The Intersection of Security & Compliance: The New Risk Assessment

By : RiskWatch
Published : Apr 01, 2006
Length : 5
Type : White Paper
Overview :
As corporate security policies and compliance regulations are created to address the increasingly dangerous post 9/11 environment, security risk management is becoming an increasingly important tool in corporate governance. Learn more in this white paper by RiskWatch.
Related Categories : Compliance, HIPAA Compliance, Network Security, Return On Investment, Risk Management, Security

Since September 11, 2001, there is no doubt that the entire security industry has been fundamentally changed. In shock waves that reached out across borders to the boardrooms of the world, security moved from a misunderstood backroom function to the number one priority of both government organizations and Fortune 1000 companies.

Finally, organizations were ready to "do whatever it takes" to improve security, and that meant a plethora of new regulations mandating more stringent security, along with other requirements that shape the nature of both physical security and information security. These new requirements are mandatory, and most are subject to either audit or review by an outside organization. A key element in these new requirements was the risk analysis/risk assessment requirement, which forces organizations to conduct a formal assessment of their security profile: the threats that are present, the assets that need protection, a review of existing vulnerabilities, and the analysis of these elements (such as threat/vulnerability pairing), culminating in a list of controls that will be implemented.

Moving Security up to the Boardroom
The effect of these new regulations is to elevate the security program up to the boardroom. It integrates the security function into the management of the organization, primarily because security is now a major element in an organization's ability to carry out its primary function, whether that function is manufacturing products, providing services, moving cargo, providing infrastructure or administering programs. Security budgets are important now, and those budgets are being evaluated from a risk management perspective: how much security do we need to be secure? How much does it cost to improve our security program to the most effective level? And, for the first time, are we, as an organization, compliant with the new security guidelines?

Where Compliance Meets Security
The chart below illustrates some of the many requirements that affect different organizations, many of which were created after 9/11. They are found in almost all industries: financial services, healthcare, transportation, manufacturing, pharmaceuticals, and technology. Unrelated to terrorism, but a sweeping piece of security legislation nonetheless, is the HIPAA Regulation, the U.S. Health Insurance Portability and Accountability Act. This requirement, which primarily concerns the protection of "electronic protected health information (ePHI)", has turned the healthcare industry upside down and cost the industry billions of dollars. As well as requiring an annual security risk analysis, HIPAA carries stiff penalties for noncompliance. Individuals can go to jail for up to 25 years and be required to pay fines of up to $250,000 if they disclose protected health information for malicious purposes or for financial gain. The HIPAA regulation covers two basic elements, privacy and security, and the compliance deadlines for each are different. The Privacy Rule required a gap analysis that had to be completed by April 2004, and the Final Privacy Rule has to be complied with by April 2005.

Privacy requirements similar to those found in the HIPAA regulation are applied to financial institutions in the Gramm-Leach-Bliley Act (GLBA), which requires all financial institutions to safeguard consumer information and also dictates the various types of consent that the consumer has to give before the financial institution can do certain things with their private information.

In the realm of homeland security and antiterrorism, the transportation industry is currently being transformed by the many new security requirements. The transportation industry has always been focused on speed and the easy movement of goods, but the major vulnerabilities in these critical supply chains have spawned requirements ranging from United States legislation, such as the Maritime Transportation Security Act of 2002, to international requirements such as the ISPS Code (the International Ship and Port Security Code) from the International Maritime Organization (IMO). The ISPS Code also requires every ship in the world and every port in the world to do a security vulnerability assessment, which had to be completed by July 2004. The requirement also tasked countries with appointing RSOs, Recognized Security Organizations, which are approved to do the security assessment required by the ISPS Code.