Leadership Solutions

Knowledge Corner - Regulations & Compliance

The Knowledge Corner offers many resources to help you manage risk. Explore the topics offered in the navigation bar or if you can't find what you're looking for, use Find it For Me!™

The icons shown adjacent to the titles of these resources provide information about sources.
  • blue icon = Tools, solutions, research and publications created by Security Executive Council
  • cyan icon = Materials created by Security Executive Council strategic alliance partners
  • green icon = Other material reviewed and deemed relevant to security and risk management executives by the Security Executive Council




Tools

   

Cost of Compliance Model This is Security Executive Council material  

Created By: Security Executive Council
A model to help estimate the likely cost impact resulting from proposed or new government (or trade group) security regulations and guidelines.
Resource is for Tier One Leaders only
   

Cost of Compliance Model: Executive Summary This is Security Executive Council material  

Created By: Security Executive Council
This is an overview of a tool developed to calculate the cost for a site to become compliant with different security regulations. The model helps estimate the likely cost impact resulting from proposed or new government (or trade group) security regulations and guidelines. Tier 1 Security Leaders have access to the full document.
Resource is for SEC Vanguard membership or Tier One Leaders only
   

Regulation and Compliance Management Tool This is Security Executive Council material  

Created By: Security Executive Council
The Regulation and Compliance Management Tool (RoCM) provides members a method of measuring and recording compliance with various security-related standards, guidance and regulations over time. The tool also allows comparisons between multiple regulations.
A short video describing this resource in more detail is available.
Resource is for Tier One Leaders only
   Security Executive Council Collective Knowledge: Business Continuity Program V.3 This is Security Executive Council material  
Created By: Security Executive Council
This document is based on a presentation given in response to new regulations and corporate scrutiny of business crisis management planning, driven by national incidents, business reporting requirements and corporate and board-level risk.
A member item available for purchase. Visit our store.
A short video describing this resource in more detail is available.
Resource is for Tier One Leaders only
   Security Program Playbook This is Security Executive Council material  
Created By: Security Executive Council
This book and accompanying CD have been developed to provide a series of short subjects on risk mitigation essentials. It was designed to save you time when enhancing or developing risk management programs. Included are actual program elements, documentation, examples, templates, outlines, presentations, tips and more.

This resource is a compilation of elements that should be in place to constitute the “baseline” of a security program (industry neutral). Practitioners, Council faculty and staff provided input on what they found to be the most critical elements of a successful program. Also incorporated are key materials from Council projects and deliverables. This guide is useful when creating a new program or validating an existing program to identify missing elements or other ways to approach an issue. It is also valuable as a check as to whether your programs are adding business value.

TIER 1 SECURITY LEADERS: To obtain your complimentary copy contact the Director of Member Services.

Research & Benchmarks

   Benchmarking: Getting the most from your helpline data  This has been vetted by Security Executive Council  
Created By: Society of Corporate Compliance & Ethics
Addresses the challenge of analyzing helpline data in a way that provides meaningful interpretation, meets US Sentencing standards and gives early warning of potential problem areas.
 
   Cybervetting: Developing a Cybervetting Strategy for Law Enforcement This has been vetted by Security Executive Council  
Created By: International Association of Chiefs of Police (IACP) and the Defense Personnel Security Research Center (PERSEREC)
Cybervetting is an assessment of a person’s suitability to hold a position using information found on the Internet to help make that determination. The purpose of this document is to present policies and practices to consider when using the Internet to search for information on law enforcement applicants, candidates, and incumbents, and when developing social media policies to limit inappropriate online behaviors. Cybervetting guidelines need to strike the right balance between individuals’ constitutional rights and law enforcement agencies’ due diligence responsibilities for screening out undesirable job applicants and employees.
PDF download (8MB)
   Findings From the OCEG GRC Strategy Study: How We Develop, Manage and Evaluate GRC Efforts  This has been vetted by Security Executive Council  
Created By: Open Compliance and Ethics Group (OCEG)
The findings offer a roadmap for improvement through integrated GRC, which can help to drive what OCEG calls Principled Performance.
 
   Legislation, Regulations, Voluntary Compliance & Standards Library (LRVCS) This is Security Executive Council material  
The Council is collecting the ever-growing body of legislation, regulations, voluntary compliance guidelines and standards (LRVCS) related to security. Contribute a missing item and receive a free metrics presentation PowerPoint. Send suggestions to contact@secleader.com
A short video describing this resource in more detail is available.
   Security Barometer Results: Mexico Drug Decriminalization  This is Security Executive Council material  
Will the recent changes in drug laws affect you? A common theme from respondents was their concern regarding transportation and cargo. Even if your organization does not have facilities in countries with lax drug laws you may want to give thought to the risks in your supply chain.
 
   Trend Research: Comprehensive Business Continuity Programs  This is Security Executive Council material  
Created By: Security Executive Council
This compilation of publicly available information, Council research and observations on business continuity is intended to supply background for developing a business continuity program or for weighing the effectiveness of an existing one.
A member item available for purchase. Visit our store.
A short video describing this resource in more detail is available.
Resource is for Tier One Leaders only
   True Cost of Compliance This has been vetted by Security Executive Council  
Created By: Ponemon Institute and Tripwire, Inc
Ponemon Institute and Tripwire, Inc. conducted The True Cost of Compliance study to determine the full economic impact of compliance activities for a representative sample of 46 multinational organizations. This benchmark study is the first to use empirical data to estimate the full cost of an organization’s compliance efforts, including the cost of non-compliance with laws, regulations and policies.
PDF download (825KB)

Presentation Materials

   Certified Cargo Screening Program: Non-SSI Presentation  This has been vetted by Security Executive Council  
Created By: Transportation Security Administration
Provides transportation security stakeholders with best practices for handling Sensitive Security Information (SSI).
 

Books/Guidelines/Manuals

   Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries  This has been vetted by Security Executive Council  
Created By: Data Protection Unit of the Directorate-General for Justice, Freedom and Security
Answers to these FAQs may help to clarify understanding of the legal framework in force in the EU with regard to transfers to third countries of personal data processed in the EU/EEA.
 

Articles

    2011 Annual Report for the Security Executive Council  This is Security Executive Council material  
Created By: Security Executive Council
This year's report covers activities, initiatives and resources in a condensed three-page document. The information may be used to learn the kinds of support the SEC can offer you, as well as to get a glimpse into what its members are tackling.
PDF download (745KB)
   Calling In Corruption  This has been vetted by Security Executive Council  
Created By: Treasury & Risk
Hotlines may be old hat, but the growing ubiquity of all sorts of media to spread the word, enhanced enforcement against corruption by the Securities and Exchange Commission and the recent Dodd-Frank Act's promise of bigger bounties to whistleblowers are focusing new attention on what used to be just a red phone in the corporate counsel's outer office.
 
   Compliance Scorecard - Importer security filing sees 80 percent compliance This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
In mid-October, the Government Accountability Office reported that importers have achieved an 80-percent rate of compliance with Customs & Border Protection's Importer Security Filing, otherwise known as the 10+2 rule. The rule went into effect in January 2009, and CBP began full enforcement in January 2010.
 
   Compliance Scorecard : 100-Percent Screening By 2010  This is Security Executive Council material  
Created By: Greg Halvacs, Security Executive Council Member; Marleah Blades, Security Executive Council Staff
Examining the state and potential impact of the TSA’s 100% screening initiative. From the September 2008 issue of ST&D magazine.
 
   Compliance Scorecard: Is Your Security Awareness Program All It Can Be? This is Security Executive Council material  
Created By: Kathleen Kotwica, Security Executive Council Staff
Some questions to ask yourself about the basic robustness of your security awareness and training program.
 
   Compliance Scorecard: Access Management and SOX Compliance This is Security Executive Council material  
Created By: Leslie Lambert, Security Executive Council Member
When a company looks at implementing or expanding internal information access controls, it must consider more than compliance and security — it must also consider the impact on IT operations. From the October 2007 issue of ST&D magazine.
 
   Compliance Scorecard: Air & Transportation  This is Security Executive Council material  
Created By: Security Executive Council Staff
Last year, the European Union passed regulations that would require electronic transmission of an Entry Summary Declaration (ENS) at least 24 hours before loading cargo on a vessel bound for an EU port or, for short-sea traffic, two hours before entry at its first EU port. The ENS must include information such as the ocean carrier’s EORI number, the container number and the master and house bill of lading numbers. This information allows the customs office of first entry to perform a cargo risk assessment for all shipments, and if risk is identified it is authorized to take prohibitive action, including Do Not Load orders.
 
   Compliance Scorecard: Airports Encouraged to Use E-Verify This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
The TSA has asked all airport employers to electronically check the employment eligibility of newly hired employees. This is currently voluntary, but it might become mandatory for all U.S. employers. From the February 2008 issue of ST&D magazine.
 
   Compliance Scorecard: Airports Encouraged to use E-Verify 
Created By: Marleah Blades, Security Executive Council Staff
Airport operators & employers should familiarize themselves with the security pros and cons of using E-Verify.
 
   Compliance Scorecard: Banking & Financial Regulations This is Security Executive Council material  
Created By: Security Executive Council Staff
The financial industry is one of the United States' most regulated sectors. Risk issues in this industry can easily impact the livelihoods of thousands if not millions of people, as corporate ethics scandals and our current economic recession have clearly shown. The federal government has set forth a number of well-recognized rules intended to better secure this high-profile sector.
 
   Compliance Scorecard: Be Careful What You Wish For This is Security Executive Council material  
Created By: Bob Sypult, Security Executive Council Member
Compliance requirements for the energy sector have proven burdensome. Sypult offers tips for security professionals working in this difficult regulatory climate. From the November 2008 issue of ST&D magazine.
 
   Compliance Scorecard: Better Safe than Sorry This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
The new edition of NFPA 1600 could impact your emergency management or business continuity program. From the January 2008 issue of ST&D magazine.
 
   Compliance Scorecard: CFATS Continued  This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
In November, the U.S. House of Representatives passed H.R.2868, the Chemical and Water Security Act of 2009. As of this writing, the Act is in committee in the Senate and may or may not come out. A bipartisan group of senators has already announced separate legislation, which has been referred to as the "Continuing Chemical Facilities Antiterrorism Security (CFATS) Act" (S.2996), that it says addresses some of the "problems" inherent in the House version. It is currently unclear how or whether the two bills will be reconciled, but chemical, water and wastewater facilities, as well as other facilities subject to CFATS, should pay attention.
 
   Compliance Scorecard: Environmental Compliance This is Security Executive Council material  
Created By: Liz Lancaster Carver, Security Executive Council Staff
Industrial security, environmental, health and safety professionals must be aware of the range of environmental regulations impacting security. From the July 2008 issue of Security Technology & Design magazine.
 
   Compliance Scorecard: FERPA Compliance This is Security Executive Council material  
Created By: Security Executive Council strategic alliance partner
Jon Oliver, assistant dean and director of IT for the School of Communication, Information and Library Studies at Rutgers University, writes about the security fundamentals of complying with the Family Educational Rights and Privacy Act (FERPA). From the August 2008 issue of ST&D magazine.
 
   Compliance Scorecard: FRCP's new ediscovery rules This is Security Executive Council material  
Created By: William Plante, Security Executive Council Member
eDiscovery rules address corporate electronically stored information (ESI) that may be subpoenaed under a civil action. From the April 2007 issue of ST&D magazine.
 
   Compliance Scorecard: Financial Sector Security Faces a Tough Road Ahead This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
What financial sector security professionals can do to weather the recession storm. From the December 2008 issue of Security Technology Executive magazine.
 
   Compliance Scorecard: Gaming and Casinos 
Created By: Security Executive Council Staff
Seven key regulations that security executives in this sector need to know.
 
   Compliance Scorecard: Knowledge of CPTED Useful in Meeting Public and Private Security Standards This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
The principles of Crime Prevention through Environmental Design (CPTED) can help ensure that property design will include appropriate levels of built-in security, and they play a role in a number of voluntary guidelines and standards in the public and private sectors. From the April 2008 issue of ST&D magazine.
 
   Compliance Scorecard: Leveraging ILM for Convergence and Compliance This is Security Executive Council material  
Created By: Miki Calero, Security Executive Council Member
The Information Lifecycle Management (ILM) strategy ensures protection and enables compliance with both information and physical requirements of existing laws, rules and regulations. From the December 2007 issue of ST&D magazine.
 
   Compliance Scorecard: Medical Labs Could See Changes as a Result of Proposed HHS Rule  
Created By: Security Executive Council Staff
In September, Department of Health and Human Services (HHS) Secretary Kathleen Sebelius announced a proposed rule that could impact IT security and privacy requirements for medical laboratories.
 
   Compliance Scorecard: Municipal Compliance  This is Security Executive Council material  
Created By: Security Executive Council Staff
Six regulations that security executives need to know.
 
   Compliance Scorecard: Proposed Parking Ordinance Could Impact Small Retailers This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
Broward County, Florida is considering a Retail Establishment Parking Security Ordinance that would require 24/7 video surveillance of employee and customer parking areas at retail stores across the county. What can we learn from this? From the October issue of Security Technology & Design magazine.
 
   Compliance Scorecard: Seven Steps to Information Security Compliance This is Security Executive Council material  
Created By: Lou Magnotti, Security Executive Council Staff
To achieve compliance, any organization must master the “Big Four”—perimeter defenses, system certifications, auditing, and user involvement. From the July 2007 issue of ST&D magazine.
 
