One example is the Payment Card Industry Data Security Standard (PCI DSS). This set of security requirements applies to all companies that process, store, or transmit credit card information and is intended to provide a secure environment for that data. Another example is the new security regulations being imposed on critical infrastructure facilities around the country. In this instance, compliance requires a significant and burdensome investment. As security professionals, it is important for us to work with regulatory agencies to reach guidelines that balance risk mitigation against the impact on the business environment.
When looking at how organizations have been impacted by new regulations since 9/11, it seems appropriate to note the trend among global organizations toward the development of risk management and resilience programs. While it is neither possible nor desirable to eliminate all risks, it is necessary for organizations to prioritize and determine a risk strategy to cost-effectively establish adaptive, proactive, and reactive approaches to control risks. To adequately manage the risks of disruptive events and assure resilience, organizations must engage in a comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity, and recovery.
In 2009, ASIS published the “Organizational Resilience: Security, Preparedness and Continuity Management Systems - Requirements with Guidance for Use” standard. This standard lays out the steps necessary to prevent, prepare for, and respond to a disruptive incident, so that the organization can manage and survive the event and take the actions needed to ensure its resilience. The standard was adopted by the U.S. Department of Homeland Security (DHS) for the DHS Private Sector Preparedness (PS-Prep) Program. It is available for free download at www.asisonline.org.