In this excerpt from Chapter 1: Contingency
and Continuity Planning of Business Continuity and Disaster Recovery for InfoSec
Managers, authors John W. Rittinghouse and James F. Ransome review what regulatory issues one
should address when developing a business continuity and disaster recovery plan and take an
in-depth look at sector-specific requirements.
Industry-Specific Standards and Guidelines
Regulatory compliance can play a
major role in motivating companies to implement thorough business continuity
plans. U.S. federal government agencies with essential missions at federal, state, and local
levels have always had continuity plans. The Continuity of Operations Planning (COOP) directives
produced by the Office of Management and Budget (OMB) and the President of the United States
outline the objectives of business continuity planning for all federal departments and agencies.
Examples are as follows:
- OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources"
(published in 1993) requires that appropriate business continuity plans be put in place for all
federal general-purpose systems and major applications, including the mission-critical
applications identified under the Y2K program.
- Presidential Decision Directive (PDD) 67, issued in October 1998, requires federal
agencies to develop Continuity of Operations Plans for Essential Operations.
- Executive Order 12656, Section 202, requires the head of each federal department and
agency to ensure the continuity of essential functions in national security emergencies by
providing for the safekeeping of essential resources, facilities, and records and the
establishment of emergency operating capabilities.
- Presidential Decision Directive (PDD) 63, issued in May 1998, calls for a national
effort to ensure the security of the United States' critical infrastructures, the physical and
cyber-based systems essential to the minimum operations of the economy and government. It sets a
goal of a reliable, interconnected, and secure information system infrastructure by the year 2003
and requires the federal government to serve as a model to the rest of the country for how
infrastructure protection is to be attained.
Finance Sector Requirements
- The Gramm-Leach-Bliley Act
of 1999, Section 501(b) Financial Institutions Safeguards, requires that the agencies described in
Section 505(a) establish appropriate standards for the financial institutions subject to their
jurisdiction relating to administrative, technical, and physical safeguards for the security and
confidentiality of customer records and information. The compliance deadline for this legislation
was July 1, 2001.
- The Expedited Funds Availability Act, enacted by the U.S. Comptroller of the Currency
(January 1, 1989), required federally chartered financial institutions to have a demonstrable
business continuity plan to ensure the prompt availability of funds.
- SAS 70 reports, prepared under Statement on Auditing Standards No. 70 issued by the
Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 1993,
review the processing of transactions by service organizations, such as electronic data processing
(EDP) centers and banks. SAS 70 reports must be performed by certified external auditors, who
examine general computer controls, qualified service providers, participant eligibility, and claim
system application controls, and who review the findings with management.
Health Sector Requirements
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires
health care plans, providers, and clearinghouses to adopt standardized electronic claims and
payment systems. Non-compliance fines start at $100 for failure to meet a standard, but range up to
$250,000 and 10 years of imprisonment for the wrongful use or disclosure of individual health
information for commercial advantage, personal gain, and the like. In addition, accreditation
agencies, such as the Joint Commission on Accreditation of Health Care Organizations (JCAHO),
inspect for compliance during their accreditation process.
Telecommunications Sector Requirements
- The Telecommunications Act of 1996, Section 256, "Coordination for Interconnection,"
requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated
network planning by telecommunications carriers and other providers of telecommunications service.
It also permits the FCC to participate in the development of public network interconnectivity
standards by appropriate industry standards-setting bodies. The act recognizes the need for
disaster recovery plans, but also acknowledges that testing is often inadequate because of the
rapid deployment of new technologies.
Note: Printed with permission from Digital Press, a division of Elsevier. "Business
Continuity and Disaster Recovery for InfoSec Managers" by John W. Rittinghouse and James F.
Ransome, PhD. Copyright 2006. For more information about this title and other similar books, please
visit www.books.elsevier.com.
16 Aug 2006