FSTC’s 2008 Annual Conference
On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators
The Financial Services Technology Consortium
Empowering the Industry Through Innovative Ideas
June 18, 2008
Voluntary Preparedness
• Al Martinez-Fonts – “TITLE IX, FACT VS. FICTION”
Department of Homeland Security
Assistant Secretary, Private Sector Office
• Matthew Deane – “THE ROLE OF STANDARDS IN TITLE IX”
Director of Homeland Security Standards
American National Standards Institute (ANSI)
• Randy Till – “TITLE IX, A PRACTITIONERS POINT OF VIEW”
Global Business Continuity Management
MasterCard, Worldwide
• David Nolan – Moderator
CEO, Fusion Risk Management, Inc
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, FACT VS. FICTION
Al Martinez-Fonts
Department of Homeland Security
Assistant Secretary, Private Sector Office
Background
• “Implementing the Recommendations of the 9/11 Commission Act of 2007”
– Public Law 110-53 signed on August 3, 2007
• Requirement to develop a National Voluntary Private Sector Preparedness Accreditation and Certification Program.
– Establish a common set of standards for private sector preparedness relating to disaster management, emergency management, and business continuity
Goal
Improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment
“…the government does not, and cannot work alone… private sector organizations play a key role before, during and after an incident.”
National Response Framework (2007)
Key Program Requirements
• Voluntary participation
• Provide method to independently certify preparedness of private sector entities
• Administered by non-government entity
• DHS designate one or more standards based on published target criteria
• Integrate/leverage existing regulatory requirements and existing efforts, if feasible
• DHS maintain and make public a listing of any public entity certified as being compliant, if that public entity consents to being listed
• Small business consideration
Draft Program Concept
[Figure: program timeline, 2008 to 2012]
• Program Phase 1: Program & Target Criteria Development
• Program Phase 2: Basic Preparedness and Enhanced Target Criteria Refinement
• Program Phase 3: Enhanced Preparedness
• Establish Accrediting Body Contract
• Basic (Current) Standards
– Level 1 (Declaration of Conformity)
– Level 2 (3rd Party Certification)
– Existing Preparedness Standards - TBD
– Existing Preparedness Programs - TBD (e.g. “Ready.Gov” and others)
• Enhanced (Future) Standards
– Level 1 (Declaration of Conformity)
– Level 2 (3rd Party Certification)
– New / Revised Preparedness Standards TBD (Incorporating CIKR / Sector Specific requirements - as required)
– New / Revised Preparedness Programs (e.g., updated / improved Ready.Gov and others)
• Target Criteria for Standards (in work)
– Standards process
– Scope and Policy
– Requirements
– Risk Assessment
– Objectives and Strategies
– Operational and Control Strategies
– Competence and Training
– Communication and Warning Strategies
– Resource Management
– Assessment and Evaluation
– Continuing Review
Engagement Plan
• Sector Coordinating Council reps and others
• Partnership for Critical Infrastructure Security
• Standards community
• International Security Managers Association
• Business Executives for National Security
• Small Business Administration and other government agencies
• FEMA National Advisory Council
– Subcommittee for Private Sector Preparedness
• Other organizations
• Public Notice of draft target criteria (Federal Register)
VOLUNTARY EMERGENCY PREPAREDNESS
THE ROLE OF STANDARDS IN TITLE IX
Matthew Deane
Director of Homeland Security Standards
American National Standards Institute (ANSI)
Key Definitions
Standard
A Standard is a Document, Not a Technical Regulation
Document [emphasis added] established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order…
ISO/IEC Guide 2
Conformity Assessment (accreditation/certification)
Any activity concerned with determining directly or indirectly that requirements are fulfilled
Relevant to requirements for products, services, systems and organizations. May be conducted by:
- a supplier (first party)
- a buyer (second party)
- an organization independent of both buyer and seller (third party)
Highlighted Text from PL 110-53 (standards)
• “The program developed and implemented under this subsection shall assess whether a private sector entity complies with voluntary preparedness standards.”
• “The term ‘voluntary preparedness standards’ means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).”
• “shall adopt one or more appropriate voluntary preparedness standards that promote preparedness, which may be tailored to address the unique nature of various sectors within the private sector”
Highlighted Text from PL 110-53 (accreditation/certification)
• “A selected entity shall manage the accreditation process and oversee the certification process in accordance with the program established under this subsection and accredit qualified third parties to carry out the certification program established under this subsection.”
• “Certification under this subsection shall be voluntary for any private sector entity.”
