Business Continuity Forum Support guidance 25999 standards
The US Commodity Futures Trading Commission (CFTC) is proposing to introduce new regulations affecting Business Continuity and Disaster Recovery, based on an expected standard for Designated Contract Markets (DCMs) and the associated Derivatives Clearing Organisations (DCOs). The CFTC has recommended that rule changes be put in place requiring both DCMs and DCOs to harden measures that aim to prevent wide-scale disruption to commodity trading arising from an event.
BSI British Standard BS 25777 for Information and Communications Technology continuity management.
Following on from the development of BS 25999, BSI has announced a complementary standard aimed at detailing good practice at the ICT level: BS 25777 for ICT Continuity.
ICT continuity management, a key part of the overall business continuity management (BCM) process of an organisation, ensures that ICT services are resilient and, in the event of a disaster, can be recovered within timescales agreed with senior management.
Taking Decisions about Evacuation during a Chemical Incident
From a Business Continuity or Emergency Planning perspective is it better to evacuate people in the vicinity of a serious chemical fire or should they remain where they are?
A study* comparing the health outcomes in sheltered and evacuated populations after a chemical fire suggests that there are health advantages in people sheltering rather than evacuating. The study is published in the BMJ and was based on a real incident in 1999. It involved collaboration between public health staff at a local health authority and national health experts (now at Bristol University and the Health Protection Agency).
In a recent interesting piece by Dr Eric Schmidt of TDS Inc., he explores some of the background of the Sarbanes-Oxley Act and looks at the implications it has for the organisations affected, and specifically the impact on Business Continuity practitioners. He argues persuasively that regulatory initiatives and world events are driving the convergence of business continuity, security and information management under the umbrella of enterprise risk management, sometimes referred to as global assurance.
Part 1 of the Civil Contingencies Act 2004 – and supporting Regulations and statutory guidance – establishes a new legislative framework for civil protection in the United Kingdom. The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 were laid before Parliament on Wednesday 27 July, and the final version of the statutory guidance document Emergency Preparedness was published on Thursday 28 July.
Information could have been used to clone credit cards
Police are investigating reports that an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter.
The Sun claims one of its journalists bought the personal details from an IT worker in Delhi for £4.25 each.
They included account holders' secret passwords, addresses, phone numbers and passport details, it reports.
City of London Police has begun an investigation after being handed a dossier by the newspaper.
The centre worker reportedly told the Sun he could sell up to 200,000 account details each month.
Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.
The information passed on could have been used to raid the accounts of victims or to clone credit cards.
'Reflect on decision'
More than one bank is thought to be involved in the fraud.
A police spokeswoman said officers were not yet aware of "the breadth of what we are going to be investigating".
"While the allegations made in the dossier are very serious, City of London Police would like to remind people that incidents of this kind are still relatively rare," she said.
The Amicus union said it had warned of the "data protection implications" of offshoring financial services.
"Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence," senior finance officer Dave Fleming said.
Continuity Forum Comment
In the past few months we have seen an increased media focus on the security of electronic banking systems, with both TV and print news sources citing alarming lapses in the procedures followed.
While technology can go a long way towards securing information, for many organisations the unresolved issue remains the 'insider'.
Whilst a lot of time and money is spent combating external security threats, it appears that there is still some way to go to protect the organisation and its stakeholders from the actions of someone on the 'inside'. Whatever the motivation, greed or revenge, the threat posed can be far greater, both in financial terms and in damage to the reputation of the organisation, than that from an external attacker.
To help you consider the risks to your organisation, we have listed below some of the common characteristics of the 'insider':
The majority of the insiders were former employees.
• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or currently employed full-time in a technical position within the organization.
• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.
• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.
Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.
• The insiders ranged in age from 17 to 60 years (mean age = 32 years) and represented a variety of racial and ethnic backgrounds.
• Ninety-six percent of the insiders were male.
• Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced.
• Thirty percent of the insiders had been arrested previously, including arrests for violent offences (18%), alcohol or drug related offences (11%), and nonfinancial/fraud related theft offences (11%).
The incidents affected organizations in the following critical infrastructure sectors:
• banking and finance (8%)
• continuity of government (16%)
• defence industrial base (2%)
• food (4%)
• information and telecommunications (63%)
• postal and shipping (2%)
• public health (4%)
In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.
Below we have outlined some of the effects on the organisation:
Consequences for Targeted Organizations
• Insider activities caused organizations financial losses, negative impacts to their business operations and damage to their reputations.
• Incidents affected the organizations’ data, systems/networks, and components.
• Various aspects of organizations were targeted for sabotage by the insider.
• In addition to harming the organizations, the insiders caused harm to specific
Eighty-one percent of the organizations experienced a negative financial impact as a result of the insiders’ activities. The losses ranged from a reported low of $500 to a reported high of “tens of millions of dollars.” The chart below represents the percentage of organizations experiencing financial losses within broad categories.
[Chart: Percentage of Organizations by Direct Financial Loss band – $1 - $20,000; $20,001 - $50,000; $50,001 - $100,000; $100,001 - $200,000; $200,001 - $999,999; $1,000,001 - $5,000,000; Greater than $10,000,000]
For the full 45-page report, or to comment on this piece, please email us or call Russell Price directly on +44 (0) 208 993 1599.
The Government remains on track to bring the bulk of the duties in Part 1 of the Act fully into force in November 2005.
The Act requires the Government to seek the consent of the National Assembly for Wales to the revised package of Regulations and statutory guidance and to consult the Scottish Executive; this process will take place during May and June. The Government has worked closely with colleagues in all of the devolved administrations throughout the policy development process, and does not expect to make substantial further changes to the documents. Local responders should therefore continue to drive forward their implementation programmes using the revised draft Regulations and statutory guidance published today as the basis for this work.
Business continuity and disaster recovery fundamentals are strong in Singapore because of its strategic geographical location. Free from natural disasters such as earthquakes and typhoons, Singapore is well known as a major financial, transportation and infocomm hub, and is home to more than 7,000 multinational corporations, many of which use it as a launch pad to expand into the region.
This update provides basic guidance for banks and sets out banking supervisors’ views on compliance in banking organisations.
Using a framework of principles, the latest update illustrates how compliance with the laws, rules and standards that govern banking activities helps to maintain a bank’s reputation with its shareholders, customers, employees and the markets. At the same time, the paper incorporates sound practice guidance to assist banks in designing, implementing and operating an effective compliance function. To optimise its usefulness to all banks, the paper stresses that a single framework of principles for effective compliance risk management does not restrict individual banks to a single organisational or operational approach. However, each bank must be prepared to demonstrate that the approach adopted is effective in dealing with the bank’s unique compliance risk challenges.