13- Assignment


ISOL 634 Physical Security

Lesson 13 - Standards, Regulations and Guidelines

Copyright © 2013, Elsevier Inc. All rights reserved.

Standards, Regulations, and Guidelines

• Some industries are heavily regulated

– Example: the Nuclear Regulatory Commission is responsible for defining and enforcing security requirements at U.S. nuclear power stations

• Publishes a range of guidelines to support compliance

Mandatory Practices

• Essential for compliance requirements

– Legislative

– Regulatory

– Licensing

– Registration

Benchmark (Minimum) Practices

• Approaches that, in legal terms, could “reasonably” be expected to be followed

– Example: ISO 31010:2009, “Risk Management—Risk Assessment Techniques”

• Generic guidance to assessing wide range of risks

• Compliance not necessarily mandatory

Benchmark (Minimum) Practices

• Standards published by recognized standards bodies are only mandatory if they are specified for compliance (by legislation, regulation, license, contract, or similar)

– If a standard has clear application to security management risks, it should be considered as a potential benchmark

Benchmark (Minimum) Practices

• Strategy implementation can depart from non-mandatory standards/guidelines

– Decisions to depart must be made in an informed manner and documented

– If published standards are not followed, it is important to determine any litigation or public relations risks that the departure creates

Standards

• A document published by a recognized standards body to specify requirements and an approach to a specific subject area

– Hundreds of recognized standards bodies

– At the international level, bodies develop/publish standards for universal use

• One of largest—International Organization for Standardization (ISO; www.iso.org)

Standards

• Not all ISO standards adopted by regional or national standards bodies

– May still be applicable for security programs in those areas

• Example: ISO standard for risk assessment widely adopted by standards bodies, but has not been embraced by Australian/New Zealand standards bodies

Standards

• Application of any published standard must be considered in context, weighing its cost against its benefits

– Standards developed by industry bodies are specific to that industry and underpin benchmark practices

– Many recognized industry associations develop working relationships with standards bodies to jointly develop standards and guidelines

Standards

• Consider standards that cover both mandatory and benchmark practices

– If no local standards, review those applying in other jurisdictions

– Provisions in a standard can:

• Provide structured approach to an issue

• Deliver defensibility for decisions

• Establish consistency across a security program

Regulations

• Must consider regulatory compliance with workplace safety and life safety requirements

– There are other areas where compliance requirements impact the security program

• Example: CCTV—a jurisdiction may have regulations governing the deployment and operation of cameras within a given space

Regulations

• Regulatory considerations for CCTV:

– Licensing of installer and camera operator

– Conditions for installation

– Registration of system

– Training for operators

– Privacy management

– Documentation

Regulations

• The private security industry has been impacted by an escalation in regulatory obligations because of community concerns about:

– Training

– Competence

– Suitability of personnel to perform duties

Regulations

• In some jurisdictions, licensing and training requirements apply only to security contractors

– In other areas, requirements apply to both contractors and in-house personnel

– Even where not required, consider the benefits of licensing in-house personnel anyway:

• Criminal background checks

• Basic training requirements

• Legal defensibility

Guidelines

• Range of published guidelines to support implementation of security programs in specific settings

– The term “guidelines” also covers other publications, such as:

• Manuals and fact sheets

• Specifications and checklists

• Protocols and practices

Guidelines—FEMA

• FEMA guidelines on physical security; resources include:

– FEMA 426: “Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings”

– FEMA 452: “A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings”

– E155 and L156: “Building Design for Homeland Security”

– FEMA 453: “Safe Rooms and Shelters—Protecting People Against Terrorist Attacks”

Guidelines—FEMA

• FEMA resources (cont’d)

– FEMA 389: “Communicating with Owners and Managers of New Buildings on Earthquake Risk”

– FEMA 430: “Site and Urban Design for Security: Guidance Against Potential Terrorist Attacks”

– FEMA 427: “Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks”

– FEMA 428: “Primer to Design Safe School Projects in Case of Terrorist Attacks”

Guidelines

• Industry associations as source

– ASIS International guideline subjects:

• Business continuity

• Facilities physical security measures

• General security risk assessment

• Information asset protection

• Private security officer selection and training

• Workplace violence prevention

Guidelines

• Industry associations as source (cont’d):

– American Public Transportation Association samples:

• APTA SS-SEM-RP-003-08, “Recommended Practice: Security and Emergency Management Aspects of Special Event Service”

• APTA SS-SEM-RP-004-09, “Recommended Practice: General Guidance on Transit Incident Drills and Exercises”

Guidelines

• Ensure guidelines do not conflict with regulations or published standards; where they do, the higher authority prevails

– Hierarchy of authority (highest first):

• Legislation/regulations

• Standards (by recognized standards body)

• Guidelines

Guidelines

• Regulators also publish guidelines to assist with compliance

– These form a foundation for the applicable areas of the security program

– Example: the State of Queensland in Australia developed crime prevention through environmental design (CPTED) guidelines that are referenced by local governments in their policies

Guidelines

• Government-developed guidelines are not necessarily linked to regulatory requirements but should still be considered

• Guidelines from standards bodies are often complementary documents to their published standards

Managing Compliance

• Every organization benefits from a structured security management plan

– It needs to recognize the full range of risks, including specific compliance-related risks

– It needs mechanisms for monitoring compliance obligations and prioritizing decisions

Managing Compliance

• Example: the Sarbanes-Oxley Act of 2002 (SOX), administered by the U.S. Securities and Exchange Commission

– Has implications for both physical and information security programs

• A full range of strategies is necessary to prevent records from being compromised through:

– Loss or destruction

– Denial of access

– Unauthorized modification or alteration

– Contamination

Managing Compliance

• SOX legislation defines the required outcome, not how the protection should be implemented

• Some government agencies publish resources to support compliance with policy/regulatory obligations

Managing Compliance

• Example: “Australian Government Protective Security Policy Framework” provides a range of supporting documents, such as:

– “Protective Security Guidance for Executives”

– “Security Awareness Training Guidelines”

– “Australian Government Personnel Security”

Managing Compliance

• Managing compliance requires a structured approach to understanding obligations and risks

– This facilitates defensible decisions about obligations and risks, based on the implications of noncompliance

– Guidance may be available, but:

• The responsible parties must ensure that both direct and indirect requirements are identified and acted on

Managing Compliance

• A well-conceived and well-implemented program for security-related risks is essential

– The increasing frequency of litigation and regulatory prosecutions shows the need for a defensible basis for the security program

– Resources available through:

• Regulatory agencies

• Standards bodies

• Industry associations

Assignment

• Read Chapter 16