Legislation, Directives, and Standards
The Sarbanes-Oxley Act of 2002, drawn up in response to corporate scandals such as Enron and WorldCom/MCI, made many of these concerns more acute in the U.S. (Equivalent legislation is gradually coming into effect in many European countries.) Section 404 of the Act requires that corporations have good financial controls, especially IT-related controls. In modern times, because most organizations store much of their financial information in IT systems, and many can go out of business if IT systems are not available 24x7 every day of the year, business continuity and disaster recovery measures must be effective and must be regularly audited in order to comply with the Act.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) passed in the U.S. to ensure that customers are able to switch between health insurance providers as smoothly as possible without unavailability, total loss, or loss of integrity of their health data, dictates that organizations must have a contingency plan in place in order to conform to the Act. Organizations dealing with "life safety data" must provide continuous availability of such data in order to be HIPAA-compliant. This contingency plan is in addition to other measures required to ensure continuous availability of critical data and to ensure the "chain of integrity" of data.
The following list describes several other U.S. acts that require affected organizations to have a business continuity plan/disaster recovery plan in place:
- The Gramm-Leach Bliley Act (GLBA) affects financial institutions and their storage of personal financial data. Such data must be kept secure even in the event of disaster, of course.
- The Federal Information Security Management Act (FISA) affects all federal computer systems.
- The Occupational Safety and Health Act (OSH Act) dictates organizations' need to be prepared for emergencies.
- The California Security Breach Notification Act requires organizations to provide strong security for personal information as well as notification of breaches to security of personal information (social security numbers, drivers' licenses, credit card info) to all those affected.
In the UK, the Civil Contingencies Bill, introduced in April 2005, requires that government and local authority agencies carry out proper business continuity management. It's hoped that this requirement will have a knock-on effect in the business community that—alongside existing data protection legislation, tougher standards requirements and directives from various industry organizations, and so on—will prevent the need for formal legislation similar to Sarbanes-Oxley.
In addition to legislation, many organizations are required to abide by standards and directives governing aspects of their business, and these often require business continuity plans. Here are some examples:
- The National Association of Security Dealers (NASD) rules 3510 and 3520 require that all members have a BCP in place and provide emergency contact information.
- FDA regulations (such as FDA 21 CFR 11) require backup power and backup software for key systems.
- SEC regulations (for example, SEC 17 CFR 240) require that financial transaction histories be maintained for all electronic securities transactions, and backup power be in place to maintain continuity.
- Basel II requires accurate maintenance of historical transaction data and continuous availability of all components of distributed financial systems involved in the Bank of International Settlements (BIS) systems. RIPA in the UK and COB in France are precursors to this requirement in their respective countries.
- Office of Management and Budget (OMB) Circulars (for instance, A-130, dated November 2000) require disaster recovery plans to be in place.
- ISO 17799 (the code of practice for IT security management) compliance requires business continuity and disaster recovery plans to be in place.
- COBIT audits require a BCP to be in place and to be effective in order to meet compliance requirements.
- Business continuity and disaster recovery plans are a key component of any ISACA audit.
- Many organizations are voluntarily adhering to IT Infrastructure Library (ITIL), a set of best practices in IT service management. ITIL has strong guidelines for the business continuity planning process and documentation.
The gist of these laws, regulations, and standards in terms of business continuity and disaster recovery is the same in all cases: The organization must ensure that critical data and systems are available at all times, even in the event of a crisis situation, and various penalties will be imposed on the organizations if such systems and data are not available. However, compliance is a moving target, with requirements increasing constantly; accordingly, the BCP process must be changed in the light of changing requirements.