SarBox Lawsuit Could Rewrite IT Compliance Rules

← Back to Stories (view on slashdot.org)

SarBox Lawsuit Could Rewrite IT Compliance Rules

Posted by kdawson on Tuesday December 1, 2009 @08:45AM from the sluice-gate-to-security-spending dept.

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

19 of 124 comments (clear)

Min score:

Reason:

Sort:

not found by Anonymous Coward · 2009-12-01 08:47 · Score: 5, Funny

I tried to look up this 404 thing, but I couldn't find it anywhere.
1. Re:not found by Rudeboy777 · 2009-12-01 09:14 · Score: 4, Funny
  
  SOX 404 - Usefulness not found
  
  --
  From hell's heart I fstab at /dev/hdc
2. Re:not found by sexconker · 2009-12-01 12:44 · Score: 3, Insightful
  
  I came to see the 404 jokes.
  I was not disappointed.
SarBox? by omnichad · 2009-12-01 08:59 · Score: 4, Informative

I've seen SOX, but never SarBox. If you're going to CamelCase, do it right: SarbOx.
Re:Rule #1 of government.... by gandhi_2 · 2009-12-01 09:03 · Score: 3, Informative

I'll field that one:
Unions are irrelevant.

--
THL phish sticks
SOX is choking our companies, kill it. by SuperKendall · 2009-12-01 09:06 · Score: 4, Insightful

I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place. Instead we are harming all large businesses just to prevent a one-off case that we are not really preventing anyway!
Kill SOX and let companies get back to what they do best, instead of spending a lot of time simply deciding what compliance means and using the rules to build (even more) fiefdoms within giant companies.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:SOX is choking our companies, kill it. by Archangel+Michael · 2009-12-01 09:26 · Score: 3, Interesting
  
  You can usually make the case for MOST government regulations of businesses. Laws aren't for the lawful, but for the unlawful. Wherever the line is drawn, there will always be people who skirt around at that edge.
  If laws and regulations move too far away from the edge, the laws themselves become the end of, not the means of, compliance. Everyone becomes a lawbreaker, and there is no room for discretion.
  You can see this in all the zero tolerance laws in place. Zero tolerance laws do not stop anything, and just make more people criminals, like little boys coming to kindergarten with a camping fork, knife, spoon gadget getting expelled because he brought a knife to school. Zero Tolerance! No excuses! He Broke the LAW!!!!
  I've written on this before. I call it the "There ought to be a law" syndrome. Everytime someone says "there ought to be a law", someone needs to ask a simple question "WHY?". WHY is it that the existing laws aren't applicable? How will this new law break the necessary shades of gray around the edges? Asshats live there, we all agree. Changing this isn't going to change the asshats.
  Sometimes the only thing that will change the asshats is a good old fashion asswhooping.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
2. Re:SOX is choking our companies, kill it. by Zalbik · 2009-12-01 09:46 · Score: 3, Insightful
  
  SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place.
  Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?
  To use the mandatory car analogy, your argument is something like:
  I put winter tires on my car, but then I was t-boned at an intersection when I ran a red light. See, winter tires don't help prevent accidents!
  The two scenarios were completely different. Most of what SOX requires for IT should fall under good IT practice anyways. It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.
  Now I realize people at some corporations have used SOX as a big bat to force in their own pet IT projects. Or as a way of preventing any IT changes that they don't agree with, but that isn't the fault of SOX.
  If people are building personal fiefdom's within corporations, they'll do so with or without some legislation to use as an excuse.
3. Re:SOX is choking our companies, kill it. by illumin8 · 2009-12-01 10:16 · Score: 4, Interesting
  
  I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
  Yeah, but you need to look at the bright side of SOX for us (educated security geeks). When someone wants to do something really dumb like put a web app into production with no logging and no security, you can just tell them to fuck off, because of SOX. Also, if you're a security consultant with half a brain and know how to setup auditing on *nix related systems you can make a lot of money consulting.
  SOX is worth it just for being able to tell a stupid developer that he can't do something that puts the security of my systems in jeopardy.
  