Selected Standards and Guidelines
Standards, Guidelines/Frameworks
NFPA 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs
- American National Standard
- Freely available at: http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
ISO/PAS 22399 - Guideline for incident preparedness and operational continuity management
- International Organization for Standardization (ISO) Publicly Available Specification (PAS)
BS 25999 – Business Continuity Management
- British Standard
- Two parts
ASIS International – Organizational Resilience: Preparedness and Continuity Management
- ASIS draft guideline document
Other National Standards
- Standards Australia, SPRING Singapore (TR 19)
CERT® Resiliency Engineering Framework
- Partnership between Carnegie Mellon and FSTC
- http://www.cert.org/resiliency_engineering/framework.html
Emergency Management Accreditation Program (EMAP) Standards
"Framework for Voluntary Preparedness"
• Alfred P. Sloan Foundation funded initiative to enable stakeholder dialogue with the U.S. DHS on the considerations and strategies relevant to the private sector preparedness certification program under Public Law 110-53
• Series of roundtables coordinated by NYU International Center for Enterprise Preparedness (InterCEP)
• Key deliverable is the Framework prepared by an interdisciplinary group consisting of representatives from:
– ASIS International
– Disaster Recovery Institute International (DRII)
– National Fire Protection Association (NFPA)
– Risk and Insurance Management Society, Inc. (RIMS)
Key Points from "Framework"
• In order for the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet their needs
• Report identifies core common elements of a preparedness program and provides a crosswalk of existing standards, guidelines and best practices
• Businesses and organizations should be afforded the flexibility to build on their existing programs
• Small businesses in particular need to tailor their preparedness and resilience strategies to their financial realities
• A major barrier to preparedness and resilience management is a lack of knowledge and tools, particularly in the case of small businesses
VOLUNTARY EMERGENCY PREPAREDNESS
TITLE IX, A PRACTITIONERS POINT OF VIEW
Randall J. Till
Global Business Continuity Management
MasterCard Worldwide
Voluntary Emergency Preparedness
Considerations:
• Demonstrates the importance of preparedness and readiness in today's business climate
– Government involvement in private sector preparedness
– Promotes the need for strong resiliency practices
– Expands preparedness and continuity planning as a required business practice for all organizations
Voluntary Emergency Preparedness
Considerations:
• Voluntary certification will help consolidate and solidify standards and practices
– Provides a measure to assess and validate business preparedness and readiness
– Builds on existing standards and proven accreditation/certification processes
– Provide flexibility to address preparedness needs of various size businesses and industry sectors
– Option for self-assessment of organizations
Voluntary Emergency Preparedness
Concerns:
• Size and complexity of certification process
– Simple enough to encourage smaller companies
– Significant enough to influence larger organizations
– Flexible enough to encourage ongoing readiness preparation following certification
• Financial Institutions are already heavily regulated
– Increases complexity and requirements for compliance
– Cost and drain on resources to achieve certification
– Voluntary certification becomes mandatory - business partners require certification
Voluntary Emergency Preparedness
Concerns (continued):
• Business Continuity lacks strong industry standards and consistent planning methodologies
– Difficult to define single body of knowledge/standards
– How to define clear standards and requirements with inconsistent planning practices
• Difficult to measure effectiveness of an organization's readiness and preparedness
– Preparedness practices are institutionalized, practiced and executable
• International certification process to address requirements for global organizations
Voluntary Emergency Preparedness
Opportunities:
• Financial industry can provide leadership and direction in defining voluntary certification processes
• Consolidation and standardization of preparedness practices and standards
– Common set of criteria for preparedness
• Drives readiness for a larger sector of the business population providing greater overall resiliency
• Provides a method to assess readiness as part of supply chain management
Voluntary Emergency Preparedness
Opportunities:
• Ability to demonstrate value-add services for the organization
• Convergence of risk management practices to address overall "operational risk management"
• Evolution of "maturity models" providing a more holistic approach for managing operational risks and resiliency
– Provides a framework for achieving certification and improving resiliency practices
– FSTC/CERT Resiliency Engineering Framework
Panel Discussion
• Al Martinez-Fonts – “Title IX, Fact vs. Fiction”
Department of Homeland Security
Assistant Secretary, Private Sector Office
• Matthew Deane – “Standards and Title IX, What you need to know”
Director of Homeland Security Standards
American National Standards Institute (ANSI)
• Randy Till – “Title IX, A Practitioners Point of View”
Global Business Continuity Management
MasterCard, Worldwide