DR Rules and Regulations
Note: A special thank you to DRJ's Editorial Advisory Board for their incredible efforts to identify and compile this information.

*UPDATED - OCTOBER 2011

Rules & Regulations … The Source
By Martin Myers, MBCP

If you're like me, you have kept your own list of rules and regulations pertaining to Business Continuity for years. I trade my list with fellow BC professionals for a copy of their prized list. We trade links for good sites where additional regulations may be found. This is a somewhat tedious activity, and certainly not a good way to share with the world of BC planning. Luckily, a fellow member of the DRJ EAB had the idea to start a committee to compile a list of regulations that could be shared through the DRJ to the entire BC world.
We formed a team and shared our lists and on-line resources. Each team member scoured the internet and their own list of BC contacts to glean additional rules and regulations to include in our database. After a few iterations we realized that our list will never truly be complete; as long as there are lawmakers and bureaucrats, new laws will be added. We double-checked the list we had compiled, confirmed the links, categorized them as best we could, and we are now ready to release our database to the BC world, knowing full well that our starting list will grow with your help.
The committee worked to categorize our findings in ways that will be helpful. There is a column for country, so the list may be sorted or searched in that manner. Where possible, we also indicated what industry the rule was likely to pertain to. At the bottom of our list we also share other links where a compiled list may be found.
We have cross-checked our list to be sure we have included all the items found elsewhere. We recognize that this list will always be growing as contributions are made, and those contributions are a vital part of the usefulness of the tool.
The DRJ Rules & Regulations database is intended to provide each of us a single resource where we can go to find the most complete and comprehensive list of BC-related rules and regulations. This can only be accomplished with your help. If you find a new regulation, send it to us. If you see a way to enhance this list, let us know. This list is intended to help us all and is intended to be supported by us all as well.
Acknowledgements: DRJ EAB Rules & Regulations Working Committee: Co-chairs were Martin Myers (Bank of America) and Yvonne Lewis (Canadian Imperial Bank of Commerce). Committee members included Dave Shimberg (Premier, Inc.), Deidrich Towne (Forsythe), Glen Curole (Category 5 Services), Lisa Smallwood (Comprehensive Emergency Management Professionals), Peter Laz (Forsythe), and William Greenlee (Forsythe).
Martin Myers, MS, MBCP, is a Business Continuity Manager in the Card Services division of Bank of America. He has more than 19 years of experience in developing and evaluating disaster recovery and business continuity plans including emergency preparedness and response, and crisis management for prominent domestic and international companies. His work has taken him throughout the U.S., and to Canada, Bermuda, Panama, Costa Rica, Ireland, the United Kingdom, and South Korea. Mr. Myers is currently a member of the DRJ Editorial Advisory Board and is the Vice-President of the Contingency Planning Association of the Carolinas (“CPAC”).
Comments (23)

IS Disaster Recovery Analysis Manager
This is a great list, however, it must include Federal Continuity Directives 1 & 2, released in April 2008.
Manager - Risk Analysis & Control
Ditto on the thanks! Great job and a lot of work! I hope you will periodically share updates.
Lead IT Auditor
Thanks so much for this compilation. It will prove to be very useful in my internal audit work.
Great list.
I would add that the FFIEC booklet on Business Continuity Planning was updated in March 2008. I would also add the FFIEC booklet on Outsourcing Technology Services (issued June 2004), which specifies a financial institution's responsibility to include BCP in vendor contracts.
Lead consultant-IS/BC
Thank you, Martin, for the exorbitant compilation of regulations across; very useful for every practitioner / involved
BCM Director
Thank you very much for providing this consolidation of information. You save a number of us a lot of time and work. I appreciate it and I believe I am not alone in that sentiment. I will pass it forward.
Rules & Regulations
Many thanks for producing such an excellent document. Seeing the comments here already begs the question of updated versions - is this something you will be continuing with (it's inferred but not confirmed in the document)? I did notice that BS 25999 Part 1 was still documented as PAS 56, but I imagine that it will be updated in due course.
Again, many thanks! Shaun