   Compliance Scorecard: Supreme Court Expands Employee Protection This is Security Executive Council material  
Created By: John Thompson, SEC content expert faculty
Employees have broad protection against retaliation after they have made complaints of discrimination — broader protection than previously understood. From the August 2007 issue of ST&D magazine.
 
   Compliance Scorecard: The False Claims Act  This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
Could your company be held liable for defrauding the government? Don’t be so sure. The purpose of the False Claims Act, which was enacted during the Civil War, has always been to protect the government from losing money to fraud. Its primary targets were federal contractors who deceived the government for gain. The legislation was significantly strengthened in 1986, when Congress amended the FCA to provide protections for whistleblowers and increased the related penalties — allowing the government to collect damages and civil penalties of up to $11,000 per claim. Any whistleblower whose suit is successful receives a share of the money recovered. Since these amendments, the government has recovered more than $21 billion under the FCA, with more than half coming through private whistleblower suits.
 
   Compliance Scorecard: The Hidden Healthcare Security Regulation: PCI This is Security Executive Council material  
Created By: Eric Cowperthwaite, Security Executive Council Member; Marleah Blades, Security Executive Council Staff
There are many rules hospitals need to be thinking about, but one has slipped under the radar: the Payment Card Industry Data Security Standards (PCI DSS). From the June 2008 issue of ST&D magazine.
 
   Compliance Scorecard: Working toward 100 percent screening  This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
The Implementing Recommendations of the 9/11 Commission Act of 2007 requires that the Transportation Security Administration (TSA) establish procedures to ensure screening of 100 percent of the cargo shipped on passenger aircraft by August 2010.
 
   Compliance scorecard: Security risk assessments - Integrating the concept  This is Security Executive Council material  
Created By: William J. Malampy and John W. Piper, Security Executive Council Content Experts
During 2006, the authors of this column were requested to execute a security risk assessment at a major liquefied natural gas facility in the Asia-Pacific region. The provincial government had ordered that significant capital projects required a security risk assessment be conducted as part of their Environmental Impact Statement (EIS) requirements - otherwise, no permits for construction would be issued.
 
   Comply Through Teamwork This is Security Executive Council material  
Created By: Kathleen Kotwica, Security Executive Council Staff
By coming together to resolve redundancies, you can show management that the company is as protected against regulatory risk as it can be. From the August 2007 issue of AC&SS magazine.
 
   Cybervetting: Developing a Cybervetting Strategy for Law Enforcement This has been vetted by Security Executive Council  
Created By: International Association of Chiefs of Police (IACP) and the Defense Personnel Security Research Center (PERSEREC)
Cybervetting is an assessment of a person’s suitability to hold a position using information found on the Internet to help make that determination. The purpose of this document is to present policies and practices to consider when using the Internet to search for information on law enforcement applicants, candidates, and incumbents, and when developing social media policies to limit inappropriate online behaviors. Cybervetting guidelines need to strike the right balance between individuals’ constitutional rights and law enforcement agencies’ due diligence responsibilities for screening out undesirable job applicants and employees.
PDF download (8MB)
   Education Compliance - Six regulations that security executives need to know This is Security Executive Council material  
Created By: Security Executive Council Staff
The Clery Act addresses public notification of crimes committed at colleges and universities that participate in federal student aid programs. The Act was amended in 2008 by provisions of the Higher Education Opportunity Act.
 
   Emergency preparedness: Compliance, care and the long view This is Security Executive Council material  
Created By: Francis D’Addario, Security Executive Council CSO Emeritus
Our current fluid global risk cannot be read in the carefree faces of children at play. They are blissfully unaware of foreboding hazards that endanger them and their protectors. In fact, the multi-trillion-dollar all-hazard landscape - most vividly rendered by the World Economic Forum's 2010 Global Risk Report - remains unknown to many. Those with insight into these risks have a duty to help increase others' awareness of them and to measure mitigation progress. If we hope to lead our organizations through this complex global risk landscape, we must learn what we can from man-made and natural risk events to improve preparedness and resiliency.
 
   Is Your Business Subject to the Red Flags Rule?  This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
In November 2007, the FTC and other agencies issued the Final Rule on Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, more commonly known as the Red Flags Rule. This set of regulations requires financial institutions and creditors to develop, implement and regularly update a written identity theft prevention program that will recognize indicators (red flags) of possible identity theft attempts in connection with covered accounts and work to prevent and mitigate the risk of such attacks.
 
   PCI Builds on Best Practices This is Security Executive Council material  
Created By: Eric Cowperthwaite, Security Executive Council Member
For many companies, the Payment Card Industry (PCI) Data Security Standard (DSS) will be the starting point for best-practices-based emergency response in information security. From the February 2008 issue of Security magazine.
 
