Sarbanes Oxley Act (SOX) - What it means for IT?

Ranch Hand
Posts: 418
I am not sure if I should post this topic in this forum. But I want to know the general view, opinions and experience of people while implementing solutions for SOX compliance.

Just a little background on SOX: it was created by the US Congress in the wake of corporate scandals like Enron in 2001 and 2002. It is an attempt to tighten controls over corporate financial reporting and transparency.

I am basically interested in implementing security solutions for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide the following facilities:
1. User identification, authorization and access
2. User control of user accounts
3. Central identification and access rights/permissions management
4. Violation and security activity reporting

Various identity management products are available on the market that provide SOX compliance, e.g. Sun Identity Server, Netegrity SiteMinder, Oblix NetPoint etc.

Has anybody used these products to provide SOX compliance for an organization? What are your general experiences, problems, issues etc.? Please share your views...
Ranch Hand
Posts: 1759

Originally posted by Rashmi Tambe:

I am basically interested in implementing security solutions for SOX compliance.



Yeah, I think you are in the right forum. Try the Security forum but they probably try and keep away from corrupt accountants.
[ January 11, 2005: Message edited by: Helen Thomas ]
Ranch Hand
Posts: 305
It means you will really, really come to hate audits!

We already did this and once it's over... let's put it this way... it's never over. It becomes part of the process. Learn to like paperwork. Piles and piles of it.
Rashmi Tambe
Ranch Hand
Posts: 418

Originally posted by Helen Thomas:


Yeah, I think you are in the right forum. Try the Security forum but they probably try and keep away from corrupt accountants.

[ January 11, 2005: Message edited by: Helen Thomas ]

I thought of trying the security forum... but then I want to know the general views, opinions and experiences of people while implementing SOX. So it's not just related to security solutions...

anyways...
blacksmith
Posts: 1332
I haven't worked on it - but my wife's job has been 50% SOX for the last six months at least.

At her place of work, it involves a big bunch of bureaucratic rules that tend to make getting work done more difficult without, in my opinion and her opinion, making things any safer.

For example, she's no longer allowed to log on to the production servers. That means that when there's a production problem, she can't troubleshoot it directly. Unfortunately, the people in operations aren't trained for this kind of thing - when she wrote procedures for handling some common issues, their manager noticed that the procedures involved their logging in to Unix machines and said, "they can't do that - they'll mess something up. It's too dangerous." So she gets to walk them through the troubleshooting, on a phone, getting them to do exactly what she would have done. Meanwhile if someone wanted to insert fraudulent data, they would just join the operations group instead of the programming group, and the only thing that might give them away is that they actually know how to log on without help.

Of course the auditors come in and say everyone has to have a different password for every different machine, and they have to change every couple of months, and they have to be letter/number combinations that are difficult to remember. So instead of one person having the passwords, everyone's going to write them on post-it notes on their computer and anyone who wants to commit fraud will be able to do it from other people's accounts instead of their own.

The fact is, the fraud that cost investors billions of dollars at Enron and Worldcom wasn't done by programmers, or even hackers, breaking into computers - it was done by a relatively small number of medium to high level executives. Vigorous prosecution of the people who actually committed large dollar amounts of fraud (as opposed to the people who make good political targets because they are newsworthy for one reason or another) is what will help. Then again, Sarbanes-Oxley doesn't actually mandate any of this idiocy that's making my wife's life miserable; that's coming from auditors trying to justify their overinflated fees.
Ranch Hand
Posts: 1071
The company I work for is in the middle of an audit for the SOX thing. My personal opinion is that it is completely flipping ridiculous and will solve practically no problems. It will only make business more expensive, which is what most regulations do.

We have to have one group build an app, OK, no problem. A second group QA the app, OK, still not a problem and generally good practice. But then a third group has to support it once it goes to production; that is where things get interesting. I'm glad I'm building and not supporting. I couldn't imagine having a 'finished' app land on my desk, being used in production, and now when a problem shows up I have to try and navigate through all this new code to find the solution when the people that wrote it could track down the bug in under an hour.