In the July issue of Security Technology & Design, we discussed the growing mountain of security legislation, regulations and guidelines and what you can do to influence the creation and passage of new rules (“The New Rules of Security,” p.24). But what of the rules already in place? How can you keep track of them, how might they impact you, and what can your organization do to comply cost-efficiently?
The answers to these questions will vary based on the nature and culture of the organization, but all effective solutions share one vital element: a unified, enterprise approach to risk.
When the Security Executive Council (SEC) was launched as the CSO Executive Council in 2005, its research showed that legislative and regulatory compliance was one of the top three issues for senior security executives. Since then, security leaders' concern about compliance and regulation has grown in tandem with the wave of legislation.
Elizabeth Lancaster Carver, member services and projects manager for the council, says: “What concerns security executives the most is the challenge to be compliant with each law without wasting precious human or capital resources due to varying requirements for similar controls. That is to say, access control requirements for C-TPAT, federal sentencing guidelines and PCI could all apply to one company, yet the controls vary significantly, and the challenge is to implement one control that will meet the requirements for all three.” The SEC members pictured on the cover of this month's issue have all struggled with compliance, and they all recognize the immense challenges that often stand in the way.
The increase in security-specific regulation has been accompanied by an increase in non-security regulation that contains security components. To get an idea of the depth and breadth of this increase, visit the Security Executive Council's library of laws, regulations, voluntary guidelines and standards at www.csoexecutivecouncil.com/public/lrvc.html/?sourceCode=std. This library is updated constantly and continues to grow at a rapid pace.
Whereas many CSOs are aware of the security-specific rules coming down the pike, they may not be as familiar with the security aspects of non-security rules, and in some cases they're completely unaware of the impact such rules might have on their organizations.
You can increase your own awareness of new laws and regulations in one or all of the following ways. The first is to increase your participation in industry groups and associations, which keep tabs on such issues for their membership and sometimes offer tools and advice on how to comply.
A second option is to use tools specifically intended for security executives, regardless of industry. For instance, as mentioned in last month's article, the Security Executive Council has created a tool to help member organizations identify, track and comply with security-significant laws, regulations and guidelines. “One of the main ways we found members using the tool is to bring in their colleagues who are also dealing with regulations and compliance to work on the project together,” says Kathleen Kotwica, the council's vice president of research and product development. “Although the tool is specific to security requirements and controls per member requirements, we have had requests to extend it to the entire regulation. We are currently trying to load as many regulations and guidelines as possible, including by industry. This allows our members, for example, to examine if a standard currently used in the organization also fulfills the requirements of another regulation and where the gaps are.”
A third way to increase your awareness is to read industry publications like ST&D, which is partnering with the Security Executive Council to publish regular updates on compliance issues and expert commentary on laws that may impact you in our monthly Compliance Scorecard column.