   Security Contract Compliance Auditing This is Security Executive Council material  
Created By: George Campbell, Security Executive Council Emeritus Faculty
Contracts with product and service suppliers are an integral part of many corporate security service delivery programs; in fact, many companies spend millions of dollars annually for thousands of hours of service from contract guard vendors. Ensuring the effectiveness of performance terms and related compliance monitoring is a critical management objective that requires knowledgeable and engaged resources, along with the right data for performance measurement.
 
   Shortening the Long Road to Compliance  This is Security Executive Council material  
Created By: Marleah Blades, Security Executive Council Staff
Security Executive Council members Bill Ramsey, director of security for McCormick & Company Inc., Karl Perman, manager of corporate security programs for Exelon Corp., and Stanley Jarocki, vice president of Wells Fargo, share the lessons they have learned from years of successful security compliance. From the September 2008 issue of ST&D magazine.
 
   Surprise! We're Regulated! This is Security Executive Council material  
Created By: Bob Hayes, Marleah Blades, Security Executive Council Staff
A sequel to "The Business of Security: The New Rules of Security," this article discusses how CSOs can keep up with the flood of security-related laws, regulations, voluntary compliance guidelines and standards. From the August 2007 issue of ST&D magazine.
 
   The Business of Security: The New Rules of Security This is Security Executive Council material  
Created By: Bob Hayes, Marleah Blades, Security Executive Council Staff
How many security regulations apply to your company? Odds are, there are more than you think. From the July 2007 issue of ST&D magazine.
 
   The Case of the Reluctant Complainant  This is Security Executive Council material  
Created By: John Thompson, Security Executive Council Content Expert Faculty
Key tips for human resources professionals who are approached with misconduct concerns.
 

Forums

   Faculty Advisor: Business Continuity Plan Certification This is Security Executive Council material  
Created By: Don L. Hubbard, Security Executive Council Emeritus Faculty
We are a medium-sized business and as such my team is having a hard time showing a cost-benefit to having our business continuity plan certified to a standard as recommended by Public Law 110-53. We are not a heavily regulated industry, and to follow one of the recommended standards and go through the certification process seems like overkill. Can you give some examples of benefits to becoming certified?
 
   Faculty Advisor: Tis the Season - Compliant Gifting This is Security Executive Council material  
Created By: Ken Kasten, Security Executive Council Emeritus Faculty
The holiday season always brings with it the well-intended holiday gifts to our employees and, in some cases, to our clients, vendors and suppliers. How do I address the appropriateness and potential abuse of these gifts without being viewed as Scrooge? Read Security Executive Council Emeritus Faculty member, Ken Kasten's, answer to this question.
 
   

Knowledge Exchange: Private Sector Crisis Certification Law This is Security Executive Council material  

Created By: Bruce Blythe
Hear from industry expert Bruce Blythe of CMI on a new corporate "crisis" certification law titled "Implementing Recommendations of the 9/11 Commission Act of 2007", also referred to as Public Law 110-53. Title IX of the Act addresses required private sector preparedness plans and the certification program.
Resource is for Tier One Leaders only
   

Next Generation Security Leader Program This is Security Executive Council material  

Created By: Security Executive Council
The Security Executive Council, in partnership with the University of South Carolina Darla Moore School of Business, has developed a Next Generation Security Leader Development Program. It consists of six 90-minute seminars. This program features an exceptional panel of security/risk mitigation leaders. Current and future risk management leaders benefit from this affordable and eco-friendly six-month virtual long-distance course exploring cross-functional, unified risk oversight as well as return-on-investment capable approaches for board-level risk mitigation and organizational resilience. Sessions include: Aligning Board Level Risk and Business Unit Mitigation Strategies; Communicating All-hazards Risk, Mitigation and Performance Metrics; Next Generation Organizational Leadership: Running Security as a Business; Influencing Community All-Hazard Preparedness and Resilience; Adding Business Value with Mission Assurance and P&L Performance; Managing Information Protection, Breaches and Situational Intelligence.
A Next Generation Security Leader blog is also available.
 

Multimedia

   C-TPAT Supply Chain Security This is Security Executive Council strategic alliance partner material  
Created By: Security Executive Council
A video for companies that have joined the Customs-Trade Partnership Against Terrorism; this program educates employees about key principles of supply chain security. C-TPAT provides discernible business value to companies but only if employees are aware of the proper procedures. Viewers go inside the mind of a criminal who shows how supply chain security can often be easily subverted. TIER 1 SECURITY LEADERS, contact the Director of Member Services for discount information.
A member item available for purchase by nonmembers. Visit our store to view the video in its entirety and to purchase.