Business Recovery Analyst
This is a great body of work, thank you!
You may wish to include the APRA Std APS232. APRA is the Australian Prudential Regulatory Authority, which regulates all banks, insurance companies and building societies in Australia. Its website is http://www.apra.gov.au/ and the standard can be found at http://www.apra.gov.au/Policy/...gement.pdf

DR & Business Continuity Support
Excellent Document, thank you so much for telling about it in the DRJ Spring 2008 Issue.
Rules & Regulations Additions
Here are some R&R based on DHS, NIST, etc as applicable to Federal, State & Local Governments in the USA.
There are a few additional NIST Special Publications that are noteworthy for inclusion in the R&R:
> NIST SP 800-53: Recommended Security Controls for Federal Information Systems, Revision 1, dated December 2006
> NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1 Revision 1, dated November 2007
> NIST SP 800-84: Guide to Test, Train, and Exercise Programs for IT Plans and Capabilities, dated September 2006

This set has a direct relationship to Continuity of Operations & IT Contingency Planning (some previously noted in a separate comment):
> Federal Continuity Directive (FCD) 1, Federal Executive Branch National Continuity Program and Requirements, February 2008.
> Federal Continuity Directive (FCD) 2, Federal Executive Branch Mission Essential Function Identification and Submission Process, February 2008.
> National Response Framework, January 2008
> National Infrastructure Protection Plan, January 2006.
> National Strategy for Pandemic Influenza, November 1, 2005.
> National Strategy for Pandemic Influenza Implementation Plan, May 2006
> National Incident Management System (NIMS), March 1, 2004
> The National Security Act of 1947 (50 U.S.C. § 404), July 26, 1947.
> Homeland Security Act of 2002 (6 U.S.C. § 101 et seq.), November 25, 2002.
> Executive Order 12148, Federal Emergency Management, July 20, 1979, as amended.
> Executive Order 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions, April 3, 1984, as amended.
> Executive Order 12656, Assignment of Emergency Preparedness Responsibilities, November 18, 1988, as amended.
> Executive Order 13286, Establishing the Office of Homeland Security, February 28, 2003.
> National Security Presidential Directive 51/Homeland Security Presidential Directive 20, National Continuity Policy, May 9, 2007.
> Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003.
> Homeland Security Presidential Directive 8, National Preparedness, December 17, 2003.
> National Continuity Policy Implementation Plan, August 2007

R Stacey

Fantastic Job, Thank You
This spreadsheet is exactly what I needed. There is a new Federal Regulation to replace FPC65. It is called the Federal Continuity Directive 1&2. I did not see it on the list, but I may have missed it.
The Directive was published in February, 2008. I have a public copy and I will be happy to provide it. Thank you
It is great work, man; must have taken a lot of time. It is worthwhile reading your report.
Regards, Vinoth

Corporate Emergency Management Coordinator
This is a great work!!! Definitely going to be very useful and helpful to all of us in the BC/DR/ER profession. I will take my time to go through the list and revert accordingly.
Record Retention Regulations
I have been looking for information about the retention of Information Technology records within the banking and financial community. Is there a guideline or regulatory requirement for server logs, e-mail, firewall logs, etc. other than the individual company standard? After the IT privacy breaches of the past year, are there standards for investigative retentions? The FFIEC IT examiners book is silent on these IT related items. Can anyone steer me to a guideline or one that is under consideration? Is there an informal policy or recommendation for the banking industry? Thank you.
CBCP
There is a rather new Specification in Sweden
SIS-ISO/PAS 22399:2008, published 17 January 2008, Societal security - Guideline for incident preparedness and operational continuity management. ...
Thank you for a valuable compilation. Who can direct me to the specific OSHA regulation on Row 98 of the spreadsheet? I have done several searches on the website without success.
Great job
Thank you for the significant effort that went into this document. As the POC for BC planning within an international organization, this will be an additional tool in bolstering support for our program, and will help me stay on top of our regulatory requirements in this arena.
By the way, OCC 99-09 (Infrastructure Threats from Cyber-Threats) has been rescinded and replaced by the FFIEC Information Security booklet. All the information I have at this time.