#secexact1934 Securities and Exchange Act of 1934:(15 U.S.C.A78A) Rule 17a-4 * 4/21/2010 25 © 2010 TPComps LLC
  • 26. USA – Securities and Exchange Commission: Securities and Exchange Act of 1934, Sections 32(a) and (b) *
    Effective date: October 13, 2009 (latest amendments)
    - Policy addresses criminal liability of Directors and Officers for failure to:
      - Protect computerized information
      - Document the process used to assess risks of information loss
      - Exercise “duty of care”
    - Burden of proof lies with the Directors and Officers.
    - Potential fines include personal fines up to $5,000,000 and/or imprisonment up to 20 years, and corporate fines up to $25,000,000.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://www.law.uc.edu/CCL/34Act/sec32.html
  • 27. USA – Federal Emergency Management Agency (FEMA): Private Sector Preparedness Accreditation and Certification Program (PS-Prep), Title IX of US Public Law 110-53
    Effective date: August 2009; signed into law on August 3, 2007
    - Designed to encourage private businesses to develop their resiliency plans.
    - Establishes a common set of criteria for private sector preparedness, including disaster management, emergency management and business continuity programs.
    - The goal of this voluntary program is to enhance nationwide resilience in an all-hazards environment by improving private sector preparedness.
    Ambiguous (A): Further clarification regarding strong ties with Business Continuity needs to happen.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.fema.gov/news/newsrelease.fema?id=45287
  • 28. Standards
    Common USA or International criteria having some component addressing issues of DR / BC
  • 29. USA – Federal Emergency Management Agency: FEMA 141, Disaster Planning Guide for Business and Industry
    Effective date: October 1993
    - Designed to provide guidance for business and industry officials to plan for, respond to, and recover from disasters.
    - A step-by-step approach to emergency planning, response and recovery for companies of all sizes.
    - Includes information on specific hazards.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.fema.gov/pdf/business/guide/bizindst.pdf
    http://www.fema.gov/business
  • 30. USA – The Business Roundtable: Terrorism: Real Threats, Real Costs, Joint Solutions
    Effective date: June 2003
    - The Roundtable examines the unique nature of the terrorist threat, as well as the strengths and weaknesses of both government and business in addressing that threat.
    - Recommends various tools and procedures for government to use when regulating, and outlines the difficulty of allocating the costs of security.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.abanet.org/adminlaw/conference/2003/NewFrontier/Newfrontierprogram.html
  • 31. USA – Financial Services Sector Coordinating Council for Critical Infrastructure Protection: Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector
    Effective date: May 2004
    - Ensuring the resiliency of the nation to minimize the damage from, and expedite the recovery from, attacks that do occur.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    https://www.fsscc.org/fsscc/reports/2006/Bank_Finance_SSP_061213.pdf
    http://digital.library.unt.edu/govdocs/crs/permalink/meta-crs-7844:1
    http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf
  • 32. USA – Committee of Sponsoring Organizations of the Treadway Commission: COSO Enterprise Risk Management Framework *
    Effective date: September 2004
    - Defines essential enterprise risk management (ERM) components.
    - Discusses key ERM principles and concepts.
    - Suggests a common ERM language.
    - Provides clear direction and guidance for enterprise risk management.
    - Cross compatibility with SOX and other legislation.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
  • 33. USA – National Fire Protection Association: NFPA 232, Standard on Protection of Records
    Effective date: August 2006
    - Standards for protection of business records, archives and records centers.
    - Addresses record types with storage requirements: Vital, Important, Archival, Permanent, Active, Inactive, and Unscheduled.
    - Addresses salvage and post-incident procedures.
    - Cross compatibility with ANSI/ARMA 5 and UL 72 & 155.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=232
  • 34. USA – IT Governance Institute Standards: CobiT (Control Objectives for Information and related Technology) v4.1
    Effective date: May 2007
    - Generally accepted control objectives for information technology.
    - Domains (areas reviewed for compliance) include:
      - Planning and Organization
      - Acquisition and Implementation
      - Delivery and Support
      - Monitoring and Evaluation
    - Cross compatibility with ITIL v3, NIST SP 800-53, CMMI v1.2, ISO/IEC 17799:2005, PMBOK, PRINCE2, SEI CMM, and TOGAF 8.1.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/CobiT4.1_Brochure.pdf
  • 35. International – IT Infrastructure Library: ITIL v3
    Effective date: August 2007
    - Global standard in the area of service management. ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world.
    - Provides a cohesive set of best practice, drawn from the public and private sectors internationally.
    - Contains comprehensive, publicly accessible specialist documentation on the planning, provision and support of IT services.
