Regulation. When a government entity has created a draft regulation, it is required to allot at least 30 days for public comment. Typically, agencies allow 90 days of public comment on proposals. The Web site www.regulations.gov provides an up-to-date list of all proposals up for public comment that is searchable by agency and keyword.
• Make your own comments: You may generally submit comments on behalf of yourself or your organization through www.regulations.gov or by mail (providing three copies of comments and referencing the appropriate docket number in your notice).
• Comment through an industry organization: As noted above, associations provide a unique opportunity to approach an issue with a loud and unified voice.
Regulatory agencies carefully evaluate all public comments and execute revisions before drafting final regulations for approval.
Voluntary Guidelines. As in legislative development, it is important to approach government agencies and industry organizations with your input on proposed voluntary guidelines. This means maintaining strong relationships and being active in your association's meetings and committees where appropriate. Voluntary guidelines or industry standards are the most frequent starting point for new regulations.
If you decide to take any of the above actions, you will find success only if you act as a knowledgeable representative of your enterprise, having coordinated with all relevant corporate entities and keeping the best interest of the business in mind.
Know When to Act
Unfortunately, it does not help to know how you can impact new rules if you are unaware of them. You cannot change anything without knowing what's on the docket and what it might mean to you.
While a security department can try to keep track of all security-significant legislation, the complexities of proposed rules and regulations make this a sometimes insurmountable challenge. It takes some digging to get to the security impact of many regulations, and often that impact is not explicitly stated — it might not be recognized until the rule is put into action.
While most large companies already rely on government affairs to watch laws that affect their business (e.g. taxes, EPA issues, FDA issues), no one outside security is watching laws and regulations that affect security. Organizations would do well to make security-related law-watching a coordinated, enterprise effort.
Security must partner with other corporate entities, such as government affairs, legal, quality, safety and human resources, to jointly track and understand the import of proposed rules. An enterprise view helps individual departments more clearly understand when it is important to act and when it is not. Some legislation affects numerous aspects of an enterprise, some positively and some negatively. Only with a business mindset can the benefits and drawbacks be accurately measured.
The Security Executive Council has created a tool to help member organizations identify, track and comply with security-significant laws, regulations and guidelines. The regulation and compliance management tool allows members to view a baseline list of requirements or controls and assess how compliant they are and what they still need to do. The tool breaks requirements into 11 main categories, such as information protection, physical security and governance. The tool can also show users commonalities between requirements to allow them to make the best use of their resources.
The council's list of legislation, regulations, and guidelines is quite lengthy, but it is still incomplete, so it is asking for input from Security Technology & Design readers. If you submit to the council a law, regulation or guideline with a security component that is not currently on the list — laws may be industry-specific, state or federal — the council will provide you a free $50 metric tool for your participation. To see a list of rules already compiled, visit www.csoexecutivecouncil.com/public/lrvc.html.
In Security Technology & Design's August issue, the Security Executive Council will take an even deeper look into the state of security-significant mandates and the security professional's role in dealing with them. We'll drill down to discuss specifically what type of legislation is out there and who it impacts, how the corporation can coordinate an enterprise-wide compliance effort, and how management can justify or minimize the cost of compliance.