10/28/2009 - Voluntary PS-Prep Program Seeking Support for Private Sector Preparedness

The Department of Homeland Security is requesting comments regarding standards under consideration for the Voluntary Private Sector Accreditation and Certification Program. One of the standards under consideration by DHS is ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management System. This would be a great time for anyone who favors management systems and standards over the regulatory approach imposed by governmental entities to write DHS in support of this standard. For those not familiar with this particular standard, below is a brief outline of some of its features. ASIS SPC.1-2009 is written in a familiar format and is 100% compatible with existing ISO management system standards, such as ISO 9000 (management), ISO 14000 (environment), ISO 27001 (information technology), ISO 28000 (supply chain security management) and BSI 25999 (business continuity). Because the ANSI standard is written in the ISO format, supporting materials are readily available. The supporting materials provide guidance for the development, implementation, monitoring and improvement of prevention, preparation, response and recovery activities for businesses large and small. The ANSI/ASIS Organizational Resilience (OR) standard takes an enterprise-wide view of risk. Some elements of the standard focus on understanding and reducing the threats facing organizations, whether they are the result of a malevolent attack, an accident or a natural disaster. Other elements of this standard focus on reducing the consequences of disruptive events regardless of the cause. There are at least three reasons for businesses to seek accreditation under these standards:
Voluntary adoption of standards designed to certify an organization's preparedness for disruptive events should provide substantial relief to organizations from what Andrew Grainger refers to as "security spaghetti." Since 2001, there has been a proliferation of security programs by governmental entities. Many of these programs are little more than what Bruce Schneier refers to as "security theater," but they require attention and effort from organizations so they do not run afoul of governmental regulations. Aggravating the situation, regulations issued by one nation have no authority in other nations. Finally, adding insult to injury, regulations issued by one department sometimes conflict with the regulations of another department within the same nation. The competition between regulations makes the business of doing business complex and more expensive than it needs to be. All of these initiatives tax the organizations under their control. The result is increased cost for goods and services and increased risk to organizations. This risk arises not from the threat of terrorism but from the threat of litigation, whether there is a disruptive event or not. OR accreditation and certification standards provide evidence that organizations are acting reasonably with respect to risks involving security, preparedness and business continuity. The evidence arising out of the process of accreditation and certification could be used in actions involving premises liability, safety in the workplace, breach of contract, sections 401 and 404 of the Sarbanes-Oxley legislation, the Customs-Trade Partnership Against Terrorism (C-TPAT), the World Customs Organization Framework of Standards to Secure and Facilitate Global Trade, the International Ship and Port Facility Security (ISPS) code, the International Air Transport Association (IATA) and many others, depending on the needs of the organization.
The foremost goal of the Organizational Resilience: Security, Preparedness, and Continuity Management System standard, like that of the quality movement, has been and continues to be improved performance. It is here that the proposed standards are likely to have their most important benefit to organizations. The quality movement focuses on meeting the needs of customers. It is a process of asking good questions, using data to measure performance, minimizing bias through the use of independent assessors, and a commitment to continual improvement. The Organizational Resilience: Security, Preparedness, and Continuity Management System standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's security, preparedness and business continuity management systems. It is an independent certification process which can show stakeholders that goals, objectives and programs are working as designed and meeting the goals of the stakeholders. Unlike regulations, these goals, objectives and programs are not intended to fit all organizations but are designed around a specific set of circumstances. The continual improvement clauses of the Organizational Resilience: Security, Preparedness, and Continuity Management System standard ensure that organizations are continually seeking improvements. The benefits of accreditation will have to be realized before they can be marketed. Recognizable benefits range from fewer visits from regulators to faster processing of goods and services for accredited organizations, similar to C-TPAT or CFATS. Also, when standards are effective, insurance rates eventually drop for accredited organizations. The first organizations to adopt the Organizational Resilience: Security, Preparedness, and Continuity Management System will be those already committed to the management system approach. As these organizations prove more effective in mitigating their risks, other organizations will follow. So?
"Can the private sector manage risks better with standards than it does following regulations?" The answer lies in the expertise supporters can bring to bear on the understanding and management of risk. The credibility and integrity of the auditing process is essential because these standards focus on the sensitive area of risk management. For this reason the program should require RABQSA- and IRCA-certified Lead Auditors. If sufficient expertise is developed to support the accreditation and certification process, the Voluntary Private Sector Accreditation and Certification Program will succeed. Accreditation will demonstrate an organization's ability to deal with security, preparedness and business continuity. This is important to organizations that rely on other organizations for parts of their supply chain. This market-based management system is more likely to be effective than the regulation-based systems that have taken root and mushroomed since 2001. The cost, or return on investment, associated with implementation of the Organizational Resilience: Security, Preparedness, and Continuity Management System standard will be different for each organization. It will depend on how well the organization has managed risk in the past and how much improvement it is able to secure through its efforts associated with this program. Tolerance of and exposure to risk create a problem because of the growing interconnectivity and interdependency that businesses have with other businesses. Catastrophes at one organization often cascade into problems for other organizations. This is why it is important that systems designed to mitigate some of these risks are developed and implemented.
Since the intent of the DHS "Voluntary Private Sector Accreditation and Certification Preparedness Program" is preparedness in the private sector, audits conducted by internationally certified RABQSA or IRCA Lead Auditors are accepted and recognized by the Organizational Resilience: Security, Preparedness, and Continuity Management System program. This encourages more participants in the program and eliminates the potential risk of loss of confidential information. Security Engineers encourages those who favor management systems and standards over the regulatory approach imposed by governmental entities to write to DHS in support of the ANSI/ASIS Organizational Resilience: Security, Preparedness, and Continuity Management System. The easiest way to do that is by e-mail to FEMA-Policy@DHS.gov. DHS requires that "Docket ID FEMA-2008-0017" be in the subject line.
© Copyright Security Engineers Inc. All Rights Reserved.