The Business of Security: The New Rules of Security

Oct. 27, 2008
How many security regulations apply to your company? Odds are, there are more than you think

Few CSOs today can call their security organizations unregulated, and those who do are probably in for an unpleasant surprise.

Since the Sept. 11 terrorist attacks, a hyper-charged interest in national security has propagated a spate of new laws, regulations and voluntary guidelines that impact the operations of security programs in both the private and public sectors. Growing concerns about the privacy of information, business conduct and ethics have also helped to boost the number of rules.

At a surface level, this isn't news to anyone. The effect of regulation on the U.S. and international aviation industry has been headline news for more than five years. So have the types of corporate corruption scandals that led to the development of accountability rules like Sarbanes-Oxley. Legislation to increase the security of sensitive government information, the U.S. critical infrastructure and the national food supply has similarly received a great deal of public attention. But not all such legislation is high-profile. There are numerous rules with security significance that appear to have slipped under the radar of both the general public and of many security professionals.

The Security Executive Council has begun working to compile the first comprehensive international security law, regulation, and guideline database – both for corporations in general and for specific industries. Right now, the council's list of U.S. federal legislative actions (including executive orders and statutes) sits at 35, the list of U.S. federal regulations at 46, and the list of voluntary guidelines or standards at 44. This current list only scratches the surface.

For one thing, security professionals have more than federal mandates to contend with. As of April of this year, for example, 35 states had implemented their own legislation requiring corporations and/or state agencies to disclose any security breaches involving personal information. States also develop their own rules dealing with such varied issues as critical infrastructure protection, employee and workplace security, and identity theft. For global corporations, international law also plays a major role in operations.

The length and breadth of legislative and regulatory coverage poses a significant challenge for many security professionals, a challenge complicated all the more by the fact that they are often unaware of many of the rules that apply to their operations. New rules are being developed all the time, new amendments are changing older rules, and some regulations that would appear to apply to a specific industry group sometimes carry a longer reach than their creators intended. For example, the DHS Chemical Facility Anti-Terrorism Standards, whose stated intent is to provide tighter security for high-risk chemical facilities, are proving to be a thorn in the side of the food industry. Because the screening thresholds for many of the regulated chemicals are low, a facility that keeps even a small amount of a certain type of ammonia on hand for refrigeration can find itself covered by the regulation.

The good news is, security professionals need not feel entirely helpless in the face of this onslaught of governmental activity. By understanding how these regulations and laws are made and knowing how and when to take action, security professionals can become agents of change for the good of their organizations, their industries, and ultimately, their nation.

The LRVC Breakdown

LRVC stands for Legislation, Regulation and Voluntary Compliance. The first step is to clarify the differences in the nature and development of legislation, regulations and industry voluntary guidelines.

Legislation encompasses both executive directives and statutes. An executive order, sometimes called a presidential directive, is issued by the executive branch and may deal with such matters as internal government operations, national security or foreign policy. Executive orders are binding on their own, but they are often accompanied or followed by congressional statutes that make them indisputable law. Statutes are the approved legislative acts that are developed by Congress, such as the Federal Anti-Tampering Act and the Homeland Security Act. These begin as proposed bills in either the House of Representatives or the Senate. If a bill is introduced in the House, it is first sent to committee for research and consideration, amended and sent up for debate, and finally voted upon. The approved bill is then sent to the Senate, which also puts it through committee and votes before returning it to the House. The final step is the President's approval (or, if the President vetoes the bill, a two-thirds override vote in both chambers).

Legislation is generally broad in scope. It mandates that certain objectives be achieved, but it rarely digs into the details of who, what, when, where and how. Instead, legislation appoints certain federal agencies to develop and enforce specific regulations that will accomplish the stated goals.

The appointed agencies carefully research the issue and then develop rules that are intended to be fair to the regulated group by identifying multiple options and requesting public comment.

Voluntary guidelines may be created by federal and state agencies or by industry organizations and associations. Government entities may issue guidelines where regulation would be unfeasible for an entire industry, or where strict regulation could impose an unbalanced business or economic risk. C-TPAT, the Customs-Trade Partnership Against Terrorism, is a good example of a voluntary guideline: organizations that follow it earn the reward of easier, quicker international shipping. Industry organizations often create guidelines to avoid future legislation; if they police their own members through voluntary compliance, the government may see no need to step in and mandate change. Often it works, as is the case with C-TPAT. Other times it does not, and the need for regulation surfaces again. Industry and government standards created by organizations like the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), the National Fire Protection Association (NFPA) and the American Institute of Certified Public Accountants (AICPA) also fit in this category, although a standard that is voluntary for one organization may be mandated for another by contract or by a regulator that references it.

The Security Professional's Role

Security professionals and their corporations can play a part in the creation of any legislation or regulations that may impact their business. It's just a matter of knowing how to do it and recognizing when the window of opportunity is opened.

Legislation. A bill receives its most intense scrutiny when in committee. Committees request multiple reports on differing views for all proposed legislation, and they are also authorized to hold hearings that incorporate testimony from qualified experts on the subject in question. There are a few ways to ensure your voice is heard when it matters in the legislative process.

• Make contact: It is important to make your views known to your Senators and Representatives if you become aware of proposed legislation that may impact your organization's security operations. You can reach members of Congress by phone, mail, or e-mail. Complete directories are available at www.house.gov and www.senate.gov. When contacting a member of Congress, keep your comments clear and concise. If appropriate, request an in-person meeting with the Congressperson, or offer yourself as an on-call resource.

