Slashdot Mirror


Do We Need a Sarbanes-Oxley for The Internet?

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"

1 of 54 comments

  1. Short answer by truthsearch · Score: 5, Insightful

    NO!

    I spent 10 years in IT of the financial industry. The day SOX got passed everything went downhill. The problem is that it's more about accountability than actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signature" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrinsic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.

    So while we want some accountability, an IT version of SOX is not the way to go. There are other good reasons, but this is one I'm personally experienced with. It's among the reasons I left the financial industry 2 months ago.