Business continuity planning standards and guidelines

In this excerpt from Chapter 1: Contingency and Continuity Planning of Business Continuity and Disaster Recovery for InfoSec Managers, authors John W. Rittinghouse and James F. Ransome review what regulatory issues one should address when developing a business continuity and disaster recovery plan and take an in-depth look at sector-specific requirements.

Industry-Specific Standards and Guidelines

Regulatory compliance can play a major role in motivating companies to implement thorough business continuity plans. U.S. federal government agencies with essential missions at federal, state, and local levels have always had continuity plans. The Continuity of Operations Planning (COOP) directives produced by the Office of Management and Budget (OMB) and the President of the United States outline the objectives of business continuity planning for all federal departments and agencies. Examples are as follows:

• OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources" (published in 1993) ensures that appropriate business continuity plans were put in place for all federal general purpose systems and major applications, which include the mission-critical applications identified under the Y2K program.
• Presidential Decision Directive (PDD) 67, issued in October 1998, requires federal agencies to develop Continuity of Operations Plans for Essential Operations.
• Executive Order 12656 [Section 202]; requires the head of each federal department and agency to ensure the continuity of essential functions in national security emergencies by providing for safekeeping of essential resources, facilities, and records and establishment of emergency operating capabilities.
• Presidential Decision Directive (PDD) 63, issued in May 1998, calls for a national effort to ensure the security of the United States' critical infrastructures—the physical and cyberbased systems essential to the minimum operations of the economy and government. It sets a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003 and requires the federal government to serve as a model to the rest of the country for how infrastructure protection is to be attained.

Finance Sector Requirements

• The Gramm-Leach-Bliley Act of 1999, Section 501(b) Financial Institutions Safeguards, requires that the agencies described in Section 505(a) establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards for the security and confidentiality of customer records and information. The compliance deadline for this legislation was July 1, 2001.
• The Expedited Funds Availability Act, enacted by the U.S. Controller of Currency (January 1, 1989), required federally chartered financial institutions to have a demonstrable business continuity plan to ensure prompt availability of funds.
• SAS70 reports, in accord with a statement on Auditing Standards Number 70 issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 1993, review the processing of transactions by service organizations, such as electronic data processing (EDP) centers and banks. SAS70 reports must be performed by certified external auditors, who examine general computer controls, qualified service providers, participant eligibility, and claim system application controls, and review the findings with management.

Health Sector Requirements

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996, requiring health care plans, providers, and clearinghouses to adopt standardized electronic claims and payment systems. Non-compliance fines start at $100 for failure to meet a standard, but range up to $250,000 and 10 years of imprisonment for the wrongful use or disclosure of individual health information for commercial advantage, personal gain, and the like. Also, accreditation agencies, such as the Joint Commission on Accreditation of Health Care Organizations (JCAHO), inspect for compliance during their accreditation process.

Telecommunications Sector Requirements

• The Telecommunications Act of 1996, Section 256, "Coordination for Interconnection" requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by telecommunications carriers and other providers of telecommunications service. It also permits the FCC to participate in the development of public network interconnectivity standards by appropriate industry standards-setting bodies. The act recognizes the need for disaster recovery plans, but also acknowledges the existence of inadequate testing because of the rapid deployment of new technologies.

Want more from Business Continuity and Disaster Recovery for InfoSec Managers? Download the rest of Chapter 1: Contingency and Continuity Planning.

Note: Printed with permission from Digital Press, a division of Elsevier. "Business Continuity and Disaster Recovery for InfoSec Managers" by John W. Rittinghouse and James F. Ransome, PhD. Copyright 2006. For more information about this title and other similar books, please visit www.books.elsevier.com.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise Data Storage Safend expands data leakage prevention product to plug more gaps TrueCrypt: How to get started with open source disk encryption Report: Firms avoid encrypting backup tapes, databases Encryption tips: How to secure a laptop The real reason behind backup recovery disk failures Infosec pros wake up to Excel spreadsheet security risks How to enforce an enterprise data leak prevention policy 3ami allows employers to track use of USB storage devices How to create a data classification policy EMC adds configuration management with Configuresoft acquisition Data Breach Incident Management and Recovery Make PCI DSS compliance easier by reducing scope, outsourcing data Full disk encryption: Safer and easier than file and folder encryption PCI DSS requirements: Get ready for stricter enforcement, fines Data breach costs continue to rise in 2009, Ponemon study finds Data Protection Act breach could cost companies 500,000 pounds Jericho Forum to provide customers with good security questions to ask Verizon report goes deep inside data breach investigations Insider threat detection still a challenge for employers Layoffs prompt insider threat fears, cybersecurity survey finds ArcSight boosts system log management capabilities Information Security Risk Assessment: Methodology and Analysis Improving software with the Building Security in Maturity Model (BSIMM) Encryption basics: How asymmetric and symmetric encryption works Getting the most out of the gap analysis process Jericho Forum to provide customers with good security questions to ask A guide to internal and external network security auditing Insider threat detection still a challenge for employers Get more out of your security event log data Secure cloud computing: a contradiction in terms? Report: U.K. lags in information security management practices Aligning network security with business priorities

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary