Slashdot Mirror


Sarbanes-Oxley - How is it Affecting You?

Grant Barrett asks: "All I hear from IT directors is Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley. SOX, as they're calling it, is taxing manpower, swallowing time, and adding huge administrative headaches--not to mention incurring fees and salaries paid out to staff or third-party firms hired to ensure compliance--and that's just the IT department. How are you dealing? Did you make your compliance deadline even after the extension? Are you joining the backlash?"

8 of 125 comments

  1. Re:World's smallest violin by jbolden · · Score: 3, Interesting

    You can see from the above that I'm hugely in favor of this law. The World Trade Center bombing:

    1) Killed thousands of highly productive people
    2) Shut down a section of a major US city for days
    3) Destroyed extremely expensive buildings which then required a very expensive clean up effort
    4) Shut down all foreign trade for days
    5) Shut down a good chunk of the US transportation system for days
    6) Resulted in large permanent increases in US airline ticket prices
    7) Resulted in 2 wars
    8) Resulted in an increase of oil prices from $20 barrel to about $40-50
    9) May have increased cancer rates and other long term health costs for something on the order of 2 million people.

    Depending on how you add this up you are talking $200b-600b in costs. I'd say Bin Ladin has Ebbers and Lay beat by about two orders of magnitude. I'd love to see Ebbers and Lay do 20 years and lose everything they own in fines. Bin Ladin is way beyond merely a criminal.

  2. SOX Sucks by Anonymous Coward · · Score: 5, Interesting

    I'm posting this anonymously as I wouldn't want it traced back to me, but I can tell you not only is it costly and burdensome, but it doesn't work. We are now in "compliance", but the changes we had to make to our systems not only didn't have any effect on my ability to alter financial data, but they made them less secure in the process, because external auditors know nothing about our systems; they only have a checklist of features that have to be enabled. It's nothing more than a costly joke that wastes my time and keeps me from doing work that would actually improve our systems. I've started avoiding small, quick projects that would benefit the users, because I would spend 5 minutes making the changes and then 2 hours spread over several days documenting them and getting the required approvals to implement them.

  3. Re:Network security measures by tchuladdiass · · Score: 2, Interesting

    Well, the act specifies that records have to be accurate. And if corporate officers are relying on the data on the systems to be accurate, then the systems need to be secure. So anything that is part of "security best practices" is being implemented just to make sure. And yes, 90-day password expiration is generally accepted as a best practice at a minimum.
    Also keep in mind that even if policies can be compromised, the fact that a policy is there can protect a company in the event of a lawsuit, whereas if there was no policy then the company could be more liable for not taking reasonable measures to protect their security.
    It's just like the fact that you perform system backups even though it is possible for the backup tape to break at the same time as a disk crash.

  4. How I'm affected by Anonymous Coward · · Score: 1, Interesting

    I work as a geek/developer at a well known fortune 500 oil company. I can say that although I personally thought SOX was a positive step in the right direction, the knee-jerk reaction of individual companies is stifling any benefit that may have been brought about as a result of SOX.

    Now, having seen the changes around the company and the asinine requirements that NON-financial related projects have to meet, I'd say it's worthless and will only cause the US economy to further stagnate.

    Just a quick example:
    I develop/maintain a menu of sorts used by about 800-1000 people on a daily basis to complete their daily sales paperwork. It's just an interface to the underlying software, and does not interact with financial data in any way. Since we've started SOX compliance, I've been required to document every line of code that changes and maintain a hard copy of said change for 3 years. It doesn't even do anything with financial data; it's just a user tool so they don't have to remember the commands of an archaic accounting package. Yet, because of what the company views as SOX compliance, about 50% of the time I used to put towards developing this tool and providing support/documentation to the end user now gets spent doing diffs and printing reports.

    So I ask you, /., how is this going to prevent the CEO of a company from having the books cooked? How is what I'm doing a benefit to the company? (We already use CVS, so you can't say the hard copy has any purpose other than to satisfy some bean counters wicket)

    1. Re:How I'm affected by bvk · · Score: 2, Interesting

      I agree that standards for security and other aspects of IT are a good thing. However, in my case, we're a group of about 10 people in a company of 400. We maintain networks/servers/vendor apps/custom apps, as well as developing new apps. We were told by our auditors to ensure that our existing standards met extremely vague "Controls", many of which have nothing IT-specific in them. This meant we had to guess at how strict the new standards would need to be to pass an audit, create the standards, and then hope that they will be good enough.

      Many controls that I thought were already "reasonable" were deemed insufficient. For example, we don't let all developers log in to production systems to release updates. Only certain qualified developers can do that for each project. This seems "reasonable" to me.

      We were told that this violated the controls, and *no* developers were allowed to log on to production systems. This is insane, since there is no way anyone other than a developer for the systems is qualified to do a release. It would be a much bigger risk to have a non-developer do it, but that's what was suggested.

      If we had a bigger group, maybe we could afford to have a qualified person around just to do releases. But we certainly can't afford that here. And, as I mentioned, our existing process seems "reasonable".

      This is just one example, I have a bunch more.

      Another major area of overhead is the cost of the paperwork and useless approvals for every change to a system, even when there is no way the person approving the change can possibly understand the ramifications of the change. Peer-reviewing a change is much safer and more effective, but not sufficient (I'm told) because it doesn't separate responsibilities appropriately. So it needs to be signed-off by a Business Owner who in many cases neither understands nor cares about the technical details.

      In general, your assumptions a through e are fine. But they (like SOx) leave a lot of room for interpretation, and the people doing the interpretation are the auditors, who may know very little about most aspects of IT.
      There are specific problems with how SOx seems to be applied, especially to small companies which can't afford the overhead. There are companies which managed OK (pre-SOx) with only a single-digit IT staff, and run secure, reliable operations because they have limited needs. But imposing a layer of paperwork on them will rapidly kill their ability to do so, because their technical time is soaked up by paperwork. And I have no idea how a company with an IT staff smaller than ours could possibly segregate responsibilities in a SOx-compliant way.

      I think the big problem is that in practice, "reasonable" varies a great deal from auditor to auditor, and the same overhead is being demanded of all organizations, without regard to size.

  5. Re:World's smallest violin by jbolden · · Score: 2, Interesting

    Oil prices topped out in mid '00 at about $35 a barrel. They were down 40% right before 9/11. They have gone up since then to set record highs. 9/11 is literally a vertex in the price graph. I can't think of anything else that would cause the derivative of the price function to go from $-12/year to $+5/year.

  6. Re:I too hear the buzz, but no real effects. by avi33 · · Score: 2, Interesting

    The most obnoxious changes have come from the IT side of things. Changing passwords every month, and having crazy requirements on them (must have two case changes, mix of numbers and letters, can not just merely end in numbers, and we can not repeat any passwords from the past year).

    Funny, when some box gets rooted for having a dictionary password, there's plenty of blame to go around (for users and IT), but when rules are implemented to prevent such things, it's "obnoxious changes" from IT.

    When I was an admin, I would run a script once a month trying to hack everyone's passwords...a list of users that got cracked would be sent companywide as the proverbial "walk of shame." If people showed up on that list a couple times, then the President of the company would stop them in the hall and chat about security...much more effective than a harshly worded email from the kid in the server room.
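
The password rules quoted above (two case changes, letters mixed with digits, no trailing digit, no reuse within a year) can be enforced at change time rather than discovered afterwards by cracking. The following is an added example, not code from the thread or from any poster; it assumes a history of previous passwords is kept as salted PBKDF2 hashes with the date each was set, and that rule names and iteration count are the example's own choices.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=365)  # "no repeats from the past year"
PBKDF2_ROUNDS = 100_000               # assumed work factor for stored history


def case_changes(pw: str) -> int:
    """Count upper/lower transitions between consecutive letters."""
    letters = [c for c in pw if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def check_complexity(pw: str) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if case_changes(pw) < 2:
        problems.append("fewer than two upper/lower case changes")
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)):
        problems.append("must mix letters and digits")
    if pw[-1:].isdigit():
        problems.append("must not end in a digit")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def reused_within_window(pw: str, history: list, now: datetime) -> bool:
    """history holds (salt, digest, set_at) tuples; only entries inside the window count."""
    for salt, digest, set_at in history:
        if now - set_at <= HISTORY_WINDOW:
            _, candidate = hash_password(pw, salt)
            if hmac.compare_digest(candidate, digest):  # constant-time compare
                return True
    return False


def check_new_password(pw: str, history: list, now: datetime) -> list:
    """Full policy check: complexity rules plus the one-year reuse window."""
    problems = check_complexity(pw)
    if reused_within_window(pw, history, now):
        problems.append("reused within the past year")
    return problems
```

Rejecting a weak or reused password at change time gives the same assurance as a monthly cracking run without ever producing a list of cracked accounts to leak.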

  7. Re:Feh by a55mnky · · Score: 2, Interesting

    I too am an InfoSec guy and I have seen exactly the opposite.

    I work with fortune 500 clients and they are scared s-less - the threat of jail time makes the security concerns appear more real.

    All of the services and products we have been pushing - identity management, e-mail archiving, log analysis, data correlation are all growing by leaps and bounds.

    My sponsors are loving it as well. The projects they have been trying to jump-start for months if not years now are getting the go ahead due to SOX audit reports.

    It is amazing that all of the concerns I have had for years are now important.

    --
    Where oh where has my Underdog gone?