SarBox Lawsuit Could Rewrite IT Compliance Rules

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

SarBox is always the excuse

[blitzkrieg3]

How about rewriting the law so that every request to my IT department doesn't result in "This functionality would break SarBox compliance", regardless of how related to SarBox the request actually is?

Re:Budgest re-adjustment...

[halcyon1234]

And to do that, they'll need a definition of "secure". One that everyone can agree on. A standard definition, on might say. And to ensure everyone who says they're secure actual is, it might be a good idea to draft a formal document that explicitly lays out those standards, as well as methods for one company to ensure another company meets those standards. Heck, if it's that important, it might be worth thinking about turning that document into a law...

SOX is choking our companies, kill it.

[SuperKendall]

I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place. Instead we are harming all large businesses just to prevent a one-off case that we are not really preventing anyway!

Kill SOX and let companies get back to what they do best, instead of spending a lot of time simply deciding what compliance means and using the rules to build (even more) fiefdoms within giant companies.

Re:SOX is choking our companies, kill it.

[Knara]

There's a large deal of truth to this. If you want to do (or not) do something in a large company these days, the way to justify it is to write up a proposal that uses SOX or HIPAA (preferably both) a few dozen times. Your chance of getting money for it increases exponentially.

Re:SOX is choking our companies, kill it.

[Zalbik]

SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place.

Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

To use the mandatory car analogy, your argument is something like:
I put winter tires on my car, but then I was t-boned at an intersection when I ran a red light. See, winter tires don't help prevent accidents!

The two scenarios were completely different. Most of what SOX requires for IT should fall under good IT practice anyways. It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

Now I realize people at some corporations have used SOX as a big bat to force in their own pet IT projects. Or as a way of preventing any IT changes that they don't agree with, but that isn't the fault of SOX.

If people are building personal fiefdom's within corporations, they'll do so with or without some legislation to use as an excuse.

Re:SOX is choking our companies, kill it.

[SuperKendall]

Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

It's a loose analogy to be sure, but think about it - in both cases shareholders (or stakeholders if you like in the case of FM) were lied to about financial stability. Fannie Mae claimed there were "no issues" just months before the collapse, while hiding the true extent they were in peril with the huge number of sub-prime loans they were carrying.

If you think about it there are way more parallels than it seems at first glance. They were manipulating the output of supposed financial stability, in the end the OUTPUT is what matters here.

It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

But in requiring this, it also mandates the companies be audited. Which means the companies performing the audit dictate what practices you follow to pass the audit. Which means that instead of rational processes meant to actually prevent fraudulent changes to financial data, you are making the changes required simply to pass the audit - just like many schools "teach to the test" when the only metric is standardized tests meant to measure school performance.

Instead we should have devastating fines or other punishment for companies that are found to have problems preventing fraudulent changes to data, so that companies could build in meaningful safeguards around ACTUAL financial data (with the ROI being the prevention of said fines so security groups could get funding), as opposed to safeguarding anything that smells like financial data to auditors (with the auditors of course paid more the more systems they have to audit). Let auditors audit crooks, not the innocent. Then we could also document the real bypasses to processes instead of having them but having to pretend they do not exist because auditors and high-level execs Cannot Know.

Re:SOX is choking our companies, kill it.

[hemp]

I think you don't understand segregation of duties. It doesn't mean having a separate IT group, it means splitting duties between more than one person. For example, the person coding the change and the person implementing the change would be two separate people. Testing should also be separated out from the person who implemented the change.

This does wonders for the midnight-cowboy coder who sticks in changes at 2 am and doesn't tell anyone or bother to test.

In the case of a true emergency change, they can be done and documented after the fact (but should still be documented).

Its not that hard and really has little to do with SOX and more to do with running a class operation.

Re:SOX is choking our companies, kill it.

[FatSean]

So you're the developer who doesn't think about logging, security or any other kind of operational issue when you develop? Sounds like your company has you in the right box.

Re:SOX is choking our companies, kill it.

[Bigjeff5]

It sounds like you're a dumbass who doesn't give a shit about your clients' data if you think you don't need authentication and logging for a web app. You're about the only type of idiot SOX actually protects us from. If IT guys didn't need to SOX to tell dumbasses like you to fuck off, we wouldn't be stuck with SOX in the first place.

I hope you don't do work for any systems that hold my data, that's all I'm saying.

Re:Rule #1 of government....

I don't know. Unions have brought us a couple nice things here in the US until recently:

8 hour workdays.
5 hour work weeks.
Our 8 year old kids out of the coal mines.
Worker's comp for injuries.
Unemployment.
Labor laws.
Banning of blacklists.
Minimum wage.
Vacation leave.
Sick leave.
Liability.
Basic safety.

With all the bellyaching about unions, I think people would love it if they would have to work 12-16 hour days, 7 days a week with their kids doing 12 hour days right by them. Of course, if anyone complained about it, they would be flagged in a database, and guarenteed to never have a job again, just like a felon. Get sick? Work, or have unlimited time off when fired for missing a single day. Also, I guess people don't mind working all this for $100 a month, which is what would be paid without the min wage laws.

No, unions may not be perfect, but the workaday life would be a lot different and a lot worse. But they are the same people who brought you the weekend.

Who do you work for?

[FatSean]

I want to know so I can never do business which such a shoddy shop. My company has strict SOD and we enforce it through tooling. We have three groups: Development, Test, Operations. I'm on development side so I check builds and docs into the source code control system. Test pulls it out, applies it to the test environment, runs tests. Test then passes the code and documentation to operations who updates any configuration parameters that differ between test and production systems and installs it with the rest of us standing by on a chat in case anything goes wrong.

Re:not found

[sexconker]

I came to see the 404 jokes.
I was not disappointed.

Re:Rule #1 of government....

[cayenne8]

True, the unions served their function in the early days of their existance, but, they are an anachronism today, and serve more to hurt workers and business than they do good in this day.

They are a hindrance in the 21st century USA.

Re:sox isn't all about IT.

[StrategicIrony]

On the other hand, I worked in an office where a small team (three people) of server admins pulled a 10MB cable from a core infrastructure device and swapped it with a 100MB cable, with a similar attitude and the ensuing routing loop of some sort brought down an entire Fortune 100 company, costing an estimated $25 million in downtime and creating a late-night fire drill of pretty epic proportions as consultants and network admins scurried around their respective offices in 15 different cities trying to figure out why their packets were all cratering while about two dozen server admins were busy rebooting their systems, not knowing it was a network issue.

In the process, several network admins at different properties were busy trying to create custom routes to bypass the issue, which caused months of intermittent network issues once the original link was restored properly.

Overall, $1200 to check out the issues before hand would have seemed like a real cheap alternative, even if it was only a 1% fix.