  --
  "When the president does it, that means it's not illegal." - Richard M. Nixon
4. Re:SOX is choking our companies, kill it. by pauls2272 · 2009-12-01 10:16 · Score: 4, Interesting
  
  >I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, >or indeed for rational process to take place in the daily operation of IT.
  Absolutely agree. Although the smart companies are now just giving SOX lip service and ignoring it pretty much entirely. The company I work for now, has all kinds of memos issued saying they support SOX, hotlines, etc but it doesn’t impact real work.
  When SOX hit, the company I worked at, the Accounting dept came out with the required SOX doc and it was non negotiable. They had worked with an auditor that knew nothing of IT and it showed. I had to attend a week long class on how to fill out the dozens of new SOX forms (all manual paper forms) that were to be kept in notebooks!
  I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings. All changes had to have the 10 pounds of forms and 10+ signatures before you could implement. There also had to be “separation of duty” which meant if you were making the change, someone else had to implement it I said “great, your gonna hire another IT group – one to implement and another to install and test”. Of course, they never did this and this “separation of duty” was never followed.
  It was COMPLETE AND TOTAL NONSENSE designed by people who had no clue what they were doing or what the real world was like. Yeah, I need to put a hotfix on a server to fix a problem – I’m gonna wait 2-3 months to get on the CEO change calendar and have a meeting with the CEO But trying to talk to the accounting morons was useless – they insisted every change had to follow their written in stone procedure
  After a few weeks of complaining, the process was “refined” by having Small, Medium and Large changes and Large changes were only the changes had to go thru the above process. The difference being the number of “elements” in the change – but “element” wasn’t defined by the accounting/auditing people. The solution became that all IT changes were SMALL since there was only 1 datacenter so 1 element changing!
  The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just mean more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.
5. Re:SOX is choking our companies, kill it. by dstar · 2009-12-01 11:26 · Score: 3, Informative
  
  I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
  It's doing no such thing. People may be using it as an excuse to build an empire or do stupid things, but that's not the fault of SOX. I worked for a *VERY* large financial company (the overall IT budget, across all branches, businesses, etc, was measured in the *billions* of dollars), and not once were we stopped from doing anything because of SOX. Not once was it even an issue, either.
  Put the blame where it belongs, on stupid people. Then fire them.
6. Re:SOX is choking our companies, kill it. by FatSean · 2009-12-01 11:40 · Score: 3, Insightful
  
  So you're the developer who doesn't think about logging, security or any other kind of operational issue when you develop? Sounds like your company has you in the right box.
  
  --
  Blar.
I Know! by fuzzyfuzzyfungus · 2009-12-01 09:08 · Score: 4, Funny

In order to ensure security against DOS attacks, I think it would be reasonable to mandate that all vendors be required to prove that their programs will halt in finite time, given an arbitrary input.

That seems like a wholly reasonable request, not too burdensome, and should improve security.
1. Re:I Know! by Bigjeff5 · 2009-12-01 09:27 · Score: 3, Funny
  
  You heard the man, noone use the Internet until this is done.
  I don't see why the Noones weren't allowed to use the internet before, or why they'll have to stop when this is over, but it's nice that you're willing to let them use it a little bit, I guess.
  Or perhaps you meant "no one"?
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
2. Re:I Know! by Obfuscant · 2009-12-01 10:06 · Score: 3, Funny
  
  Is it okay if sometimes the program doesn't do anything useful with the input?
  Slashdot is already patented, isn't it?
Silver Lining. by FatSean · 2009-12-01 09:10 · Score: 4, Interesting

I inherited a bunch of apps that had atrocious logging practices. They were inter-twined and when a problem arose, it was very difficult to PD. Management didn't care to spend money adding some log statements, it was good enough. SOX forced us to place logging statements at system boundries. This wasn't a complete logging overhaul but it really did help with future PD.

--
Blar.
Re:SarBox is always the excuse by IrquiM · 2009-12-01 10:48 · Score: 3, Informative

How about rewriting the structure of the management as they clearly do not understand what 404 is all about?
404 doesn't tell you to do anything. It only ask you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually is following your controls. The auditors only task (related to 404) is to check that you do what you are saying and make a judgment on their observations.

--
This is blinging
Re:Budgest re-adjustment... by c6gunner · 2009-12-01 10:48 · Score: 3, Funny

And you get "Flame Wrong Orgy", which, strangely, doesn't seem all that unusual on Slashdot.
Re:SarBox is always the excuse by Bigjeff5 · 2009-12-01 12:37 · Score: 3, Informative

404 doesn't tell you to do anything. It only ask you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually is following your controls.
That's the rub, and that's why this guy is suing. He owned a small accounting firm because, no matter what he did, the SarBox auditor's board determined what he was doing wasn't good enough, and the only changes they would accept would prevent him from turning a profit.
The SarBox board killed a legitimate business that was operating in good-faith compliance.
That's far, far too much power for a bunch of nameless beureaucrats.

--
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller