

SarBox Lawsuit Could Rewrite IT Compliance Rules

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

124 comments

  1. not found by Anonymous Coward · · Score: 5, Funny

    I tried to look up this 404 thing, but I couldn't find it anywhere.

    1. Re:not found by sbeckstead · · Score: 2, Funny

      I tried to look up this 404 thing, but I couldn't find it anywhere.

      That's funny I found it all over the web. But I couldn't find anything else...

    2. Re:not found by Rudeboy777 · · Score: 4, Funny

      SOX 404 - Usefulness not found

      --

      From hell's heart I fstab at /dev/hdc

    3. Re:not found by IrquiM · · Score: 2, Interesting

      I found it 5 years ago - and it pays pretty good too!

      --
      This is blinging
    4. Re:not found by sexconker · · Score: 3, Insightful

      I came to see the 404 jokes.
      I was not disappointed.

  2. Budgest re-adjustment... by bluesatin · · Score: 1

    Well at least now they'll spend all that money on making sure things are actually secure!

    1. Re:Budgest re-adjustment... by halcyon1234 · · Score: 2, Insightful

      And to do that, they'll need a definition of "secure". One that everyone can agree on. A standard definition, one might say. And to ensure everyone who says they're secure actually is, it might be a good idea to draft a formal document that explicitly lays out those standards, as well as methods for one company to ensure another company meets those standards. Heck, if it's that important, it might be worth thinking about turning that document into a law...

    2. Re:Budgest re-adjustment... by Red Alastor · · Score: 1

      What about realizing that it's impossible to define security for the vast diversity of setups we all use and forgetting about compliance, but instead drafting a list of bad stuff that shouldn't happen (leaking customer info, for instance) and making a law that says that companies have to do whatever they have to to avoid the things on that list. Incidents would be interpreted as negligence and heavily fined.

      --
      Slashdot anagrams to "Sad Sloth"
    3. Re:Budgest re-adjustment... by ThatMegathronDude · · Score: 1

      You may as well make it a requirement to spend X funds on security, because requirements like that guarantee that it will be cheaper to pay the fines than to "do whatever they have to".

    4. Re:Budgest re-adjustment... by Red Flayer · · Score: 1, Offtopic
      OT, but re your sig:

      Slashdot anagrams to "Sad Sloth"

      You do know that Red Alastor anagrams to "Retard Also", right?

      It also anagrams to "Trades Oral".

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Budgest re-adjustment... by guruevi · · Score: 1

      Or they'll be able to invest that money somewhere else and become a better business. The things SOX 'protects' against are 1) outdated and 2) remotely plausible which doesn't actually protect anything. So business will still not protect anything however they won't have to invest in lawyers and consultants to implement rules that only bother the sysadmins and general productivity.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:Budgest re-adjustment... by Bigjeff5 · · Score: 2, Interesting

      Not if the fines scale in relation to the amount of information that was lost, and compensatory damages are included requiring payment of the estimated damages for each individual person's data loss (not an average spread to everyone). Of course, the individual data evaluations must be done by a firm chosen by the courts, and paid in full by the company that lost the data.

      It's pretty easy to structure the law such that almost any company will be bankrupted by failing to secure data. That would also be silly, because no company can guarantee that no data will ever be stolen, so if you place the requirements too heavily on the fact that the data went missing, and disregard the amount of effort the company put into keeping the data safe, you could be destroying companies that do not deserve to be destroyed.

      Generally, the best way to handle these things is to keep the language of the law vague enough that it can be decided on a case by case basis - i.e. the company did their best to protect their data, and so should receive little or no punishment.

      SarBox is the worst possible solution - it mandates security measures that are ineffective (because in the real world, the mandated measures were obsolete after a few months' time) that are expensive to implement and yield little or no added security.

      One visible example is banking - you now have an image tied to your account login to prevent phishing. However, most people don't pay too much attention to it, and wouldn't care if it were different. Or, they'll use it that one time, it doesn't work like it is supposed to (because it's actually at a phishing site), they try again later and now it works (because it is now actually at the bank website). Since it works, it must have just been some minor hiccup, and all is right with the world. Right? No, they just got their account access stolen, and if a person is smart they'll slowly siphon the money off instead of withdrawing large chunks of cash.

      It's also easy to harass someone now, because of the strict regulations: if you manage to find someone's account (or at a big bank, just randomly choose numbers) but can't access it, just plug a bunch of gibberish in a few times and they don't have access to their own money. That can be devastating, and it's untraceable if the harasser is using a public terminal.

      SarBox ought to have been more vague, and focused on the good faith effort to secure a client's data. People get into trouble when they aren't handling data using the industry's best practices that way, for if the institution never bothered to check what the latest best practices were, they obviously weren't too interested in data security.

      Setting it up that way, instead of with complex rules and regulations, gives it the flexibility to adapt and apply to each situation, and there is no risk of it ever going obsolete, unlike the current SarBox law.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    7. Re:Budgest re-adjustment... by omnichad · · Score: 1

      That sounds so logical and reasonable. Too bad that fact prevents it from being included in a law.

    8. Re:Budgest re-adjustment... by Fulcrum of Evil · · Score: 2, Interesting

      One visible example is banking

      My banking site decided that 2 factor auth meant that I had to type my info into a flash widget that analyses the typing style - I sort of doubt this is even half a factor. The CC sites I use demand I have 2 passwords - 1.1 factor auth. Basically, I'm saying that it's crap.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    9. Re:Budgest re-adjustment... by morgan_greywolf · · Score: 1

      Yeah? Well your name anagrams to Fed Relay! Oh, wait...*runs*

    10. Re:Budgest re-adjustment... by DarkOx · · Score: 1

      Probably because nobody really wants that. The point of most policies is ultimately to ensure that there is no responsibility for acts of GOD. Bad stuff is always going to happen. You can have good policies in place and generally do a good job of administration and still get hacked; it's possible. Someone you thought you could trust could walk away with sensitive data.

      I think most people agree that if you can show that you did your due diligence and complied with a good solid set of requirements and something still happens, that it's not your fault; it's just something that happened. That lets you keep your job; otherwise someone has to take the fall for political reasons if nothing else, and that person is probably some sysadmin who may or may not have been doing a good job. You can't prevent every emergency, but you can take and show that you took reasonable precautions; it's actually a good thing when what those precautions entail is formalized.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:Budgest re-adjustment... by c6gunner · · Score: 3, Funny

      And you get "Flame Wrong Orgy", which, strangely, doesn't seem all that unusual on Slashdot.

    12. Re:Budgest re-adjustment... by Bigjeff5 · · Score: 2, Interesting

      Exactly.

      Really, two factor authentication only offers meager protection from a subset of attacks, yet I can tell you that implementing it at each company was probably a $50k project, or, for the less efficient companies, a $200k project.

      ROI for Sar-Box is shit. We've got a hell of a lot more expenses for a teeny bit more security.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    13. Re:Budgest re-adjustment... by turbidostato · · Score: 1

      "Well at least now they'll spend all that money on making sure things are actually secure!"

      Why, oh why!!!???

      No sir: they'll spend all that money on making sure they earn even *more* money. What else?

  3. SarBox is always the excuse by blitzkrieg3 · · Score: 2, Insightful

    How about rewriting the law so that every request to my IT department doesn't result in "This functionality would break SarBox compliance", regardless of how related to SarBox the request actually is?

    1. Re:SarBox is always the excuse by Anonymous Coward · · Score: 0

      What type of requests are you talking about? Without such details, you sound like a typical grousing user who doesn't understand the hell that our knee-jerk Congress has forced us into.

    2. Re:SarBox is always the excuse by mujadaddy · · Score: 1

      How about rewriting the law so that every request to my IT department does result in "This functionality would break SarBox compliance", regardless of how related to SarBox the request actually is?

      T,FTFY

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    3. Re:SarBox is always the excuse by IrquiM · · Score: 3, Informative

      How about rewriting the structure of the management as they clearly do not understand what 404 is all about?

      404 doesn't tell you to do anything. It only asks you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually are following your controls. The auditors' only task (related to 404) is to check that you do what you are saying and make a judgment on their observations.

      --
      This is blinging
    4. Re:SarBox is always the excuse by Bigjeff5 · · Score: 2, Informative

      The sad fact is, it probably WOULD break SarBox compliance, it's frickin retarded.

      Just about everything a company does relates to SarBox either directly or indirectly, so often an IT department will become terrified to make the smallest change to avoid inadvertently breaking compliance, or making a change while staying compliant will require more money than the change is worth.

      I.e. if you request a change to save $2000 a month in productivity losses, but maintaining the change will cost $4000 a month, it does not make sense to make the change. Period. SarBox has significantly raised the cost of even minor IT changes that have anything to do with private data (even indirectly).

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    5. Re:SarBox is always the excuse by Bigjeff5 · · Score: 3, Informative

      404 doesn't tell you to do anything. It only asks you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually are following your controls.

      That's the rub, and that's why this guy is suing. He owned a small accounting firm because, no matter what he did, the SarBox auditor's board determined what he was doing wasn't good enough, and the only changes they would accept would prevent him from turning a profit.

      The SarBox board killed a legitimate business that was operating in good-faith compliance.

      That's far, far too much power for a bunch of nameless bureaucrats.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    6. Re:SarBox is always the excuse by Bigjeff5 · · Score: 1

      He owned a small accounting firm that went out of business, damnit.

      Preview is my friend.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    7. Re:SarBox is always the excuse by b4dc0d3r · · Score: 1

      http://it.slashdot.org/comments.pl?sid=1462988&cid=30289812

      Yeah, but you need to look at the bright side of SOX for us (educated security geeks). When someone wants to do something really dumb like put a web app into production with no logging and no security, you can just tell them to fuck off, because of SOX. Also, if you're a security consultant with half a brain and know how to setup auditing on *nix related systems you can make a lot of money consulting.

      SOX is worth it just for being able to tell a stupid developer that he can't do something that puts the security of my systems in jeopardy.

      The circle is complete.

  4. Strange by PiAndWhippedCream · · Score: 0, Redundant

    I was never able to find that section, kept returning a "not found" error or something.

  5. Rule #1 of government.... by croftj · · Score: 2, Informative

    The primary purpose of every law passed is the creation of 1 or more jobs, whether they are productive jobs or not.

    --
    Many men would appreciate a woman's mind more if they could fondle it
    1. Re:Rule #1 of government.... by BitHive · · Score: 1

      Wow, thanks for that keen insight into government! Maybe next you can give us a one-line treatise on the irrelevance of unions.

    2. Re:Rule #1 of government.... by gandhi_2 · · Score: 3, Informative

      I'll field that one:

      Unions are irrelevant.

    3. Re:Rule #1 of government.... by Gudeldar · · Score: 2, Funny

      A comment critical of government that isn't +5?

      This is Slashdot I'm reading right?

    4. Re:Rule #1 of government.... by Anonymous Coward · · Score: 1, Funny

      As part of a prank, we have replaced Slashdot with the Daily Kos. Let's see what happens!

    5. Re:Rule #1 of government.... by daveatneowindotnet · · Score: 1

      It'd be nice if they were irrelevant; unfortunately all they are managing to do is drive up the cost of everything the government pays for and shield incompetent and even dangerous employees working for the government while providing no protection for the American worker from big business. Or at least that is how they work in America, that and they bury Jimmy Hoffa in Giants Stadium.

    6. Re:Rule #1 of government.... by megamerican · · Score: 1

      Wrong.

      The primary function of government is to pretend to fail.

      That way they get more money and power to correct the failure. If the purpose was to "fail" then it is no longer a failure and should be considered an accomplishment.

      Anytime you hear "failure of..." anything involved with government replace it with accomplishment.

      --
      If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place -Eric Schmidt
    7. Re:Rule #1 of government.... by Anonymous Coward · · Score: 2, Insightful

      I don't know. Unions have brought us a couple nice things here in the US until recently:

      8 hour workdays.
      5 hour work weeks.
      Our 8 year old kids out of the coal mines.
      Worker's comp for injuries.
      Unemployment.
      Labor laws.
      Banning of blacklists.
      Minimum wage.
      Vacation leave.
      Sick leave.
      Liability.
      Basic safety.

      With all the bellyaching about unions, I think people would love it if they would have to work 12-16 hour days, 7 days a week with their kids doing 12 hour days right by them. Of course, if anyone complained about it, they would be flagged in a database, and guaranteed to never have a job again, just like a felon. Get sick? Work, or have unlimited time off when fired for missing a single day. Also, I guess people don't mind working all this for $100 a month, which is what would be paid without the min wage laws.

      No, unions may not be perfect, but the workaday life would be a lot different and a lot worse. But they are the same people who brought you the weekend.

    8. Re:Rule #1 of government.... by dgatwood · · Score: 1

      8 hour workdays.
      5 hour work weeks.

      Really? So you work a single 8-hour shift every second week that spans from Saturday night to Sunday morning? How odd.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:Rule #1 of government.... by cayenne8 · · Score: 2, Insightful
      True, the unions served their function in the early days of their existence, but they are an anachronism today, and serve more to hurt workers and business than they do good in this day.

      They are a hindrance in the 21st century USA.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    10. Re:Rule #1 of government.... by Maxo-Texas · · Score: 1

      Hmmm.
      That's a toughy. So many to choose a couple from...

      I guess Vacation Leave and 5 hour work weeks?

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    11. Re:Rule #1 of government.... by Anonymous Coward · · Score: 0

      The problem is that after Unions got us all of those great things they continue to try and justify their existence with stupid things like, "You can't use a broom to sweep your working area, because that's a 'union job' and if you try to clean up after yourself you're taking work away from 'union worker'."

      This happens in many areas. Once an organization had basically achieved its main (and useful) goals, it usually doesn't disband, but it needs to do *something* to justify its existence...

    12. Re:Rule #1 of government.... by hmar · · Score: 1

      No one really claims that unions were never relevant, the issue is that they have outlived their purpose, and are now nothing more than one more drain on budgets that can't afford them.

    13. Re:Rule #1 of government.... by dcollins · · Score: 1

      "I'll field that one: Unions are irrelevant."

      Now, I was going to respond thusly -- If that's true, then:

      (a) Why do about half of Americans approve of labor unions?
      http://www.gallup.com/poll/122744/Labor-Unions-Sharp-Slide-Public-Support.aspx#1

      (b) Why is there a multi-billion dollar union-busting legal industry?
      http://www.inthesetimes.com/article/3326/unionbusting_confidential/

      But then I realized that the line "the union is irrelevant" is actually a quote from one of the union-busting lawyers in the article linked above. So I suspect that the parent post is actually just propaganda/astroturfing.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  6. SarBox? by omnichad · · Score: 4, Informative

    I've seen SOX, but never SarBox. If you're going to CamelCase, do it right: SarbOx.

    1. Re:SarBox? by HaeMaker · · Score: 1

      Agree. Don't make up your own abbreviation when there is already a standard one.

    2. Re:SarBox? by Anonymous Coward · · Score: 0

      "SarBox" is frequently used in marketing publications.

      At a previous job I had a marketing idiot come up to me and ask about our compliance. He kept using that term, and I had no idea what he meant at first.

      But like you mentioned, most auditors, techs and engineers prefer "SOX".

    3. Re:SarBox? by stefanlasiewski · · Score: 1

      No no no, you have it all wrong. You didn't need to go through all that effort, and all that detail.

      All I meant was that I wanted to monitor a Unix box using Sar.

      That should have been easy, and I guess it's my fault for not being clear. But look at all this paperwork you generated... wow you guys sure did work hard didn't you. Sorry for the misunderstanding...

      --
      "Can of worms? The can is open... the worms are everywhere."
    4. Re:SarBox? by Bigjeff5 · · Score: 1

      But I like SarBox...

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    5. Re:SarBox? by Bigjeff5 · · Score: 1

      Who the hell cares about Oxley? Of course it should be SarBanes-oxley.

      Pfffft.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    6. Re:SarBox? by Curmudgeonlyoldbloke · · Score: 1

      That may be so, but the only hit on Google's front page with that spelling is this story.

    7. Re:SarBox? by Anonymous Coward · · Score: 0

      Posted by kdawson, obviously.

  7. SOX is choking our companies, kill it. by SuperKendall · · Score: 4, Insightful

    I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

    SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place. Instead we are harming all large businesses just to prevent a one-off case that we are not really preventing anyway!

    Kill SOX and let companies get back to what they do best, instead of spending a lot of time simply deciding what compliance means and using the rules to build (even more) fiefdoms within giant companies.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:SOX is choking our companies, kill it. by Knara · · Score: 2, Insightful

      There's a large deal of truth to this. If you want to do (or not) do something in a large company these days, the way to justify it is to write up a proposal that uses SOX or HIPAA (preferably both) a few dozen times. Your chance of getting money for it increases exponentially.

    2. Re:SOX is choking our companies, kill it. by Anonymous Coward · · Score: 0

      I've worked in companies where SOX was used to make processes more stringent and intelligent. And I work in a company where SOX has allowed the accounting/finance department to dictate all manner of corporate and IT policy. In order to survive SOX, companies need keen leadership -- one that will prevent the sort of "SOX run amok" mentality and provide solid guidance to the company as a whole.

    3. Re:SOX is choking our companies, kill it. by Archangel Michael · · Score: 3, Interesting

      You can usually make the case for MOST government regulations of businesses. Laws aren't for the lawful, but for the unlawful. Wherever the line is drawn, there will always be people who skirt around at that edge.

      If laws and regulations move too far away from the edge, the laws themselves become the end of, not the means of, compliance. Everyone becomes a lawbreaker, and there is no room for discretion.

      You can see this in all the zero tolerance laws in place. Zero tolerance laws do not stop anything, and just make more people criminals, like a little boy coming to kindergarten with a camping fork, knife, spoon gadget getting expelled because he brought a knife to school. Zero Tolerance! No excuses! He Broke the LAW!!!!

      I've written on this before. I call it the "There ought to be a law" syndrome. Every time someone says "there ought to be a law", someone needs to ask a simple question: "WHY?". WHY is it that the existing laws aren't applicable? How will this new law break the necessary shades of gray around the edges? Asshats live there, we all agree. Changing this isn't going to change the asshats.

      Sometimes the only thing that will change the asshats is a good old fashion asswhooping.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:SOX is choking our companies, kill it. by BlueBoxSW.com · · Score: 1

      Also look at HealthSouth, which never would have been found out if it weren't for SOX.

      I think we need to keep it around, but a better breed of companies need to come around to take the pain out of it.

    5. Re:SOX is choking our companies, kill it. by Zalbik · · Score: 3, Insightful

      SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place.

      Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

      To use the mandatory car analogy, your argument is something like:
      I put winter tires on my car, but then I was t-boned at an intersection when I ran a red light. See, winter tires don't help prevent accidents!

      The two scenarios were completely different. Most of what SOX requires for IT should fall under good IT practice anyways. It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

      Now I realize people at some corporations have used SOX as a big bat to force in their own pet IT projects. Or as a way of preventing any IT changes that they don't agree with, but that isn't the fault of SOX.

      If people are building personal fiefdoms within corporations, they'll do so with or without some legislation to use as an excuse.

    6. Re:SOX is choking our companies, kill it. by SuperKendall · · Score: 2, Insightful

      Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

      It's a loose analogy to be sure, but think about it - in both cases shareholders (or stakeholders if you like in the case of FM) were lied to about financial stability. Fannie Mae claimed there were "no issues" just months before the collapse, while hiding the true extent they were in peril with the huge number of sub-prime loans they were carrying.

      If you think about it there are way more parallels than it seems at first glance. They were manipulating the output of supposed financial stability, in the end the OUTPUT is what matters here.

      It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

      But in requiring this, it also mandates the companies be audited. Which means the companies performing the audit dictate what practices you follow to pass the audit. Which means that instead of rational processes meant to actually prevent fraudulent changes to financial data, you are making the changes required simply to pass the audit - just like many schools "teach to the test" when the only metric is standardized tests meant to measure school performance.

      Instead we should have devastating fines or other punishment for companies that are found to have problems preventing fraudulent changes to data, so that companies could build in meaningful safeguards around ACTUAL financial data (with the ROI being the prevention of said fines so security groups could get funding), as opposed to safeguarding anything that smells like financial data to auditors (with the auditors of course paid more the more systems they have to audit). Let auditors audit crooks, not the innocent. Then we could also document the real bypasses to processes instead of having them but having to pretend they do not exist because auditors and high-level execs Cannot Know.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    7. Re:SOX is choking our companies, kill it. by illumin8 · · Score: 4, Interesting

      I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

      Yeah, but you need to look at the bright side of SOX for us (educated security geeks). When someone wants to do something really dumb like put a web app into production with no logging and no security, you can just tell them to fuck off, because of SOX. Also, if you're a security consultant with half a brain and know how to setup auditing on *nix related systems you can make a lot of money consulting.

      SOX is worth it just for being able to tell a stupid developer that he can't do something that puts the security of my systems in jeopardy.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon
    8. Re:SOX is choking our companies, kill it. by pauls2272 · · Score: 4, Interesting

      > I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

      Absolutely agree. Although the smart companies are now just giving SOX lip service and ignoring it pretty much entirely. The company I work for now, has all kinds of memos issued saying they support SOX, hotlines, etc but it doesn’t impact real work.

      When SOX hit, the company I worked at, the Accounting dept came out with the required SOX doc and it was non negotiable. They had worked with an auditor that knew nothing of IT and it showed. I had to attend a week long class on how to fill out the dozens of new SOX forms (all manual paper forms) that were to be kept in notebooks!

          I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings. All changes had to have the 10 pounds of forms and 10+ signatures before you could implement. There also had to be “separation of duty” which meant if you were making the change, someone else had to implement it I said “great, your gonna hire another IT group – one to implement and another to install and test”. Of course, they never did this and this “separation of duty” was never followed.

      It was COMPLETE AND TOTAL NONSENSE designed by people who had no clue what they were doing or what the real world was like. Yeah, I need to put a hotfix on a server to fix a problem – I’m gonna wait 2-3 months to get on the CEO change calendar and have a meeting with the CEO But trying to talk to the accounting morons was useless – they insisted every change had to follow their written in stone procedure

      After a few weeks of complaining, the process was “refined” by having Small, Medium and Large changes, and only Large changes had to go thru the above process. The difference being the number of “elements” in the change – but “element” wasn’t defined by the accounting/auditing people. The solution became that all IT changes were SMALL since there was only 1 datacenter so 1 element changing!

      The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just means more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.

    9. Re:SOX is choking our companies, kill it. by hemp · · Score: 2, Insightful

      I think you don't understand segregation of duties. It doesn't mean having a separate IT group, it means splitting duties between more than one person. For example, the person coding the change and the person implementing the change would be two separate people. Testing should also be separated out from the person who implemented the change.

      This does wonders for the midnight-cowboy coder who sticks in changes at 2 am and doesn't tell anyone or bother to test.

      In the case of a true emergency change, they can be done and documented after the fact (but should still be documented).

      It's not that hard and really has little to do with SOX and more to do with running a class operation.

      --
      Skip ------ See the latest from http://www.anArchyFortWorth.com
    10. Re:SOX is choking our companies, kill it. by pauls2272 · · Score: 1

      I understand it completely and it doesn't happen in the real world in real IT depts. First, we aren't coding anything - we are implementing PTFs, hotfixes, new software releases, etc. And every place I've worked, the guy that gets the fix, tests it and implements it himself. There is no Change Control group for the sysadmins/sysprogs.

      To do that you would need to have 2 separate groups - one that downloads, installs and tests on test servers and another that just implements changes into production.

      Duplication of effort and just pure overhead. Also when dealing with complex products - DB2, SQL Server, IMS, CICS etc. - companies cannot afford to have multiple people with that knowledge not doing real work. Small companies have 1 guy with many, many hats. Larger companies are lucky if they have multiple people that can back each other up - but they don't have time to do each other's work.

      You deal with the midnight cowboy dude by firing him.

    11. Re:SOX is choking our companies, kill it. by Nausea · · Score: 1

      AMEN! To rub salt in the wounds, SOX implementation in an existing company doing an IPO is, to say the least, horrifically *painful*! Never mind all the 'wasted' money and time on compliance audits. "Oh, you have to put in a ticket to make that little change" results in a ticket that several others have to touch/test/verify - thus even menial changes to systems can potentially rot for weeks. While I'm not saying it isn't good to have a paper trail / change log and verification of work, SOX adds a whole new level of idiocy to what would otherwise be 10 minutes of actual work. I can see some parts of it remaining viable, such as accounting practices - but most of the IT portions need to be trashed. One of my big beefs with SOX compliance is that it doesn't really mean better _anything_ to the company (though it *might* bring about a handful of better practices here & there). Instead, it saddles most of the staff with a bunch of inefficient 'busywork' - and in many cases extra software and other crap the company never really needed in the 1st place - all for the mere illusion of a better business 'machine' (one that honestly worked great before SOX came along). I'd love to see some real examples of how SOX has actually _improved_ companies that are forced to implement it...

    12. Re:SOX is choking our companies, kill it. by aynoknman · · Score: 1

      The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just mean more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.

      This is also known as 'race to the bottom.' It happens with corporate governance as well as taxes and wages.

      --
      We need a "+1 -- nice sig" moderation.
    13. Re:SOX is choking our companies, kill it. by blitzkrieg3 · · Score: 1

      You're exactly the type of person I was talking about.

    14. Re:SOX is choking our companies, kill it. by dstar · · Score: 3, Informative

      I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

      It's doing no such thing. People may be using it as an excuse to build an empire or do stupid things, but that's not the fault of SOX. I worked for a *VERY* large financial company (the overall IT budget, across all branches, businesses, etc, was measured in the *billions* of dollars), and not once were we stopped from doing anything because of SOX. Not once was it even an issue, either.

      Put the blame where it belongs, on stupid people. Then fire them.

    15. Re:SOX is choking our companies, kill it. by FatSean · · Score: 3, Insightful

      So you're the developer who doesn't think about logging, security or any other kind of operational issue when you develop? Sounds like your company has you in the right box.

      --
      Blar.
    16. Re:SOX is choking our companies, kill it. by hemp · · Score: 1

      I sure hope you don't work at NASA or a nuclear power plant.

      --
      Skip ------ See the latest from http://www.anArchyFortWorth.com
    17. Re:SOX is choking our companies, kill it. by techno-vampire · · Score: 1
      I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings.

      Sounds to me like somebody in your company has a micro-management fetish. BTDTGTTS. You have my sympathy!

      --
      Good, inexpensive web hosting
    18. Re:SOX is choking our companies, kill it. by Anonymous Coward · · Score: 0

      10+ signatures just means that 9 more people are required to approve the stuff that Enron got up to. For example the Risk group could cancel a programme but a senior executive could override this.

    19. Re:SOX is choking our companies, kill it. by Bigjeff5 · · Score: 2, Insightful

      It sounds like you're a dumbass who doesn't give a shit about your clients' data if you think you don't need authentication and logging for a web app. You're about the only type of idiot SOX actually protects us from. If IT guys didn't need to SOX to tell dumbasses like you to fuck off, we wouldn't be stuck with SOX in the first place.

      I hope you don't do work for any systems that hold my data, that's all I'm saying.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    20. Re:SOX is choking our companies, kill it. by Anonymous Coward · · Score: 0

      Get rid of SOX, but just don't tell the developers :)

    21. Re:SOX is choking our companies, kill it. by gullevek · · Score: 1

      Unless the webapp is developed for a financial system, using SOX here does not really work at all.

      --
      "Freiheit ist immer auch die Freiheit des Andersdenkenden" - Rosa Luxemburg, 1871 - 1919
    22. Re:SOX is choking our companies, kill it. by RMH101 · · Score: 1

      Agreed. There's all sorts of regulatory pressure that can apply to different industries: SOX compliance for US companies and any publicly traded foreign companies that do business with the US, there's financial regulation like Visa/Mastercard's EMV accreditation and PCI DSS for those in the financial sector, there's the FDA for those that work in Pharma, and there's others such as the Data Protection Act in the UK - all or none may apply to your specific business, but in principle they are outlining a bare minimum level of competence, with the stick of financial penalties for non-compliance that an accountant understands and fears.

      From my background in Pharma IT, it allowed a tech to be able to just stop or challenge major projects in a heartbeat: the beancounters *have* to consider regulatory "licence-to-operate" issues like this. Crappy documentation from a vendor? Being forced down the route of using an insecure system with no audit trail? Under the terms of FDA compliance you're gonna be responsible as an individual for what you sign off, so you don't sign it unless you're damn sure it's done right.

      The problem arises in that most regulations are descriptive, not prescriptive - they don't tell you *exactly* what to do: they set out a standard and tell you that you need to meet it. This can and often does lead to playing safe, and it being interpreted in a way-over-the-top way that means you have a million forms to fill out in triplicate before you can change anything.

      It's designed to give a basic level of accountability and best practice - not to make millions for Accenture. Doesn't always turn out that way, I know, but if the alternative is big companies being able to run their credit card databases like a drunken pirate ship then I'd rather they had some regulatory responsibilities with teeth than none.

    23. Re:SOX is choking our companies, kill it. by Anonymous Coward · · Score: 0

      I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

      It's doing no such thing. People may be using it as an excuse to build an empire or do stupid things, but that's not the fault of SOX. I worked for a *VERY* large financial company (the overall IT budget, across all branches, businesses, etc, was measured in the *billions* of dollars), and not once were we stopped from doing anything because of SOX. Not once was it even an issue, either.

      Put the blame where it belongs, on stupid people. Then fire them.

      I've worked for two companies that dealt with Federal Contracts and we didn't have to deal with the insanity of SOX, now I work in a company where simple IT day to day tasks take a minimum of 10 times as long as the same tasks from the previous two companies. How pathetic is it when dealing with Federal Contracts are easier than SOX?

    24. Re:SOX is choking our companies, kill it. by alcourt · · Score: 1

      Actually, what is needed is a clueful audit response department. This department would be able to classify systems as SOX impacted or not depending on if they process data that is relevant to SOX. Then, you make sure you have a reasonably effective security policy and follow it.

      It seems a lot of companies have a problem with writing a security policy that is reasonably effective. Many firms I've seen seem to do the "wink system", where they write a ridiculous policy that is impossible to follow in reality, then wonder why the auditors hold them to that policy as audit findings.

      Others write policies that don't even pretend to cover basic security. The model at some of those firms seems to be "What developer wants, gets." Developer wants unrestricted permanent root on the prod box? They get it. Developer wants direct login to shared accounts as a part of the application? They get it, and no one dares tell them no.

      A lot of what I've seen as very effective in audits is to provide for a strong audit trail of who did what. There are multiple ways to do that. Have a process in place to detect errors, and a check to ensure that process is being followed. Ensure that no one person can do something malicious and erase all evidence of it.

      Disclaimer: part of my job is audit response on SOX and PCI and other audits, preparing servers for the audit, ensuring compliance outside the audit, etc.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    25. Re:SOX is choking our companies, kill it. by alcourt · · Score: 1

      Instead we should have devastating fines or other punishment for companies that are found to have problems preventing fraudulent changes to data, so that companies could build in meaningful safeguards around ACTUAL financial data (with the ROI being the prevention of said fines so security groups could get funding), as opposed to safeguarding anything that smells like financial data to auditors (with the auditors of course paid more the more systems they have to audit). Let auditors audit crooks, not the innocent. Then we could also document the real bypasses to processes instead of having them but having to pretend they do not exist because auditors and high-level execs Cannot Know.

      Most of the IT portion of SOX is based around having meaningful tools to have an effective security policy to tell people what they can and cannot do, as well as means to detect when those rules are violated. It is the latter portion that seems to often cause the most grief. You cannot know where the problems exist unless you provide for an accountability trail to ensure that people manipulating financial impacting data are tracked.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    26. Re:SOX is choking our companies, kill it. by Viperpete · · Score: 1

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."
      -- H. L. Mencken

      --
      loose: not fitting closely or tightly != lose: to suffer the deprivation of
  8. I Know! by fuzzyfuzzyfungus · · Score: 4, Funny

    In order to ensure security against DOS attacks, I think it would be reasonable to mandate that all vendors be required to prove that their programs will halt in finite time, given an arbitrary input.

    That seems like a wholly reasonable request, not too burdensome, and should improve security.

    1. Re:I Know! by ThatMegathronDude · · Score: 1

      Easy enough.

      You heard the man, noone use the Internet until this is done.

    2. Re:I Know! by fuzzyfuzzyfungus · · Score: 1

      Perhaps we could devise some sort of general algorithm, in order to speed the process up...

    3. Re:I Know! by Bigjeff5 · · Score: 3, Funny

      You heard the man, noone use the Internet until this is done.

      I don't see why the Noones weren't allowed to use the internet before, or why they'll have to stop when this is over, but it's nice that you're willing to let them use it a little bit, I guess.

      Or perhaps you meant "no one"?

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    4. Re:I Know! by maxume · · Score: 1

      Is it okay if sometimes the program doesn't do anything useful with the input?

      --
      Nerd rage is the funniest rage.
    5. Re:I Know! by Obfuscant · · Score: 3, Funny
      Is it okay if sometimes the program doesn't do anything useful with the input?

      Slashdot is already patented, isn't it?

    6. Re:I Know! by Anonymous Coward · · Score: 0

      You joke, but I suspect a lot of vendors would be able to do everything they need to with Deciders.

  9. Silver Lining. by FatSean · · Score: 4, Interesting

    I inherited a bunch of apps that had atrocious logging practices. They were intertwined and when a problem arose, it was very difficult to PD. Management didn't care to spend money adding some log statements, it was good enough. SOX forced us to place logging statements at system boundaries. This wasn't a complete logging overhaul but it really did help with future PD.

    --
    Blar.
    1. Re:Silver Lining. by Fractal+Dice · · Score: 1

      That was my experience as well ... although I was not directly involved in any SOX work, I saw it dredging up all sorts of atrociously bad practices all around that were time bombs waiting to go off (application interfaces open to the world, critical servers never being backed up, root accounts still active for people laid off years ago). Outsourcing, entropy plus plausible deniability is a dangerous cocktail in IT.

    2. Re:Silver Lining. by http · · Score: 1

      And what, pray tell, is "PD" in this lingo you're using?

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
  10. Can the Supreme Court efficiently rule here? by Tanks*Guns · · Score: 1

    From TFA: "Now, here’s where things get interesting. Beckstead decided to sue PCAOB not over the deficiencies found, but rather the oversight board’s very right to existence."

    As a disclaimer I have to say I have worked in financials IT for quite a while and SOX was quite literally the bane of our existence for over 3 years. Whether SOX is a true measure of compliance is still an open question in my mind ...

    The implication here is that if the Justices do rule in favor of Beckstead, what does that say about other government organizations that "audit" citizens' affairs?

    In other words, you are told that all your servers must be 1U, you know this for a long time and make an effort to make sure every server is 1U, you go as far as dedicating an entire year to ensuring that servers must be 1U, then you get audited and they happen to find that 4U box your support guys used to launch all that crap that no other box was capable of handling, simultaneously, so you fail that portion of the audit.

    You just SUE the people who enforce these efforts in the hopes that the very laws you knew about and made a concerted effort to abide by get disregarded or amended in the course of a hearing? That's it?

    1. Re:Can the Supreme Court efficiently rule here? by CorSci81 · · Score: 1

      The implication here is that if the Justices do rule in favor of Beckstead, what does that say about other government organizations that "audit" citizen's affairs?

      If you had read the full article you might also have noticed that the crux of the argument is that the PCAOB is set up as an organization independent of the executive or legislative branches. So, if the ruling goes for Beckstead nothing happens to most other "auditing" agencies. I can't think of any off the top of my head that have been granted some manner of legal authority and are not subject to some manner of appointment process by Congress or the executive branch (although some of them arguably might be better off if they were).

  11. 1U ? by sugarmotor · · Score: 1

    Are you using 1U just as an example or are there really rules somewhere about using only 1U's, and not 4U ?

    Stephan

    --
    http://stephan.sugarmotor.org
    1. Re:1U ? by Tanks*Guns · · Score: 1

      Oh my! no, example only

    2. Re:1U ? by flydpnkrtn · · Score: 1

      Are you using 1U just as an example or are there really rules somewhere about using only 1U's, and not 4U ?

      I know right... this is Slashdot; we stick to car analogies 'round here thankyouverymuch

  12. sox isn't all about IT. by L3370 · · Score: 2, Informative

    SOX compliance itself has more to do with accounting practices than it does with IT. IT related affairs only come into play when it goes hand in hand with the accounting/financial requirements. If you are relying entirely on SOX compliance laws and regulations to fulfill IT requirements and security standards, you are ill-prepared for IT compliance.

    For example... per SOX, business documents and financial reports must be kept for 7 years. If your documents and records just happen to be in digital format, then you are mandated to have digital backup retention for 7 years... otherwise SOX has nothing to do with your computers. SOX doesn't have enough meat on IT-specific matters to be used as your sole baseline for IT requirements.

    I don't think SOX needs to be rewritten or abandoned...we just need a different solution to solve the IT problems.

    1. Re:sox isn't all about IT. by WRX+SKy · · Score: 1

      I disagree. I work in the IT dept. for a F100 company, and SOX is a complete barrier to getting anything done in a reasonable time-frame. It needs to be abandoned and reworked from ground zero.

      For example, we are slowly phasing out an old mainframe system that used to "do it all" for the organization. To support each new sub-system we must create interfaces into and out of the mainframe to access legacy functions it may still retain.

      If I make a change to one of the compartmentalized systems (say... the shipping ETA generator for example), my change must pass through multiple SOX audits before it can be released because that "Shipping ETA" interfaces to the mainframe, which in turn interfaces to the accounting system. There is no way my Shipping ETA system could access or modify anything about the accounting system... yet I'm blocked by the SOX controls surrounding it.

    2. Re:sox isn't all about IT. by Anonymous Coward · · Score: 0

      I have a feeling that a lot of those problems are caused by management, your company's lawyers, or auditors that don't understand what you're doing, rather than the law itself.

    3. Re:sox isn't all about IT. by Anonymous Coward · · Score: 0

      I disagree. I work in the IT dept. for a F100 company, and SOX is a complete barrier to getting anything done in a reasonable time-frame. It needs to be abandoned and reworked from ground zero.

      It is unfortunate. It is unfortunate that the management's signature on every SEC filing is legally binding, and that management is responsible for the accuracy and fairness of the results presented therein, and that several high profile managers have decided to skirt the rules and lie. It makes life much harder for the good ones.

      But even the good ones might not know that there's a ticking time bomb under their noses. All it takes is a VP with an ambitious plan and enough stones to lie to your face.

      You might not realize this, but SOX -- as a law -- is mostly related to accounting. The point of SOX is to ensure that the signature your officers put on their documents is properly validated. Your managers are being overly cautious, as managers are prone to be.

    4. Re:sox isn't all about IT. by turbidostato · · Score: 1

      "I have a feeling that a lot of those problems are caused by management, your company's lawyers, or auditors that don't understand what you're doing, rather than the law itself."

      Don't understand or don't *want* to understand? As the old Latin motto goes, 'Cui prodest?' – who is benefited by all that paper trail? Those managers and lawyers that get empowered by the very paper mess they create, I say.

    5. Re:sox isn't all about IT. by Bigjeff5 · · Score: 0

      Have you ever heard of Management of Change or Separation of Duties?

      Both of those are a direct result of SOX that have a massive impact on everything IT does. SOX affects backup policies, email policies, network policies, even instant messaging policies!

      I recall telecom wanting to upgrade a 100mb line to a 1000mb line, they finished all the work, everything was good to go, it's an easy change, so when they were ready they sent in the MoC request necessary to unplug the network cable from the 100mb port and plug it in to the 1000mb port. It came back a few days later that something on the form wasn't filled out quite right, ok no big deal, it's a complicated form for a stupid simple change, it can be hard to fill in all the blanks for that type of thing. So they fixed it and sent it back. Well, they didn't believe it, or something, and wanted a bigger impact study done on it. I mean, for Christ's sake it's a frickin port swap! NOBODY is going to lose connectivity during the swap, you'll know in 10 seconds if it didn't work, and fixing it is as easy as plugging it back into the old port. There is no impact at all. In all it took about a month and 20-30 man-hours to unplug a network cable and plug it in to another port.

      What does that have to do with SOX? Well, the only reason telecom has to go through that bullshit is because there are a helluva lot of accountants in the building, working with sensitive financial material, and even though there is no way such a change will ever affect them or the integrity of that financial data, it must all still comply with SOX.

      This kind of crap costs IT departments buttloads of money, I mean, that was at least $1200 just to plug a network cable into a new port, it's 99% of the cost of the entire job. This crap happens on a regular basis, hugely inflating the cost of projects.

      Separation of Duties makes some sense in some situations, but half the time it must be applied in an area that makes absolutely no sense, and that is determined entirely by these independent audit boards that have no oversight.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    6. Re:sox isn't all about IT. by StrategicIrony · · Score: 2, Insightful

      On the other hand, I worked in an office where a small team (three people) of server admins pulled a 10MB cable from a core infrastructure device and swapped it with a 100MB cable, with a similar attitude and the ensuing routing loop of some sort brought down an entire Fortune 100 company, costing an estimated $25 million in downtime and creating a late-night fire drill of pretty epic proportions as consultants and network admins scurried around their respective offices in 15 different cities trying to figure out why their packets were all cratering while about two dozen server admins were busy rebooting their systems, not knowing it was a network issue.

      In the process, several network admins at different properties were busy trying to create custom routes to bypass the issue, which caused months of intermittent network issues once the original link was restored properly.

      Overall, $1200 to check out the issues before hand would have seemed like a real cheap alternative, even if it was only a 1% fix.

  13. Re:Fuck you government niggers by Anonymous Coward · · Score: 0

    Shh, Adolph, Shh They think you are dead.

  14. It's not a kind of box by jfengel · · Score: 1

    Nitpicky, I know, but the title of the Slashdot article (not the underlying article) uses "SarBox", as if it were some brand name for a kind of box.

    It's the "Sarbanes-Oxley" Act, sometimes "Sarbox" or "SARBOX" (for those who feel compelled to treat every new word they don't know as an initialism) but "SarBox" is right out.

    "SOx" or "SOX" are much more common.

  15. SarBox? by Lord+Ender · · Score: 1

    Who refers to Sarbanes-Oxley as SarBox? I've only ever heard of it as "SOX." I can't imagine why the "b" would be stressed, anyway.

    I know this is the internet, but we really shouldn't just go around inventing acronyms for headlines.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  16. You can only lead on so many topics by SuperKendall · · Score: 1

    I've worked in companies where SOX was used to make processes more stringent and intelligent. And I work in a company where SOX has allowed the accounting/finance department to dictate all manner of corporate and IT policy.

    Yes it is POSSIBLE to have rational adherence to SOX. But that seems far more the exception than the rule.

    In order to survive SOX, companies need keen leadership -- one that will prevent the sort of "SOX run amok" mentality and provide solid guidance to the company as a whole.

    The problem is that even if they do succeed at that, it's a huge drain to provide truly effective leadership - and all that energy and manpower that goes into smart adherence to a loose standard, could have gone instead into leadership in product development or marketing or anything that actually provided an iota of real value to the world.

    Step back and think about the big picture, do we really want brilliant leaders across the nation focused simply on regulatory compliance? What a waste of human potential!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:You can only lead on so many topics by wtbname · · Score: 1

      Step back and think about the big picture, do we really want brilliant leaders across the nation focused simply on regulatory compliance? What a waste of human potential!

      Hi, you've met reality right? 99% of what goes on in this world is a waste of human potential.

      Including this post!

    2. Re:You can only lead on so many topics by Bigjeff5 · · Score: 1

      I'm not sure, but I don't think you qualify as one of the brilliant leaders across the nation that the GP was talking about.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  17. SOX and IT is Poorly Understood by Anonymous Coward · · Score: 2, Informative

    I am a SOX IT auditor, so here are a few thoughts. Yes, I'm posting as an Anonymous Coward because I don't want my name tied to this in case someone from my firm sees this.

    1. SOX is not about information security and security events. It's about determining if sufficient controls are present to prevent or detect material misstatement in the financial statements. For example, you have crappy network security. A hacker breaks in and steals customer information. While very damaging, there is no impact on the financial statements from a reporting standpoint (assuming that your accounting department properly books the entries for any fines and penalties - and this is assuming the hacker only copied data and didn't submit anything falsely). If a hacker did submit something falsely, the auditors would fall back on manual review controls, in the business processes (e.g., reconciliations) to try to identify anything major.

    2. If your IT auditors told you that to be SOX compliant you had to log everything, then you were told incorrectly. We only want to look at logs when we find major problems elsewhere, and we are only wanting to look at the logs to try to determine the level of risk associated with the issues we have identified. Logging of failed login attempts is useless, for SOX, since the account wasn't used (hence FAILED login attempts). Obviously, many of these things are good to look at for overall security, but they have no impact for SOX.

    3. Here are the basics for IT SOX compliance:
        a. Basic segregation of duties. The major problem here is that many companies let their developers have full access to production environments or let end users be system administrators.
        b. Have a decent change management process. Again, don't let your developers have update access to the production environments. Make sure you keep documentation showing that changes are tested and approved. This doesn't have to be anything fancy.
        c. Have a decent process to document new system implementations and major system upgrades. I can't begin to tell you how many times I've had clients implement new systems and give everyone full access just because it was easier or didn't check to see that they converted their data from the legacy application to the new application completely and accurately.
        d. Have a process to follow up on production processing errors / major events. If you have tons of job / batch processing abends and can't show that they were resolved in a timely manner, we can't be sure that transactions didn't get dropped.

    Obviously, SOX can be very complex, especially if you have a very complex environment. However, if you actually read Section 404, there is nothing there that calls out specifics (e.g., like the specifics listed for PCI compliance). It should be all about risk management.

    1. Re:SOX and IT is Poorly Understood by afidel · · Score: 1

      While that is all true, having rigorous IT compliance to SOX means that our auditors don't feel it necessary to do as deep a dive into our financial statements, saving us about as much in auditing fees as our entire IT budget (which is not small for our company size). They have set a threshold for audit failures on the IT side, and if we were to fail enough high-priority controls they would have to do some serious forensic accounting, which would be extremely labor intensive since it would have to be completed before our next SEC statement.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:SOX and IT is Poorly Understood by Anonymous Coward · · Score: 0

      Yes, pretty much the entire point of SOX is to prevent the CEO from claiming

      1) I never saw any documents regarding X and I'm a clueless fucktard who does very important things for my company but I have no idea what those things are or what my company does.
      2) Yes, I signed a document, but I clearly recall the document I signed was regarding the rescue of cute fluffy kittens from trees. Clearly some evil hacker altered the document to make it appear that I endorsed X without my knowledge.
      3) No, we don't have an income stream from X and the auditor has the complete financial record of our company.

      SOX has absolutely nothing to do with actual security, except where failure of that security may allow scenario #2 to happen.

  18. SOX SUX by Anonymous Coward · · Score: 0

    I agree with the article: it is something that auditing firms are using to scare the bejeesus out of everyone at the C-level.

    It slows companies down in myriad ways. Without preventing another Enron. Evil people will do what evil people do, and SOX ain't gonna stop them.

    One other way it is abused: internal IT stonewalling. Now our IT group has an easy deflection for any new project: SOX. It's like a bell rings when they say it, straight out of Groucho Marx. I've given up even trying to fight. When they play the SOX card, I just leave the room. There's no winning the argument.

  19. It's about time. by rickb928 · · Score: 0

    We need a good Article 10 fight. Now.

    Washington is out of control, and has been for a while. As good a time as any to make a stand.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:It's about time. by Bigjeff5 · · Score: 1

      I think you meant Amendment 10.

      There is no Article 10 of the US Constitution, it only has 8 articles - you referenced section 10 of Article 1, which lays out the restrictions on the States.

      Since it's short and sweet, here's the 10th Amendment to the Constitution of the United States of America:

      The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

      The federal government has somehow managed to get around this to a large degree by citing inter-state commerce (which the constitution states is the purview of the Feds). SOX would fall under that as well, and actually a heck of a lot better than most of the federal government's interference into State affairs does.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    2. Re:It's about time. by rickb928 · · Score: 1

      Pretty much.

      I didn't mean Article 10 of the Articles of Confederation.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  20. PD PD Good for you Good for me! by FatSean · · Score: 1

    Problem Determination?

    --
    Blar.
    1. Re:PD PD Good for you Good for me! by Bigjeff5 · · Score: 1

      Ahh, that really clears it up.

      I thought it meant "Penguin Dynamite".

      Yeah, it didn't make much sense to me either.

      Still, it should have been Troubleshoot instead of "problem determination". Why use big words when a diminutive word will suffice?

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    2. Re:PD PD Good for you Good for me! by donatzsky · · Score: 1

      Why use big words when a diminutive word will suffice?

      Perhaps he's a consultant or manager.

    3. Re:PD PD Good for you Good for me! by FatSean · · Score: 1

      It's the term favored by my organization, so I use it often and it has become habit.

      And PD is shorter than Troubleshoot anyway. Who doesn't know PD means Problem Determination? Given the context of the post it seemed pretty obvious.

      --
      Blar.
  21. Electrical Code -- National Fire Protection Assoc by Anonymous Coward · · Score: 0

    The National Fire Protection Association is another organization independent of the executive or legislative branches which has been granted legal authority to specify how you may wire a building, including your own house.

    NFPA 70, aka the National Electrical Code http://en.wikipedia.org/wiki/National_Electrical_Code, "is commonly mandated by state or local law".

    And did you miss all the outraged slashdot discussions spurred by private organizations claiming copyright over specific state and local laws?

  22. Who do you work for? by FatSean · · Score: 2, Insightful

    I want to know so I can never do business with such a shoddy shop. My company has strict SOD and we enforce it through tooling. We have three groups: Development, Test, Operations. I'm on the development side, so I check builds and docs into the source code control system. Test pulls it out, applies it to the test environment, and runs tests. Test then passes the code and documentation to operations, who update any configuration parameters that differ between test and production systems and install it with the rest of us standing by on a chat in case anything goes wrong.

    --
    Blar.
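    The dev -> test -> ops hand-off described in the comment above can be checked mechanically. The following is an added example, not code from the poster's company or from any tool named in this thread; the record fields, group names and user names are assumptions for illustration. It takes a constructed release record and the group membership map and reports segregation-of-duties and change-management violations: the same person acting in two stages, a person acting outside their group, developers who also hold operations access, a missing test approval, and an artifact reaching production that differs (by hash) from the one test approved.

    ```python
    """Added example: tooling-enforced segregation of duties for a
    dev -> test -> ops release pipeline. Record format, group names and
    user names are assumptions, not anything from the original thread."""
    import hashlib
    from dataclasses import dataclass
    from typing import Dict, List, Set


    @dataclass
    class ReleaseRecord:
        artifact_sha256: str    # hash of the build development checked in
        committed_by: str
        tested_by: str
        tested_sha256: str      # hash of the build test actually exercised
        approved_by_test: bool
        deployed_by: str
        deployed_sha256: str    # hash of what operations installed in production


    def sha256_hex(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()


    def check_release(rec: ReleaseRecord, groups: Dict[str, Set[str]]) -> List[str]:
        """Return a list of violations; an empty list means the release is clean."""
        violations: List[str] = []
        stages = {
            "development": rec.committed_by,
            "test": rec.tested_by,
            "operations": rec.deployed_by,
        }

        # Each stage must be carried out by a member of that stage's group.
        for stage, person in stages.items():
            if person not in groups.get(stage, set()):
                violations.append(f"{person} performed {stage} without membership in '{stage}'")

        # No single person may hold two stages of the same release.
        if len(set(stages.values())) < len(stages):
            violations.append("the same individual acted in more than one stage")

        # Developers must not hold production (operations) access at all.
        overlap = groups.get("development", set()) & groups.get("operations", set())
        if overlap:
            violations.append(f"developers with operations access: {sorted(overlap)}")

        # Change management: test must have approved exactly what was committed,
        # and operations must have deployed exactly what test approved.
        if not rec.approved_by_test:
            violations.append("no test approval recorded")
        if rec.tested_sha256 != rec.artifact_sha256:
            violations.append("test exercised a different artifact than the one committed")
        if rec.deployed_sha256 != rec.tested_sha256:
            violations.append("operations deployed an artifact that test did not approve")
        return violations


    # Constructed sample data (assumed names; not from the original thread).
    CLEAN_GROUPS = {"development": {"dev1", "dev2"}, "test": {"qa1"}, "operations": {"ops1"}}
    CLEAN_RELEASE = ReleaseRecord(
        artifact_sha256=sha256_hex(b"build-42"), committed_by="dev1",
        tested_by="qa1", tested_sha256=sha256_hex(b"build-42"), approved_by_test=True,
        deployed_by="ops1", deployed_sha256=sha256_hex(b"build-42"),
    )

    # A "midnight coder": dev1 is also in operations, skipped test, and pushed a newer build.
    SHODDY_GROUPS = {"development": {"dev1", "dev2"}, "test": {"qa1"}, "operations": {"ops1", "dev1"}}
    SHODDY_RELEASE = ReleaseRecord(
        artifact_sha256=sha256_hex(b"build-42"), committed_by="dev1",
        tested_by="dev1", tested_sha256=sha256_hex(b"build-42"), approved_by_test=False,
        deployed_by="dev1", deployed_sha256=sha256_hex(b"build-43"),
    )


    def clean_release_violations() -> List[str]:
        return check_release(CLEAN_RELEASE, CLEAN_GROUPS)


    def shoddy_release_violations() -> List[str]:
        return check_release(SHODDY_RELEASE, SHODDY_GROUPS)


    if __name__ == "__main__":
        print("clean:", clean_release_violations())
        for v in shoddy_release_violations():
            print("shoddy:", v)
    ```

    The hash comparison is what makes the hand-off auditable rather than merely procedural: the evidence that production runs what test approved is the artifact digest carried through the record, not a claim in a ticket.
    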
    1. Re:Who do you work for? by pauls2272 · · Score: 1

      > Development, Test, Operations. I'm on development side so I check builds and docs into the source code control system.

      Sounds like you're an application dude and not a sysadmin/sysprog. You get source from Vendors and log that into your "source code control system"? Microsoft gives you the source to Windows so you can log the changes Microsoft makes to Windows? Who maintains this "source code control system" and who implements changes into that? Another source code control system to manage the 1st source code control system?

      The vendor fixes I get are all object code and need special software to install them - SMP/E for IBM PTFs, smitty for AIX, etc.

      I've worked for Fortune 100 companies and I've never seen a set of "development" sysadmins/sysprogs and another set for Test and another set for Operations. Way too expensive to spend all that money paying people to do the exact same work.

    2. Re:Who do you work for? by Bigjeff5 · · Score: 1

      What about operations where 3 people is overkill?

      Didn't think about that one eh?

      There is no reason one person can't do all of it, from development to operations, if he follows best practices in each case. Anything more than a one-man shop should always have another person checking the work at each stage, but that does not make separation of duties necessary. It also very rarely makes sense in an IT support environment, but often the rules are made to apply to the support guys anyway.

      The easiest way to prevent midnight coders is to implement a source control system and a daily build (or weekly or monthly, depending on the type of project, but you probably want daily builds) policy and require all new code to be in the daily build by noon each day. Your change must build and run correctly, or you can't update the build. If the code doesn't work, then the last person to update it must fix it. If a coder refuses to follow these guidelines, fire them. No matter how brilliant they may be, they will almost certainly cost you more money than they make for you because of their disrespect for your organization.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  23. Getting rid of SarBox won't help with that problem by Anonymous Coward · · Score: 0

    The IT department will simply come up with another excuse. The preventers of information services are quite adaptable. When you ask for something that the blessed vendors are good at (or requires actual work), the response is the excuse-du-jour. SarBox is popular, but there are many others.