
Business continuity planning standards and guidelines

16 Aug 2006 | Digital Press, a division of Elsevier


In this excerpt from Chapter 1: Contingency and Continuity Planning of Business Continuity and Disaster Recovery for InfoSec Managers, authors John W. Rittinghouse and James F. Ransome review what regulatory issues one should address when developing a business continuity and disaster recovery plan and take an in-depth look at sector-specific requirements.

Industry-Specific Standards and Guidelines

Regulatory compliance can play a major role in motivating companies to implement thorough business continuity plans. U.S. federal government agencies with essential missions at federal, state, and local levels have always had continuity plans. The Continuity of Operations Planning (COOP) directives produced by the Office of Management and Budget (OMB) and the President of the United States outline the objectives of business continuity planning for all federal departments and agencies. Examples are as follows:

  • OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources" (published in 1993) ensures that appropriate business continuity plans are put in place for all federal general-purpose systems and major applications, which include the mission-critical applications identified under the Y2K program.
  • Presidential Decision Directive (PDD) 67, issued in October 1998, requires federal agencies to develop Continuity of Operations Plans for Essential Operations.
  • Executive Order 12656, Section 202, requires the head of each federal department and agency to ensure the continuity of essential functions in national security emergencies by providing for the safekeeping of essential resources, facilities, and records and the establishment of emergency operating capabilities.
  • Presidential Decision Directive (PDD) 63, issued in May 1998, calls for a national effort to ensure the security of the United States' critical infrastructures—the physical and cyberbased systems essential to the minimum operations of the economy and government. It sets a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003 and requires the federal government to serve as a model to the rest of the country for how infrastructure protection is to be attained.

Finance Sector Requirements

  • The Gramm-Leach-Bliley Act of 1999, Section 501(b) Financial Institutions Safeguards, requires that the agencies described in Section 505(a) establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards for the security and confidentiality of customer records and information. The compliance deadline for this legislation was July 1, 2001.
  • The Expedited Funds Availability Act, enacted by the U.S. Comptroller of the Currency (January 1, 1989), required federally chartered financial institutions to have a demonstrable business continuity plan to ensure prompt availability of funds.
  • SAS70 reports, prepared in accordance with Statement on Auditing Standards Number 70 issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 1993, review the processing of transactions by service organizations, such as electronic data processing (EDP) centers and banks. SAS70 reports must be performed by certified external auditors, who examine general computer controls, qualified service providers, participant eligibility, and claim system application controls, and review the findings with management.

Health Sector Requirements

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires health care plans, providers, and clearinghouses to adopt standardized electronic claims and payment systems. Non-compliance fines start at $100 for failure to meet a standard, but range up to $250,000 and 10 years of imprisonment for the wrongful use or disclosure of individual health information for commercial advantage, personal gain, and the like. Also, accreditation agencies, such as the Joint Commission on Accreditation of Health Care Organizations (JCAHO), inspect for compliance during their accreditation process.

Telecommunications Sector Requirements

  • The Telecommunications Act of 1996, Section 256, "Coordination for Interconnection," requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by telecommunications carriers and other providers of telecommunications service. It also permits the FCC to participate in the development of public network interconnectivity standards by appropriate industry standards-setting bodies. The act recognizes the need for disaster recovery plans, but also acknowledges that testing is often inadequate because of the rapid deployment of new technologies.


Note: Printed with permission from Digital Press, a division of Elsevier. "Business Continuity and Disaster Recovery for InfoSec Managers" by John W. Rittinghouse and James F. Ransome, PhD. Copyright 2006. For more information about this title and other similar books, please visit www.books.elsevier.com.
