The Business of Security: The New Rules of Security

How many security regulations apply to your company? Odds are, there are more than you think

Legislation encompasses both executive directives and statutes. An executive order, sometimes called a presidential directive, is issued by the executive branch and may deal with such matters as internal operations, national security or foreign policy. Executive orders are binding on their own, but they are often accompanied or followed by congressional statutes that make them indisputable law. Statutes are the approved legislative acts that are developed by Congress, such as the Federal Anti-Tampering Act and the Homeland Security Act. These begin as proposed bills in either the House of Representatives or the Senate. If a bill is introduced in the House, it is first sent to committee for research and consideration, amended and sent up for debate, and finally voted upon. The approved act is then sent to the Senate, which also puts it through committee and votes before returning it to the House. The final step is the President's approval.

Legislation is generally broad in scope. It mandates that certain objectives be achieved, but it rarely digs into the details of who, what, when, where and how. Instead, legislation appoints certain federal agencies to develop and enforce specific regulations that will accomplish the stated goals.

The appointed agencies carefully research the issue and then develop rules that are intended to be fair to the regulated group by identifying multiple options and requesting public comment.

Voluntary guidelines may be created by federal and state agencies or by industry organizations and associations. Government entities may issue guidelines where regulation would be unfeasible for an entire industry, or where strict regulation could impose an unbalanced business or economic risk. C-TPAT, the Customs-Trade Partnership Against Terrorism, is a good example of voluntary guidelines. Organizations that follow it earn the reward of easier, quicker international shipping. Industry organizations often create guidelines to avoid future legislation; if they police their own members through voluntary compliance, the government may see no need to step in and mandate change. Often it works, as is the case with C-TPAT. Other times it does not, and the need for regulation surfaces again. Industry and government standards created by organizations like the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), the National Fire Protection Association (NFPA) and the American Institute of Certified Public Accountants (AICPA) also fit in this category.


The Security Professional's Role

Security professionals and their corporations can play a part in the creation of any legislation or regulations that may impact their business. It's just a matter of knowing how to do it and recognizing when the window of opportunity is opened.

Legislation. A bill receives its most intense scrutiny when in committee. Committees request multiple reports on differing views for all proposed legislation, and they are also authorized to hold hearings that incorporate testimony from qualified experts on the subject in question. There are a few ways to ensure your voice is heard when it matters in the legislative process.

• Make contact: It is important to make your views known to your Senators and Representatives if you become aware of proposed legislation that may impact your organization's security operations. You can reach members of Congress by phone, mail, or e-mail. Complete directories are available at and . When contacting a member of Congress, keep your comments clear and concise. If appropriate, request an in-person meeting with the Congressperson, or offer yourself as an on-call resource.

• Build relationships: Particularly if you are in a heavily regulated industry, it will be useful for your organization to build ongoing relationships with legislators. There is no reason to wait until a significant bill comes along; if your legislators know your organization already, they may be more inclined to give weight to your concerns when it really counts. Advance notice of legislative hearings is sometimes sent to relevant individuals and organizations, so it is a good idea to get yourself on that list. Introduce your business early. Some organizations even invite legislators on facility tours to build a more lasting impression.

• Become active in industry and security organizations: Industry associations can amplify your voice by joining it with the voices of others. They also have their own resources dedicated to monitoring legislative and regulatory proposals, and their own government relations teams with existing legislator relationships. Speaking through an association also allows your organization to work against sometimes publicly popular legislation without suffering a PR hit for doing so.