• Build relationships: Particularly if you are in a heavily regulated industry, it will be useful for your organization to build ongoing relationships with legislators. There is no reason to wait until a significant bill comes along; if your legislators know your organization already, they may be more inclined to give weight to your concerns when it really counts. Advance notice of legislative hearings is sometimes sent to relevant individuals and organizations, so it is a good idea to get yourself on that list. Introduce your business early. Some organizations even invite legislators on facility tours to build a more lasting impression.

• Become active in industry and security organizations: Industry associations can amplify your voice by joining it with the voices of others. They also have their own resources dedicated to monitoring legislative and regulatory proposals, and their own government relations teams with existing legislator relationships. Speaking through an association also allows your organization to work against sometimes publicly popular legislation without suffering a PR hit for doing so.

Regulation. When a government agency publishes a draft regulation, it must open the proposal to public comment before finalizing it. Comment periods generally run at least 30 days, and agencies often allow 60 to 90 days for significant proposals. The Web site www.regulations.gov provides an up-to-date list of all proposals open for public comment that is searchable by agency and keyword.

• Make your own comments: You may generally submit comments on behalf of yourself or your organization through www.regulations.gov or by mail (providing three copies of comments and referencing the appropriate docket number in your notice).

• Comment through an industry organization: As noted above, associations provide a unique opportunity to approach an issue with a loud and unified voice.

Regulatory agencies are required to consider the public comments they receive, and they commonly revise the proposal in response before publishing the final regulation. Check the final rule against your comments: the preamble usually explains which suggestions were adopted and which were rejected, and why.

Voluntary Guidelines. As in legislative development, it is important to approach government agencies and industry organizations with your input on proposed voluntary guidelines. This means maintaining strong relationships and being active in your association's meetings and committees where appropriate. Voluntary guidelines and industry standards are often the starting point for new regulations, so shaping them early is frequently the cheapest way to shape the rules that follow.

If you decide to take any of the above actions, you will find success only if you act as a knowledgeable representative of your enterprise, having coordinated with all relevant corporate entities and keeping the best interest of the business in mind.

Know When to Act

Unfortunately, it does not help to know how you can impact new rules if you are unaware of them. You cannot change anything without knowing what's on the docket and what it might mean to you.

While a security department can try to keep track of all security-significant legislation, the complexities of proposed rules and regulations make this a sometimes insurmountable challenge. It takes some digging to get to the security impact of many regulations, and often that impact is not explicitly stated — it might not be recognized until the rule is put into action.

While most large companies already rely on government affairs to watch laws that affect their business (e.g., taxes, EPA issues, FDA issues), often no one outside the security department is watching for laws that affect security operations. Organizations would do well to make security-related law-watching a coordinated, enterprise effort.

Security must partner with other corporate entities, such as government affairs, legal, quality, safety and human resources, to jointly track and understand the import of proposed rules. An enterprise view helps individual departments more clearly understand when it is important to act and when it is not. Some legislation affects numerous aspects of an enterprise, some positively and some negatively. Only with a business mindset can the benefits and drawbacks be accurately measured.

The Security Executive Council has created a tool to help member organizations identify, track and comply with security-significant laws, regulations and guidelines. The regulation and compliance management tool allows members to view a baseline list of requirements or controls and assess how compliant they are and what they still need to do. The tool breaks requirements into 11 main categories, such as information protection, physical security and governance. The tool can also show users commonalities between requirements to allow them to make the best use of their resources.

The council's list of legislation, regulations, and guidelines is quite lengthy, but it is still incomplete, so it is asking for input from Security Technology & Design readers. If you submit to the council a law, regulation or guideline with a security component that is not currently on the list — laws may be industry-specific, state or federal — the council will provide you a free $50 metric tool for your participation. To see a list of rules already compiled, visit www.csoexecutivecouncil.com/public/lrvc.html.

Stay Tuned

In Security Technology & Design's August issue, the Security Executive Council will take an even deeper look into the state of security-significant mandates and the security professional's role in dealing with them. We'll drill down to discuss specifically what type of legislation is out there and who it impacts, how the corporation can coordinate an enterprise-wide compliance effort, and how management can justify or minimize the cost of compliance.

* Bob Hayes is Managing Director of the Security Executive Council, a cross-industry professional organization of security executives devoted to advancing strategic security leadership solutions, founded by CSO magazine. He also serves as chief security officer of CXO Media Inc. and its parent company, International Data Group. Mr. Hayes has more than 25 years of experience developing security programs and providing security services. Prior to joining CXO, he spent eight years as the CSO at Georgia-Pacific and nine years as security operations manager at 3M.

* Marleah Blades is senior editor for the Security Executive Council. Before joining the council she served six years as managing editor of Security Technology & Design magazine.

* Greg Halvacs is SVP and CSO for Cardinal Health, a pharmaceutical services company operating in over 30 countries with 55,000 employees. Mr. Halvacs has more than 22 years in the security industry. Prior to joining Cardinal, he was the senior director of corporate security at Kraft Foods, where he had national and international security responsibility. He is a member of ISMA and ASIS.

* Sandy Sandquist is director of global security for General Mills. He is a member of ISMA and ASIS and currently serves on the Business Roundtable Security Coordinating Committee and the Twin Cities Security Partnership Resource Sharing Committee.