Cover the Basics
Karl Perman, manager of corporate security programs for Exelon Corp., one of the nation’s largest electric utilities, agrees that participation is key to the development of attainable regulation. Exelon Security team members are involved with the security sub-committees of both Edison Electric Institute and the American Gas Association and regularly meet to discuss the regulatory environment and best practices. “If we don’t take on our own destiny by policing ourselves, someone else will write regulations for us,” he says.
The energy industry has dealt with security regulation for some time and has long-standing rules under control. Perman says it is the emerging regulations that are consuming a lot of resources. Right now, that means the North American Electric Reliability Corporation (NERC) Reliability Standards for Critical Infrastructure Protection and cyber security. The compliance deadline for these standards is the end of the year. NERC’s cyber security standards provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system. Says Perman: “They cover everything from physical security of critical cyber assets to background investigations for individuals accessing these assets — it’s ‘How You Do Security 101.’ Exelon has a team of cross-functional people working on this. We have numerous security policies and procedures in place , and we’re updating several of those based on these standards.”
Despite these massive changes, Perman knows that Exelon is having an easier time meeting the compliance deadlines because the basic tenets of strong security are already in place. “If you haven’t already completed the fundamentals on these, you’ve got big problems,” he says. “If you’ve got the fundamentals, then at least you have started down the road to being compliant.”
Across the board, executive and organizational support has also made compliance easier within Exelon. “The key ingredient for success in achieving compliance with myriad regulations is to establish working relationships with the major operational groups within the organization and to educate these folks on the regulations and the importance of compliance,” Perman says. “A security compliance council is an excellent way to do this.
“It is key to socialize and determine the feasibility of an idea prior to engaging the senior executives,” he continues. “I have found that if operations leaders are with you, then it is easier to win over the other executives. Most executives know that if you are the security leader, then you will be pushing security and compliance initiatives. But if someone in operations starts saying that they need to focus on a compliance issue, then the other executives in the room listen.”
Security professionals must know their business and their compliance issues to be able to sell them to other operational groups, and each security director much choose the most appropriate way of establishing relationships and garnering support.
Gather a Support Group
The financial services sector has held up under rigorous security and information protection regulation for decades. Security professionals at banks and other financial institutions have adapted to many drastic changes in their regulatory environment, from the Bank Protection Act of 1968 and the Bank Secrecy Act of 1970 to Gramm-Leach-Bliley and the Guidance on Authentication in Internet Banking Environments.
“I would say the amount of regulation we deal with as a publicly traded financial services company is a significant piece of our business,” says Stanley Jarocki, vice president of Wells Fargo. “There are dozens of regulations at the federal, state and international levels that we have to look at every day, and that’s not even including privacy.”
In banking specifically, there are requirements for recording and monitoring legitimate transactions of a certain size and transactions that appear suspicious, freezing accounts or blocking money movement to certain countries, managing fraud risk, developing business continuity plans, and managing financial risk and liquidity.
One might expect to find frustration in a security executive in such an environment, but Jarocki sees a positive side to all this regulation. “A lot of it is just an amplification of doing good business. I think that’s an important thing to remember,” he says. “We would do it anyway, because we want to offer our clients something of value. We do it because it’s part of a good client relationship and partnership, and it’s also tied to regulation.”
Jarocki sees a trend of financial services companies bringing compliance, risk management, security, and privacy under a single umbrella — and security often takes the lead. Even in organizations where one executive does not have responsibility for these areas, a team approach is extremely important, Jarocki says. An information security council, for example, should not involve just information security personnel. The issues of information security also deal with privacy and risk management — representatives with those responsibilities must be involved as well. Then, individual business units must be made aware of their own responsibility for maintaining security in the organization and should be encouraged to take ownership of their role in security.
Common Areas in Security Regulation
Participating in regulatory initiatives, maintaining security fundamentals, building effective relationships and developing cross-departmental teams have helped executives in some of the most highly policed industries ease their compliance burdens. Another way to facilitate compliance in any industry, whether heavily regulated or not, is to identify common elements among applicable guidelines and regulations. When an organization attempts to comply with regulations one at a time, it may end up duplicating efforts to address concerns that appear in more than one. By identifying commonalities ahead of time, the organization can deal with common issues at once, sometimes with a single process or solution, saving time and money.
The Security Executive Council maintains a large and growing list of laws, regulations, voluntary compliance guidelines and standards (LRVCS) that impact security. (To view the current list and propose new rules for inclusion, visit https://www.securityexecutivecouncil.com/public/lrvc). After extensive cataloging and research of these LRVCS, the council has identified more than a dozen major categories that most requirements or controls (options recommended by guidelines for voluntary compliance) fit under.
For example, if we look at a selection of laws and guidelines such as ISO 17799, NFPA 1600, NIST Special Publication 800-53 Minimum Security Controls (Low, Moderate and High Baselines), the NERC Critical Infrastructure Protection cyber security standards, and PCI, we can find nearly 100 requirements or controls that can be categorized as specific to business continuity management. Similarly, we can find common governance issues in the Maritime Transportation Act, SOX, the U.S. Federal Sentencing Guidelines, HIPAA and NFPA 1600, among others. Additionally, many of the laws and guidelines already evaluated include considerations for security awareness and training. It is unlikely that any single business would need to comply with all the laws and guidelines cited in these examples, but if an organization can find common elements between even two of the LRVCS that are relevant to it, the cost and time savings can be significant.
By evaluating these common areas in their own organizations, security executives and other security professionals could put themselves several steps ahead of new legislation waiting down the pike.
Whether regulatory compliance is your biggest concern or the last item on your priority list, guidelines and regulations with security implications will impact your organization. Heeding the advice of those who have already been there will make that long and winding road a little easier. To find out more about the Security Executive Council’s LRVCS research, contact firstname.lastname@example.org.