Security regulations and standards can impact your security career

Today's security professional needs to understand the nature of regulations, standards and guidelines to advance their career.

AndreyPopov / iStock / Getty Images Plus via Getty Images

Organizations have increasingly added compliance with security-related regulations and standards to their CSO’s responsibilities. Depending on the nature of the requirement, this may fully reside within the security department’s scope or be jointly managed with other groups. Your organization may very well have obligations dictated by governments outside the United States. These obligations may affect you because of the nationality of your employees or suppliers, even though they are not in the country that passed the law. Further, organizations may choose to embrace a non-regulated standard or guideline.

As a security professional, it is imperative for you to understand the nature of these to advance your career. Being conversant in them and ensuring your company’s program is aligned with and incorporates these requirements is critical. Maintenance of your continued education around these issues will help you recognize evolving patterns and predict the impact of what is coming next. Further, understanding the existence of those security related regulations and standards that are relevant to industries outside of your current employer will better prepare you if you shift your career into a different industry.

Below are representative samples of regulations and standards we have identified within a variety of job descriptions relevant to security professionals. These examples do not include many of those pertaining to the information technology community but note that some intersect due to components for other functional areas.

U.S. Regulatory

Banking Act of 1933
Chemical Facility Anti-Terrorism Standards (CFATS)
Customs-Trade Partnership Against Terrorism (C-TPAT)
Dodd-Frank Act
DOT HM-232, Security of Hazardous Materials
Electronic Records; Health Insurance Portability & Accountability Act (HIPAA)
Fair and Accurate Credit Transaction Act (FACTA)
Fair Credit Reporting Act (FCRA)
Family Education Rights and Privacy Act (FERPA)
Federal Aviation Regulations (FAR 135)
Federal Information Security Management Act (FISMA)
Federal Sentencing Guidelines
Food Safety Modernization Act (FSMA)
Foreign Corrupt Practices Act (FCPA)
Freedom of Information Act (FOIA)
Gramm-Leach-Bliley Act (GLBA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
International Traffic in Arms Regulations (ITAR)
Maritime Transportation Security Act (MTSA)
Nuclear Security Standards
Occupational Health & Safety Standards (OSHA)
Sarbanes-Oxley Act (SOX)
SAFETY Act (DHS)
Trafficking Victims Protection Act (TVPA)

Government Regulated Security Program Standards (Sensitive & Classified Environments)

Director of Central Intelligence Directives (DCID) 6/xx
US Department of Defense (DoD) Directive 5200
US Department of Defense (DoD) Directive 5800
US Department of Defense (DoD) NISPROM / 32 CFR Part 117
Defense Federal Acquisition Regulation Supplement (DFARS)
Federal Information Security Management Act (FISMA)

International Regulatory

CSA Z246.1 - Security Management for Petroleum and Natural Gas Industry Systems
Data Protection Act UK
EU Dangerous Preparations Directive (DPD)
EU Data Protection Directive
EU General Data Protection Regulation (EU GDPR)
EU Markets in Financial Instruments Directive (MiFID)
Indonesian Chief of Police Regulation 24/2007
International Ship and Port Facility Security Code (ISPS)
Maritime Transport & Offshore Facilities Security Act (MTOFSA)
Personal Information Protection & Electronic Documents Act (PIPEDA)
PTK 49 on Security of Oil and Gas Upstream Business Activity
Ship and Port Facility (Security) Regulations (UK)
UK General Data Protection Regulations (UK GDPR)
Voluntary Principles on Security and Human Rights (VPSHR)

Non-Regulatory Guidelines / Standards

Air Cargo Security Standard (TACSS-TAPA)
API/ANSI RP 780: Security Risk Assessments
Facility Security Requirements (FSR-TAPA)
Generally Accepted Information Security Principles (GAISP)
ISO 22300 (Security & Resilience)
ISO 27000 (Information Security Management Systems)
ISO 28000 (Security and Resilience Security Management Systems Requirements)
Joint Commission on Accreditation of Health Care Organizations (JCAHO)
North American Electric Reliability Corp. (NERC) Standards
Payment Card Industry Data Security Standard (PCI DSS)
Trucking Security Requirements (TSR-TAPA)

These regulations and standards are a starting point to aid you in expanding your knowledge of growing responsibilities within the security profession. They also provide insight into business processes that have an impact on your organization. Understanding them will better position you to partner cross functionally as you align security programs in support of your company’s current and future goals.

There is a constant flow of new and changing regulatory obligations with built-in requirements to improve security and safety while reducing potential vulnerabilities. You must continuously stay up to date on these to ensure both your organization’s compliance and the success of your security career.

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jerry Brennan is co-founder and Chief Executive of the Security Management Resources Group of Companies (www.smrgroup.com), the leading global executive search practice focused exclusively on corporate and information security positions.

Joanne R. Pollock is the co-founder and President of Security Management Resources. Previous to SMR, she had a 20-year career at leading global corporations, working across diverse functional areas including human resources, sales and marketing, and information technology services.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.