Managers share their lessons learned and best decisions for building compliancy frameworks.
Kirk Herath, CPO, Nationwide Insurance Company
Lessons Learned: "You have to be a diplomat... be flexible... and deal with different people in different ways. Some of them will get it with just an explanation of why they need to do something to comply with GLBA; others you will have to cajole, and others you will have to pound on the table."
Best Decisions: "Choose one central person to manage the compliance effort. My group and I created virtual privacy teams and built them around our major business units. I asked all of the leaders underneath those headings to provide me with people to help implement GLBA."
Stephen Morenzoni, senior network engineer, Lake Forest Hospital
Lessons Learned: "As information went from being paper-based to electronic, it took time to realize that IT would have to store, for instance, the pension report because human resources needed to keep it forever. Comprehensive information management was something we had to embrace."
Best Decisions: "Y2K taught us very well and early on that HIPAA compliance has to be an organization-wide effort, not just an IT effort."
Michelle Dennedy, CPO, Sun Microsystems
Lessons Learned: "Know exactly what data is affected. SB 1386 was interesting because affected data was well defined. Having a database with unstructured data where you have not delineated sensitive categories or mapped data to business units was a wake-up call for SB 1386 compliance."
Best Decisions: "The best decision we made was to communicate with the people who may be impacted [by SB 1386] and offer training for every director who conveyed information about SB 1386 to a team at Sun."
Tim Dotson, executive director of information technology solutions, SureWest
Lessons Learned: "Develop and maintain direct open communication with your auditor. I can't say we started that way. We made assumptions, and they did, too. It didn't work. So now each time we take a major step, we talk. It's not uncommon for us to talk weekly, or at least monthly."
Best Decisions: "Define the right number of key controls. These are the rules you place on yourself to ensure your financial statements are going to be stated accurately. When SOX first came along, we had 132 key controls. We've been able to refine down to those that are absolutely critical: 32.