The Compliance Spending Surge
				Few issues are driving information security spending these days like regulatory compliance. TheInfoPro, a research firm that investigates technology sectors in six-month intervals, conducted 172 one-on-one interviews with information security professionals in the fall of 2005. Its findings suggest that most security budgets are increasing due to compliance. "The additional money is being spent on technologies such as identity management and data encryption, which have been identified as effective at addressing compliance requirements, and on additional staff to handle the growing workload," said Henry Nissenbaum, managing director of TheInfoPros' information security practice. For more information, visit www.theinfopro.net

Lessons Learned & Best Decisions

Herath
Lessons Learned
You have to be a diplomat...be flexible...and deal with different people in different ways. Some of them will get it with just an explanation of why they need to do something to comply with GLBA; others you will have to cajole, and others you will have to pound on the table.

Best Decisions
Choose one central person to manage the compliance effort. My group and I created virtual privacy teams and built them around our major business units. I asked all of the leaders underneath those headings to provide me with people to help implement GLBA.

Morenzoni
Lessons Learned
As information went from being paper-based to electronic, it took time to realize that IT would have to store, for instance, the pension report because human resources needed to keep it forever. Comprehensive information management was something we had to embrace.

Best Decisions
Y2K taught us very well and early on that HIPAA compliance has to be an organization-wide effort, not just an IT effort.

Dennedy
Lessons Learned
Know exactly what data is affected. SB 1386 was interesting because affected data was well defined. Having a database with unstructured data where you have not delineated sensitive categories or mapped data to business units was a wake-up call for SB 1386 compliance.

Best Decisions
The best decision we made was to communicate with the people who may be impacted [by SB 1386] and offer training for every director who conveyed information about SB 1386 to a team at Sun.

Dotson
Lessons Learned
Develop and maintain direct open communication with your auditor. I can't say we started that way. We made assumptions, and they did, too. It didn't work. So now each time we take a major step, we talk. It's not uncommon for us to talk weekly, or at least monthly.

Best Decisions
Define the right number of key controls. These are the rules you place on yourself to ensure your financial statements are going to be stated accurately. When SOX first came along, we had 132 key controls. We've been able to refine down to those that are absolutely critical: 32.

< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >