Slashdot Mirror


Do We Need a Sarbanes-Oxley for The Internet?

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"


  1. Short answer by truthsearch · · Score: 5, Insightful

    NO!

    I spent 10 years in IT of the financial industry. The day SOX got passed everything went downhill. The problem is that it's more about accountability than actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signature" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrinsic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.

    So while we want some accountability, an IT version of SOX is not the way to go. There are other good reasons, but this is one I'm personally experienced with. It's among the reasons I left the financial industry 2 months ago.

    1. Re:Short answer by truthsearch · · Score: 4, Insightful

      The idea was to hold the right employees accountable when regulations or laws are broken within a company. It's a response to Enron and WorldCom.

      The problem with doing this with the internet is its built-in distribution of responsibilities across many companies. If I get a virus do we audit my ISP, the company that built the routers, the telecom company that owns the wiring, the source's ISP, the developer of the virus (who's rarely found), the developer of the OS, server admins?

      Within one company it's relatively easy to trace responsibility. Over the internet there would be many debates, very costly audits, and rarely prosecutions.

    2. Re:Short answer by Anonymous Coward · · Score: 1, Insightful

      "The problem is that it's more about accountability than actually doing things right."

      The most eloquently stated description of SOX that I've come across yet! I would posit that this is a result of another observation you made:

      "People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down."

      No one can afford to be singly accountable for the work we do in corporate IT. If I unintentionally introduce a defect to a piece of software I maintain, am I responsible for it? Absolutely. Can I possibly be accountable for it? No way! I can't personally reimburse the company or its customers or its overseers for the consequences of an honest mistake. Shall I spend time in prison instead? No thanks, I think I'll find another line of work. As a result, the corporation has developed an accountability system so serpentine as to make it impossible to actually determine who's accountable. The corporate attention is so narrowly focused on maintaining the accountability machine that all other aspects of our work have gone downhill, including the quality of software.

      "It's among the reasons I left the financial industry 2 months ago."

      Ironically, the financial institution I was with a year ago handled SOX compliance much, much more sanely than the retail organization I work for now. Then again, that financial institution had a cultural ethos of "do the right thing" which made compliance a bit easier.

    3. Re:Short answer by SuperBanana · · Score: 2, Insightful

      "The problem is that it's more about accountability than actually doing things right."

      I worked for a company that had to follow Sarbanes-Oxley.

      We were required to force password changes every month or two.

      Except Mac users (at least half the company) didn't get a warning their password was about to be disabled, nor could they actually change their password, because Outlook and Microsoft's AppleTalk server don't allow you to change an Active Directory password.

      So every month or two, for two days, the phone would ring off the fucking hook with people whose email accounts didn't work. And, out of curiosity, since the phone system didn't have caller ID for external lines, guess what? Anyone could call up and request a password change, since there was no policy requiring us to a) look up the employee's # and call them back, or b) deny the request if we couldn't verify it. They could, of course, just claim to be traveling on business, in a hotel or with a client. If we DID do too much due diligence, someone would scream about how much time we were taking to get their password to them.

      Way to go.

      Oh, and then there were the audits of the trouble-ticket database, where some pencil-pusher who knows nothing about the department goes through and critiques those.

      And then a few weeks later, you get to do it all over again, and then ONCE MORE, because you had two firms that did audits, and then a THIRD that came along and compared the first two. What a clusterfuck.

  2. Typical Crap by bsdbigot · · Score: 4, Insightful

    Yes, obviously the answer to EVERY problem about the Internet is more laws on the books. The scary thing is, with things like SOX, we spend more money and time on bureaucracy than fostering an environment which would preclude the need for SOX in the first place. Instead of criminalizing bad conduct, why doesn't the government try to encourage good conduct by, say, granting tax relief for companies that are fully SOX compliant instead of prosecuting executives that fail to make this happen. That would encourage good behavior far better than turning people off to being in business in the first place.

    Think about it - let's say you're Bill Gates or Scott McNealy; would you really want to be in a position where failure to do your job correctly would result in jail time? SOX is stupid for exactly this reason.

    Now, translate that to the internet. You are a webmaster, and because you didn't install NT4SP26 on your IIS farm, you could face 20 years in jail. Utter bullshit. Let's kill this idea before it gets any momentum!

