Business continuity planning standards and guidelines

16 Aug 2006 | Digital Press, a division of Elsevier

Business Continuity and Disaster Recovery for InfoSec Managers

John W. Rittinghouse, James F. Ransome

408 pages; $54.95

Digital Press, a division of Elsevier

In this excerpt from Chapter 1: Contingency and Continuity Planning of Business Continuity and Disaster Recovery for InfoSec Managers, authors John W. Rittinghouse and James F. Ransome review what regulatory issues one should address when developing a business continuity and disaster recovery plan and take an in-depth look at sector-specific requirements.
Industry-Specific Standards and Guidelines

Regulatory compliance can play a major role in motivating companies to implement thorough business continuity plans. U.S. federal government agencies with essential missions at federal, state, and local levels have always had continuity plans. The Continuity of Operations Planning (COOP) directives produced by the Office of Management and Budget (OMB) and the President of the United States outline the objectives of business continuity planning for all federal departments and agencies. Examples are as follows:

  • OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources" (published in 1993), ensures that appropriate business continuity plans are put in place for all federal general-purpose systems and major applications, including the mission-critical applications identified under the Y2K program.
  • Presidential Decision Directive (PDD) 67, issued in October 1998, requires federal agencies to develop Continuity of Operations Plans for Essential Operations.
  • Executive Order 12656, Section 202, requires the head of each federal department and agency to ensure the continuity of essential functions in national security emergencies by providing for the safekeeping of essential resources, facilities, and records and for the establishment of emergency operating capabilities.
  • Presidential Decision Directive (PDD) 63, issued in May 1998, calls for a national effort to ensure the security of the United States' critical infrastructures—the physical and cyber-based systems essential to the minimum operations of the economy and government. It sets a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003 and requires the federal government to serve as a model to the rest of the country for how infrastructure protection is to be attained.

Finance Sector Requirements

  • The Gramm-Leach-Bliley Act of 1999, Section 501(b) Financial Institutions Safeguards, requires that the agencies described in Section 505(a) establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards for the security and confidentiality of customer records and information. The compliance deadline for this legislation was July 1, 2001.
  • The Expedited Funds Availability Act, enacted by the U.S. Comptroller of the Currency (January 1, 1989), required federally chartered financial institutions to have a demonstrable business continuity plan to ensure the prompt availability of funds.
  • SAS 70 reports, prepared in accordance with Statement on Auditing Standards No. 70, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 1993, review the processing of transactions by service organizations such as electronic data processing (EDP) centers and banks. SAS 70 reports must be performed by certified external auditors, who examine general computer controls, qualified service providers, participant eligibility, and claim system application controls, and review the findings with management.

Health Sector Requirements

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires health care plans, providers, and clearinghouses to adopt standardized electronic claims and payment systems. Non-compliance fines start at $100 for failure to meet a standard, but range up to $250,000 and 10 years of imprisonment for the wrongful use or disclosure of individual health information for commercial advantage, personal gain, and the like. In addition, accreditation agencies such as the Joint Commission on Accreditation of Health Care Organizations (JCAHO) inspect for compliance during their accreditation process.

Telecommunications Sector Requirements

  • The Telecommunications Act of 1996, Section 256, "Coordination for Interconnection," requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by telecommunications carriers and other providers of telecommunications service. It also permits the FCC to participate in the development of public network interconnectivity standards by appropriate industry standards-setting bodies. The act recognizes the need for disaster recovery plans, but also acknowledges that testing is often inadequate because of the rapid deployment of new technologies.

Note: Printed with permission from Digital Press, a division of Elsevier. "Business Continuity and Disaster Recovery for InfoSec Managers" by John W. Rittinghouse and James F. Ransome, PhD. Copyright 2006. For more information about this title and other similar books, please visit www.books.elsevier.com.
