on 01-02-2013 12:57 PM
Regulatory compliance is a critical factor in developing an IT Business Continuity strategy. The requirements vary across industry sectors and geographies, and not every regulation applies to every business situation, but every business should know which legislation applies to it and use that legislation as a basis for its Business Continuity strategy.
When a disaster, natural or otherwise, disrupts the normal operations of a business, Business Continuity processes kick in to keep services available. The effectiveness of a Business Continuity plan is measured by how long it takes the business to recover its critical services (Recovery Time Objective, RTO) and how much data is lost in the course of the recovery (Recovery Point Objective, RPO). Business Continuity plans typically specify RTO and RPO goals for every business-critical service. In addition to these internal business objectives, formal regulations exist across industries in all parts of the world. They can be broadly classified into two areas: (1) standards that must be met in order to become a member of an organization, and (2) regulations imposed on specific industries to create and protect national standards of uniformity.
This article is intended for Business Continuity planners and IT administrators tasked with ensuring that their business recovery strategy complies with the government and industry-specific legislation and regulations that apply to them.
This section provides an overview of IT Business Continuity regulations across specific industry verticals in the United States, followed by regulations in various other countries.
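The RTO and RPO goals described above only mean something once a recovery exercise measures what was actually achieved against them. The following Python is an added example, not code from the original article or from any Symantec product: it parses a constructed drill log (the service names, timestamps and event names are hypothetical) and checks each service's achieved RTO and RPO against the objectives in the plan. It handles two edge cases a planner has to get right: a backup completed after the disruption cannot serve as the recovery point, and a service that never came back has no finite RTO and fails the check.

```python
"""Check the achieved RTO/RPO of a recovery drill against BC plan objectives.

Added example; services, timestamps and event names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Objective:
    rto: timedelta  # maximum tolerable time to restore the service
    rpo: timedelta  # maximum tolerable data loss, expressed as time


@dataclass
class DrillResult:
    achieved_rto: Optional[timedelta]  # None if the service never came back
    achieved_rpo: Optional[timedelta]  # None if no usable recovery point exists
    rto_met: bool
    rpo_met: bool


# Objectives as a BC plan would list them (hypothetical services).
OBJECTIVES: Dict[str, Objective] = {
    "billing": Objective(rto=timedelta(hours=4), rpo=timedelta(minutes=30)),
    "crm": Objective(rto=timedelta(hours=8), rpo=timedelta(hours=1)),
    "reports": Objective(rto=timedelta(hours=24), rpo=timedelta(hours=24)),
}

# Constructed drill log: "<ISO timestamp> <service> <event>", one event per line.
DRILL_LOG = """\
2013-01-02T08:00:00 crm     backup_completed
2013-01-02T09:00:00 billing backup_completed
2013-01-02T09:10:00 reports backup_completed
2013-01-02T09:15:00 billing disruption_declared
2013-01-02T09:15:00 crm     disruption_declared
2013-01-02T09:15:00 reports disruption_declared
2013-01-02T09:30:00 billing backup_completed
2013-01-02T11:45:00 billing service_restored
2013-01-02T15:30:00 crm     service_restored
"""

Event = Tuple[datetime, str]


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group log lines by service, sorted by time."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, event = line.split()
        events[service].append((datetime.fromisoformat(ts), event))
    for evs in events.values():
        evs.sort()
    return events


def evaluate(events: Dict[str, List[Event]],
             objectives: Dict[str, Objective]) -> Dict[str, DrillResult]:
    """Compare achieved RTO/RPO per service with the plan's objectives."""
    results: Dict[str, DrillResult] = {}
    for service, obj in objectives.items():
        evs = events.get(service, [])
        disruption = next((t for t, e in evs if e == "disruption_declared"), None)
        if disruption is None:
            continue  # service was not part of the drill
        # First restore after the disruption; None means it never came back.
        restored = next((t for t, e in evs
                         if e == "service_restored" and t >= disruption), None)
        # Last recovery point taken before the disruption. A backup finished
        # afterwards cannot contain the data that was lost, so it is ignored.
        last_backup = max((t for t, e in evs
                           if e == "backup_completed" and t <= disruption), default=None)
        rto = restored - disruption if restored is not None else None
        rpo = disruption - last_backup if last_backup is not None else None
        results[service] = DrillResult(
            achieved_rto=rto,
            achieved_rpo=rpo,
            rto_met=rto is not None and rto <= obj.rto,
            rpo_met=rpo is not None and rpo <= obj.rpo,
        )
    return results


def failures(results: Dict[str, DrillResult]) -> List[str]:
    """Services that missed at least one objective."""
    return sorted(s for s, r in results.items() if not (r.rto_met and r.rpo_met))


if __name__ == "__main__":
    res = evaluate(parse_log(DRILL_LOG), OBJECTIVES)
    for service, r in sorted(res.items()):
        print(f"{service:8} RTO={r.achieved_rto} ({'ok' if r.rto_met else 'MISSED'})  "
              f"RPO={r.achieved_rpo} ({'ok' if r.rpo_met else 'MISSED'})")
    print("failures:", failures(res))
```

In the constructed log, billing meets both objectives, crm restores in time but its last usable recovery point is 75 minutes old against a 60-minute RPO, and reports has a good recovery point but never restores, so its RTO is unbounded. The same comparison is what an auditor under the regulations tabulated below expects to see as evidence that the plan was tested, not just written.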
Business Continuity Regulations: USA – All Industries

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
Sarbanes-Oxley Act, 2002 | Holds corporate officers accountable for internal controls over financial reporting, which includes the continuity of the systems and records behind it | Relevant for publicly held companies in the U.S.
IRS Revenue Procedure 86-19 | Requires off-site protection and documentation of computer records of tax information | Records must be available in the event that the primary facility suffers an unplanned outage
Consumer Credit Protection Act (CCPA), Title IX (Electronic Fund Transfer Act), Section 2001 | Due diligence for availability of data in Electronic Funds Transfers, including Point of Sale |
Foreign Corrupt Practices Act, 1977 | Publicly held corporations must provide "reasonable protection" for IT systems | Holds management accountable
Business Continuity Regulations: USA – Healthcare

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
Health Insurance Portability and Accountability Act (HIPAA) of 1996 | The Security Rule's contingency plan standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan | In practice this means additional budget, new job descriptions, and additional staff and infrastructure
FDA Code of Federal Regulations (CFR) Title 21 Part 11, 1997 | Establishes the requirements for electronic records and electronic signatures | Relying on electronic records may require organizations to update BC measures to ensure that the information stays available
Business Continuity Regulations: USA – Government

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
Federal Information Security Management Act (FISMA), 2002 | Requires electronic data to be available during a crisis | The emphasis of FISMA is on information security; it also makes NIST standards and guidance applicable to federal agencies
Continuity of Operations (COOP) and Continuity of Government (COG): Federal Preparedness Circular | Establishes minimum planning considerations for federal government operations | BCP maintained at a high level of readiness; operational no more than 12 hours after activation
NIST SP 800-53, Recommended Security Controls for Federal Information Systems, 2005 | Mandatory security controls; the Contingency Planning (CP) control family sets specific requirements for continuity planning and testing | Specific details on policy and procedures, plans, training, testing, and updating
FEMA FRPG 01-94 | All department heads must plan for continuity of operations | Written BC documents must be maintained and kept current
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, 2002 | Guidance for keeping electronic data available during a crisis; describes BC/DR and Continuity of Operations (COOP) plans | Guidance rather than a regulation in its own right, but federal agencies are expected to follow it under FISMA; Revision 1 was published in 2010
Business Continuity Regulations: USA – Finance

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
Federal Financial Institutions Examination Council (FFIEC), Business Continuity Planning Handbook, 2003-2004 | Specifies that the Board of Directors is responsible for ensuring that a comprehensive BC plan has been implemented | Covers institutions regulated by the FDIC, FRB and Treasury Department
Basel II, Basel Committee on Banking Supervision, 2003 | Requires banks to put BC and DR plans in place to ensure continuous operation and to limit losses | Best practice standard, 2007
Expedited Funds Availability (EFA) Act, 1987 | Federally chartered financial institutions must have demonstrable BC plans | To ensure prompt availability of funds
GAO/IMTEC-91-56, Financial Markets: Computer Security Controls | Outlines the need for risk assessments, data backup procedures, Business Continuity operations, and security of U.S. stock exchanges | Guidelines for stock markets
Business Continuity Regulations: USA – Utilities

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
North American Electric Reliability Council (NERC) P6T3 | Interim provisions if the BC/DR plan is expected to take more than 1 hour to implement | Details on BC/DR plans for communications, monitoring utilities, training and testing
Governmental Accounting Standards Board (GASB), 1999 | Requires a BCP to ensure that the agency mission continues in time of crisis | Applies to all government entities that operate utilities
Federal Energy Regulatory Commission (FERC), 2003 | Mandates recovery plans | Does not apply to Rural Utilities Service (RUS) borrowers and limited distribution co-ops
NERC Urgent Action Standard 1216 | DR plans and procedures must be in place | BC plans only for facilities considered "critical"
Executive Order 13010, Critical Infrastructure Protection, 1996 | BC/DR plans required for all national infrastructures | Often cited as a Presidential Decision Directive; 13010 is the Executive Order that defined the national critical infrastructures
Business Continuity Regulations: USA – Manufacturing

Laws & Regulations | Impact on Business Continuity plan (BCP) | Comments
ISO 9000 qualifications | Requires incident preparedness, BC/DR plans, testing and assurances | Operational continuity management
Business Continuity Regulations: Australia

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
Protective Security Policy Framework (PSPF), June 2010 | Applies to all Australian Government agencies and mandates BCM for all of them | Australian Government
Prudential Standard APS 232 Business Continuity Management | APRA regulation for BCM in Authorised Deposit-taking Institutions | Australian Prudential Regulation Authority (APRA)
AS/NZS 5050:2010 Business continuity - Managing disruption-related risk | Describes the application of the risk management principles, framework and process to disruption-related risk | Standards Australia
HB 221:2004 Business Continuity Management Handbook | Process for business continuity management, with a workbook to assist organizations in implementation | Standards Australia
Business Continuity Regulations: Brazil

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
NBR 15999-1 Gestão de continuidade de negócios - Parte 1: Código de prática (Business continuity management - Part 1: Code of practice) | Brazilian Portuguese translation of the British standard BS 25999-1 Business continuity management. Code of practice | ABNT (Associação Brasileira de Normas Técnicas)
NC nº 06/IN01/DSIC/GSIPR – Gestão de Continuidade de Negócios (Business Continuity Management) | Establishes guidelines for BCM in the bodies and entities of the Federal Public Administration | Institutional Security Cabinet (GSI/PR), Information Security and Communications Department (DSIC)
Business Continuity Regulations: Canada

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
IDA (Investment Dealers Association of Canada) By-Law 17.19 – Business Continuity Plan Requirement | Establish and maintain a business continuity plan so that the member can stay in business in the event of a significant business disruption | OSC (Ontario Securities Commission)
CSA Z1600-08 | Canadian standard for integrating business continuity and emergency management programs | CSA (Canadian Standards Association)
Government of Saskatchewan Business Continuity Guide | Business continuity guidelines | Government of Saskatchewan
Business Continuity Regulations: Hong Kong

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
Supervisory Policy Manual TM-G-2, Business Continuity Planning (V1, 02.12.02) | Sets out the HKMA's supervisory policies and practices for satisfying the requirements of the Banking Ordinance; requires documented BC plans, tested at least annually | Hong Kong Monetary Authority (HKMA)
Business Continuity Regulations: India

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
BCP requirements of the Indian financial regulators and exchanges | Enforced through audit; require documented BC plans, tested at least annually | Reserve Bank of India (RBI); Securities & Exchange Board of India (SEBI); National Stock Exchange (NSE); Bombay Stock Exchange (BSE)
Good practice: BPO (Business Process Outsourcers) | In IT/BPO organizations, BCM is driven by internal business requirements and often by global customer-specific requirements |
Business Continuity Regulations: Japan

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
Business Continuity at the Bank of Japan | Assures a consistent approach to operational continuity | Bank of Japan (BOJ)
Manual for the Development of Contingency Plans in Financial Institutions (Japan FSA / FISC) | Regular review of the plan; corporate-wide testing at least annually | FISC (The Center for Financial Industry Information Systems)
Business Continuity Regulations: Singapore

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
MAS Business Continuity Management Guidelines | Test the BC plan regularly, completely and meaningfully; develop recovery strategies | Monetary Authority of Singapore (MAS)
SGX Member Rules | Rules requiring SGX member firms to develop robust Business Continuity Management (BCM) arrangements | Singapore Exchange Limited (SGX)
SS 507:2004 | Standard for business continuity/disaster recovery service providers | SPRING Singapore (Standards, Productivity and Innovation Board)
Business Continuity Regulations: UK

Regulation / Standard | Impact on Business Continuity plan (BCP) | Authority
Business Continuity Practice Guide, 2006 | Guidance on BC management requirements for regulated firms | UK Tripartite Authorities: Financial Services Authority (FSA), HM Treasury, Bank of England
BS 25999-2:2007 Specification for Business Continuity Management | Specifies requirements for setting up and managing an effective business continuity management system | British Standards Institution (BSI); superseded by ISO 22301:2012
Testing a recovery plan end to end usually means disrupting the production service, which is why many plans are written but never fully exercised. Veritas Cluster Server from Symantec lets the readiness of business-critical applications be tested against Business Continuity needs without any application downtime: the Veritas Cluster Server Fire Drill feature, in conjunction with Veritas Operations Manager, simulates a disaster and exercises the complete recovery plan with no impact on the business-critical applications at the production data center. The measured results give IT a concrete basis for reporting the readiness of business-critical services to senior management and business owners. For more information about Symantec Veritas Cluster Server, please visit www.symantec.com/cluster-server.
Written by: Sai Mukundan, Product Management, Symantec Storage and Availability Management Group
Sources: Business Continuity Institute, Geminare Overview of US Regulations pertaining to Business Continuity, Gartner: Laws influence Business Continuity and Disaster Recovery Planning among Industries
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Excellent article!!! Many thanks indeed, Sai.