    --
    main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put

    1. Re:Typical Crap by jbolden · · Score: 2, Insightful

      All SOX requires is that when you make statements in sworn legal documents, intended for broad public consumption, you can make a reasonable argument as to why you believe those statements are true. That's not exactly asking for the sun and the moon.

      25 years ago we had far less IT but SOX wasn't needed because we didn't have a culture of corruption in the United States.

  3. Too much corruption to be able to make a good law. by Futurepower(R) · · Score: 2, Insightful
    This kind of law requires a huge amount of wisdom to write and implement. The U.S. government just does not have that ability at present. Instead, the government is being sold to whomever will pay the most: Unprecedented Corruption: A guide to conflict of interest in the U.S. government.

  4. NO by Anonymous Coward · · Score: 1, Insightful

    No, we don't need ANY further regulation for the net! Net issues need to be handled by the net community and by technology. All others should keep their big fucking noses out of net business!

  5. That doesn't mean anything. by Elwood+P+Dowd · · Score: 2, Insightful

    Are you talking about regulating ISPs differently? Corporate IT departments? Home computer software? All of the above? What are you talking about regulating? What is the problem that you would like to solve?

    "Sarbanes-Oxley Act for the Internet" is meaningless. How would that be significantly different from a Sarbanes-Oxley Act for your dumb face?

    --

    There are no trails. There are no trees out here.

  6. Security is a process not a project by NoSuchGuy · · Score: 4, Insightful

    As a CEO you can't start a project called "Let's get secure!" and expect to be immune to all threats.

    Security isn't a one time spending.

    You can't spend 2 times the amount of X Dollars and expect to be 2 times more secure than spending only X Dollars!

    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    You have to rethink everything every time.
    Security needs a steady budget.

    --
    Grundgesetz * 23 May 1949 - 30 November 2007 - http://www.vorratsdatenspeicherung.de/

  7. as a person working for a company doing SOX by krist0 · · Score: 2, Insightful

    Jesus Christ for the love of god (whichever one)...NO!...run away from SOX, it's just blame deferral, endless policy creation (and not even the few needed good ones), it's endless "clarifying meetings", it's getting ITIL'd, it's an endless stream of crap, like getting buried under a mountain of wet blankets.

    You and your colleagues get suffocated in crap, stuff that you were hired to do because, well, you know what you are doing...oh no, you must get approval to shit....

    RUN AWAY!!!!

    --
    all you are, is all you are, i'm so sorry for you.

  8. Death knell for amateur computer science... by Leadhyena · · Score: 4, Insightful

    It's inevitable... the government will demand for accountability of all actions on the internet. Run with me on this argument before you call me chicken little, and you will see the slippery slope that we're treading upon. Already the internet has entered case law and precedent has been set in many situations. Congress has also made some laws over actions on the net, and they plan to do more. It's only a matter of time until the whole thing gets regulated.

    And what does this imply? Well, for starters it'll require something like a SOX regulation; while it won't demand packet sniffing per se, it will demand that source and destination IP addresses, MAC addresses, and ports be logged, so that people who release viruses/trojans/spyware/spam et al. can be held accountable. Then anyone running a "web service" may be required to take logs of activities (to be used in investigations of fraud or terrorist activities), so that authorities may request these materials upon subpoena.

    And even then it won't be enough to stop identity theft, copyright infringement, and other criminal activities on the net. That's when Congress will come to the "realization" that programming is what makes everything on the net possible, and finally demand that programmers be held accountable for their code. That will be the death-knell of amateur computer science, for you won't be permitted to write a program and run it on an internet-enabled computer without having to take responsibility for that program's actions, limiting one's recreational programming to toy computers and sandboxes. It will progress to the point where it will be "impossible" for a programmer to take responsibility for writing something on the internet, because he/she cannot afford the insurance that he/she will have to take out to cover the insurance necessary to protect themselves from programming lawsuits when a program they authored is used to perform evil actions.

    Obviously some people will have to be allowed to program on the net everyday, to patch programs that users find bugs in or black-hats find exploits in. The only way for these programmers to obtain programming insurance is to partake in several programming certification classes in order to obtain a license to program. Maybe I'm being paranoid, but this seems to be the logical extension of the government's desire to determine accountability for all activities towards the internet.

  9. Who are you regulating? by rnxrx · · Score: 3, Insightful

    SOX deals with accountability within US corporations. It doesn't speak to the operations of companies outside the US. Attempts by particular countries to legislate the Internet have historically been ineffectual at best. This would be no exception.