    - Cross compatibility with BS 15000 & ISO/IEC 20000.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.ogc.gov.uk/guidance_itil.asp
  • 36. International – British Standards Institute: BS (British Standard) 25999, parts 1 and 2
    Effective date: December 2006 / November 2007
    - BS 25999-1 is a BCM code of practice; replaces PAS 56.
    - BS 25999-2 is a specification for business continuity management.
    - NOTE: The BS 25999 standard is a standard that must be purchased.
    - Follows the Plan-Do-Check-Act methodology.
    - Possible use with PS-Prep.
    - Cross compatibility with ISO 17021, NFPA 1600.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://www.w3j.com/xml
  • 37. International – ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management
    Effective date: June 2008
    - Continuation of the ISO 27000 series of standards.
    - The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management.
    - Cross compatibility with ISO/IEC 27001.
    - Revises and supersedes the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.iso27001security.com/html/27005.html
    http://www.27000.org
  • 38. USA – American Society for Industrial Security: ASIS American National Standard (SPC.1-2009), Organizational Resilience
    Effective date: March 2009
    - A comprehensive management systems approach for Organizational Resilience: Security, Preparedness, and Continuity Management Systems.
    - Includes guidance for response, mitigation, business / operational continuity, and recovery for disruptive incidents resulting from an emergency, crisis or disaster.
    - Cross compatibility with ISO 9001:2000, ISO 14001:2004, ISO/IEC 27001:2005, and the PDCA model.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf
  • 39. USA – National Fire Protection Association: NFPA 111, Standard on Stored Electrical Energy Emergency and Standby Power Systems
    Effective date: June 2009; supersedes previous edition
    - Applies to electrical feeds from UPS, generators, and external power supplies.
    - Some types of UPSs are excluded from this standard.
    - Covers installation and maintenance.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=111
  • 40. USA – National Institute of Standards and Technology: NIST SP 800-34, Contingency Planning Guide *
    Effective date: July 2002; new draft October 2009
    - Details the fundamental planning principles necessary for developing an effective contingency capability.
    - Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
    - Cross compatibility with P.L. 106-398 & 100-235, IATF, GAO.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
  • 41. USA – National Fire Protection Association: NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
    Effective date: December 2009
    - Establishes minimum criteria for disaster management for the private and public sectors in the development of a program for effective disaster mitigation, preparedness, response and recovery.
    - Cross compatibility with DRII, CSA Z1600, FEMA, NIST 800, ANSI/ARMA 5.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    http://www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa
  • 42. USA – American Institute of Certified Public Accountants: Statement on Auditing Standards (SAS) 70 audit reports *
    Effective date: October 1958 – June 2010
    - Represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes.
    - Two different types of audits: Type I and Type II.
      - Type I is a point in time.
      - Type II covers a minimum of 6 months of operations.
    - Statement on Standards for Attestation Engagements (SSAE) No. 16 will replace SAS 70 in June 2010.
    Enforced (E): Most frequently enforced for compliance purposes.
    http://www.sas70.com
  • 43. International – Disaster Recovery Institute International: DRI International, “Ten Professional Practices for Business Continuity Professionals” *
    Effective date: in current draft review
    - Professional practice letters include developing business continuity management strategies and other contingency planning.
    - Areas reviewed include:
      - Program Initiation and Management
      - Risk Evaluation and Control
      - Business Impact Analysis
      - Business Continuity Strategies
      - Emergency Response and Operations
      - Business Continuity Plans
      - Awareness and Training Programs
      - Business Continuity Plan Exercise, Audit and Maintenance
      - Crisis Communications
      - Coordination with External Agencies
    - Cross compatibility with FEMA 141, HS-1 & SM 170; NCRP 111; NFPA 99, 130; NRT-1; NUREG-0654 & -0849; ARC 33050M; and others.
    Watch List (W): Participating members should be looking for the presence of this item within the coming months/years.
    https://www.drii.org/docs/profprac_details.pdf
  • 44. Thank You: Questions, Comments, or Concerns
    Ted Kozenko, CISM, CISSP, IAM, BCMMA, QGCS
    TPComps LLC
    P. O. Box 1303, Mentor, OH 44061-1303
    phone (440) 375-0088
    fax (440) 354-2527
    Planning@TPComps.com
    http://www.tpcomps.com
    Social media: TedKozenko or TPComps; TedKozenko3
    “Life is thickly sown with thorns, and I know no other remedy than to pass quickly through them. The longer we dwell on our misfortunes, the greater their power to harm us.” – Voltaire
    Cartoon © Scott Adams