Organizations have increasingly added compliance with security-related regulations and standards to their CSO’s responsibilities. Depending on the nature of the requirement, compliance may reside fully within the security department’s scope or be jointly managed with other groups. Your organization may very well have obligations dictated by governments outside the United States. These obligations may affect you because of the nationality of your employees or suppliers, even if your organization is not located in the country that passed the law. Further, organizations may choose to embrace a non-regulated standard or guideline.
As a security professional, it is imperative that you understand the nature of these regulations and standards in order to advance your career. Being conversant in them, and ensuring your company’s program is aligned with and incorporates their requirements, is critical. Continuing your education on these issues will help you recognize evolving patterns and predict the impact of what is coming next. Further, knowing which security-related regulations and standards apply to industries outside your current employer’s will better prepare you if you shift your career into a different industry.
Below are representative samples of regulations and standards we have identified within a variety of job descriptions relevant to security professionals. These examples omit many that pertain primarily to the information technology community, but note that some of those still intersect with security because they contain requirements for other functional areas.
U.S. regulatory
- Banking Act of 1933
- Chemical Facility Anti-Terrorism Standards (CFATS)
- Customs-Trade Partnership Against Terrorism (C-TPAT)
- Dodd-Frank Act
- DOT HM-232, Security of Hazardous Materials
- Electronic Records; Health Insurance Portability & Accountability Act (HIPAA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Aviation Regulations (FAR 135)
- Federal Information Security Management Act (FISMA)
- Federal Sentencing Guidelines
- Food Safety Modernization Act (FSMA)
- Foreign Corrupt Practices Act (FCPA)
- Freedom of Information Act (FOIA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- International Traffic in Arms Regulations (ITAR)
- Maritime Transportation Security Act (MTSA)
- Nuclear Security Standards
- Occupational Health & Safety Standards (OSHA)
- Sarbanes-Oxley Act (SOX)
- SAFETY Act (DHS)
- Trafficking Victims Protection Act (TVPA)
Government-regulated security program standards (sensitive & classified environments)
- Director of Central Intelligence Directives (DCID) 6/xx
- US Department of Defense (DoD) Directive 5200
- US Department of Defense (DoD) Directive 5800
- US Department of Defense (DoD) NISPOM / 32 CFR Part 117
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Federal Information Security Management Act (FISMA)
International regulatory
- CSA Z246.1 – Security Management for Petroleum and Natural Gas Industry Systems
- Data Protection Act UK
- EU Dangerous Preparations Directive (DPD)
- EU Data Protection Directive
- EU General Data Protection Regulation (EU GDPR)
- EU Markets in Financial Instruments Directive (MiFID)
- Indonesian Chief of Police Regulation 24/2007
- International Ship and Port Facility Security Code (ISPS)
- Maritime Transport & Offshore Facilities Security Act (MTOFSA)
- Personal Information Protection & Electronic Documents Act (PIPEDA)
- PTK 49 on Security of Oil and Gas Upstream Business Activity
- Ship and Port Facility (Security) Regulations (UK)
- UK General Data Protection Regulation (UK GDPR)
- Voluntary Principles on Security and Human Rights (VPSHR)
Non-regulatory guidelines / standards
- Air Cargo Security Standard (TACSS-TAPA)
- API/ANSI RP 780: Security Risk Assessments
- Facility Security Requirements (FSR-TAPA)
- Generally Accepted Information Security Principles (GAISP)
- ISO 22300 (Security & Resilience)
- ISO 27000 (Information Security Management Systems)
- ISO 28000 (Security and Resilience Security Management Systems Requirements)
- Joint Commission on Accreditation of Health Care Organizations (JCAHO)
- North American Electric Reliability Corp. (NERC) Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- Trucking Security Requirements (TSR-TAPA)
These regulations and standards are a starting point to aid you in expanding your knowledge of the growing responsibilities within the security profession. They also provide insight into business processes that have an impact on your organization. Understanding them will better position you to partner cross-functionally as you align security programs in support of your company’s current and future goals.
There is a constant flow of new and changing regulatory obligations with built-in requirements to improve security and safety while reducing potential vulnerabilities. You must continuously stay up to date on these to ensure both your organization’s compliance and the success of your security career.