The Business of Security: The New Rules of Security

How many security regulations apply to your company? Odds are, there are more than you think


Few CSOs today can call their security organizations unregulated, and those who do are probably in for an unpleasant surprise.

Since the Sept. 11 terrorist attacks, a hyper-charged interest in national security has propagated a spate of new laws, regulations and voluntary guidelines that impact the operations of security programs in both the private and public sectors. Growing concerns about the privacy of information, business conduct and ethics have also helped to boost the number of rules.

At a surface level, this isn't news to anyone. The effect of regulation on the U.S. and international aviation industry has been headline news for more than five years. So have the types of corporate corruption scandals that led to the development of accountability rules like Sarbanes-Oxley. Legislation to increase the security of sensitive government information, the U.S. critical infrastructure and the national food supply has similarly received a great deal of public attention. But not all such legislation is high-profile. There are numerous rules with security significance that appear to have slipped under the radar of both the general public and of many security professionals.

The Security Executive Council has begun working to compile the first comprehensive international security law, regulation, and guideline database – both for corporations in general and for specific industries. Right now, the council's list of U.S. federal legislative actions (including executive orders and statutes) sits at 35, the list of U.S. federal regulations at 46, and the list of voluntary guidelines or standards at 44. This current list only scratches the surface.

For one thing, security professionals have more than federal mandates to contend with. As of April of this year, for example, 35 states had implemented their own legislation requiring corporations and/or state agencies to disclose any security breaches involving personal information. States also develop their own rules dealing with such varied issues as critical infrastructure protection, employee and workplace security, and identity theft. For global corporations, international law also plays a major role in operations.

The length and breadth of legislative and regulatory coverage poses a significant challenge for many security professionals, a challenge complicated all the more by the fact that they are often unaware of many of the rules that apply to their operations. New rules are being developed all the time, new amendments are changing older rules, and some regulations that would appear to apply to a specific industry group sometimes carry a longer reach than their creators intended. For example, the DHS' Chemical Facility Anti-Terrorism Standards — the stated intent of which is to provide tighter security for high-risk chemical facilities — is proving to be a thorn in the side of the food industry. Because the thresholds for many of the regulated chemicals are low, facilities that use even small amounts of a certain type of ammonia for refrigeration find themselves under the thumb of the regulations.

The good news is, security professionals need not feel entirely helpless in the face of this onslaught of governmental activity. By understanding how these regulations and laws are made and knowing how and when to take action, security professionals can become agents of change for the good of their organizations, their industries, and ultimately, their nation.

The LRVC Breakdown

LRVC stands for Legislation, Regulation and Voluntary Compliance. The first step is to clarify the differences in the nature and development of legislation, regulations and industry voluntary guidelines.