Question:
1. With the alphabet soup of compliance acronyms, I’m concerned that we’re overdoing our compliance efforts. Aren’t HIPAA, GLBA, and SOX all covering the same regulated areas? Then there’s AS5. Some people say that AS5 covers all IT systems and applications, but others say that AS5 compliance is limited to financial reporting. Just what are our compliance requirements? Where is there any overlap? What’s your plan for a more efficient, structured approach?
2. As you’ve heard, we’ve completed negotiations to purchase the fifth-largest competitor in our key market. Something you should know is that their security awareness seems to be somewhat lax (after all, during negotiations, they let me roam around unescorted, and somehow I ended up in their network control room). We want to make the transition for their employees as smooth as possible, but our tight security will likely clash with their environment. Would you please give me a detailed outline of the plan you’ll use to get them up to our standards? Be sure to give me a rough timeline and the estimated cost, too. Oh, and I’ll need this by next Tuesday before the Board meeting! Thanks!
3. This is a heads-up that the recent audit brought up the fact that several aspects of IT are either lacking policies or are quite out of date. In particular, I was surprised that they focused on incident response and disaster recovery. Unfortunately, the Board Chairman promised the auditors that we’d have this finding corrected within 45 days (I know, I know, you already have your hands full with my request on compliance impact). I’ll try to get you the high-level support, if it’s needed. Please give me a concise summary showing milestones, deliverables, due dates, and working group members by the end of tomorrow.
4. As a cost-cutting and quality measure, we’re looking at outsourcing the monitoring and incident response for the company. What are some of the key concerns we should have regarding the outsourcing scope, quality control, and contract? More importantly, before this goes to the CEO and the Board, can you check out the references (both formal and informal) on SawingLogs.com? One of the Board members brought that name to me last week. I’d appreciate your input by Thursday morning.