A special thank you to SunGard Planning Solutions; many of the entries in this list originally came from their Knowledge Net.

We have tried to locate the numerous regulations that now require organizations to plan for Business Continuity and Disaster Recovery. The list will hopefully be a growing work-in-progress, so if you know of any further laws or regulations please let us know and we'll add them to the list.


All Industries

  • Sarbanes-Oxley Act - Pertains to all publicly held organizations
  • Foreign Corrupt Practices Act - http://www.usdoj.gov/criminal/fraud/fcpa/
  • Consumer Credit Protection Act (CCPA) section 2001 Title IX
  • IRS Procedure 86-19 requires off-site protection, as well as
    documentation of computer records maintaining tax information. These records must be available
    in the event that the primary facility is not. - Unable to locate online

Financial

Healthcare

Electric Industry

  • Presidential Decision Directive 63
    Addressing the vulnerabilities of interdependent and cyber-supported infrastructures to equipment failures, human error, weather and other natural causes requires evolutionary approaches that span both the public and private sectors and protect both domestic and international security. HSPD-7, Section C, encourages risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.
  • Presidential Decision Directive 13010
    National infrastructures to develop a strategy for protecting and assuring continued operation.
  • North American Electric Reliability Council (NERC) – Urgent Action Standard 1216
    The entity performing the reliability authority function shall create action plans and procedures to recover, and each responsible entity shall exercise these plans at least annually. Additional standards recommend “best practices” for the electricity infrastructure in the area of “Continuity of Business Processes” for facilities and functions considered critical.
  • North American Electric Reliability Council (NERC) P6T3
    Interim provisions must be included if it is expected to take in excess of one hour to implement the loss of Primary Control Facility contingency plan.
    The contingency plan must meet the following requirements:
    • The contingency plan shall not rely on data or voice communication from the primary control facility to be viable.
    • The plan shall include procedures and responsibilities for providing basic tie line control, and procedures and responsibilities for maintaining the status of all inter-area schedules such that there is an hourly accounting of all schedules.
    • The contingency plan must address monitoring and control of critical transmission facilities, generation control, voltage control, time and frequency control, control of critical substation devices, and logging of significant power system events. The plan shall list the critical facilities.
    • The plan shall include procedures and responsibilities for maintaining basic voice communication capabilities with other control areas.
    • The plan shall include procedures and responsibilities for conducting periodic tests, at least annually, to ensure viability of the plan.
    • The plan shall include procedures and responsibilities for providing annual training to ensure that Shift Operating personnel are able to implement the contingency plans.
    • The plan shall be reviewed and updated annually.
  • FTC – Federal Information Security Management Act 2003, 16 CFR 314
    Requires developed policies and procedures that address various security issues, such as password management, incident response reporting, remote access, certification and accreditation, and Disaster Recovery Planning (DRP).
  • DOT-OPS – Hazardous Materials – 49 CFR 172

Telecom

  • TL9000 Section 7.1.C.3, Disaster Recovery, says:
    • "The organization shall establish and maintain methods for disaster recovery to ensure the organization's ability to recreate and service the product throughout its life cycle."
      This section of TL9000 references ISO/IEC 12207.

Manufacturing

Government


Copyright (c) - Systems Support Inc. All rights reserved.

Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.