
SarBox Lawsuit Could Rewrite IT Compliance Rules

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."
  • by blitzkrieg3 ( 995849 ) on Tuesday December 01, 2009 @04:50PM (#30288634)
    How about rewriting the law so that every request to my IT department doesn't result in "This functionality would break SarBox compliance", regardless of how related to SarBox the request actually is?
  • by halcyon1234 ( 834388 ) <halcyon1234@hotmail.com> on Tuesday December 01, 2009 @04:51PM (#30288666) Journal
    And to do that, they'll need a definition of "secure". One that everyone can agree on. A standard definition, one might say. And to ensure everyone who says they're secure actually is, it might be a good idea to draft a formal document that explicitly lays out those standards, as well as methods for one company to ensure another company meets those standards. Heck, if it's that important, it might be worth thinking about turning that document into a law...
  • by SuperKendall ( 25149 ) on Tuesday December 01, 2009 @05:06PM (#30288880)

    I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

    SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place. Instead we are harming all large businesses just to prevent a one-off case that we are not really preventing anyway!

    Kill SOX and let companies get back to what they do best, instead of spending a lot of time simply deciding what compliance means and using the rules to build (even more) fiefdoms within giant companies.

  • by Knara ( 9377 ) on Tuesday December 01, 2009 @05:09PM (#30288916)
    There's a large deal of truth to this. If you want to do (or not do) something in a large company these days, the way to justify it is to write up a proposal that uses SOX or HIPAA (preferably both) a few dozen times. Your chance of getting money for it increases exponentially.
  • by Zalbik ( 308903 ) on Tuesday December 01, 2009 @05:46PM (#30289384)

    SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place.

    Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

    To use the mandatory car analogy, your argument is something like:
    I put winter tires on my car, but then I was t-boned at an intersection when I ran a red light. See, winter tires don't help prevent accidents!

    The two scenarios were completely different. Most of what SOX requires for IT should fall under good IT practice anyways. It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

    Now I realize people at some corporations have used SOX as a big bat to force in their own pet IT projects. Or as a way of preventing any IT changes that they don't agree with, but that isn't the fault of SOX.

    If people are building personal fiefdoms within corporations, they'll do so with or without some legislation to use as an excuse.

  • by SuperKendall ( 25149 ) on Tuesday December 01, 2009 @06:14PM (#30289794)

    Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?

    It's a loose analogy to be sure, but think about it - in both cases shareholders (or stakeholders if you like in the case of FM) were lied to about financial stability. Fannie Mae claimed there were "no issues" just months before the collapse, while hiding the true extent they were in peril with the huge number of sub-prime loans they were carrying.

    If you think about it there are way more parallels than it seems at first glance. They were manipulating the output of supposed financial stability, in the end the OUTPUT is what matters here.

    It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.

    But in requiring this, it also mandates the companies be audited. Which means the companies performing the audit dictate what practices you follow to pass the audit. Which means that instead of rational processes meant to actually prevent fraudulent changes to financial data, you are making the changes required simply to pass the audit - just like many schools "teach to the test" when the only metric is standardized tests meant to measure school performance.

    Instead we should have devastating fines or other punishment for companies that are found to have problems preventing fraudulent changes to data, so that companies could build in meaningful safeguards around ACTUAL financial data (with the ROI being the prevention of said fines so security groups could get funding), as opposed to safeguarding anything that smells like financial data to auditors (with the auditors of course paid more the more systems they have to audit). Let auditors audit crooks, not the innocent. Then we could also document the real bypasses to processes instead of having them but having to pretend they do not exist because auditors and high-level execs Cannot Know.

  • by hemp ( 36945 ) on Tuesday December 01, 2009 @06:37PM (#30290128) Homepage Journal

    I think you don't understand segregation of duties. It doesn't mean having a separate IT group, it means splitting duties between more than one person. For example, the person coding the change and the person implementing the change would be two separate people. Testing should also be separated out from the person who implemented the change.

    This does wonders for the midnight-cowboy coder who sticks in changes at 2 am and doesn't tell anyone or bother to test.

    In the case of a true emergency change, they can be done and documented after the fact (but should still be documented).

    It's not that hard and really has little to do with SOX and more to do with running a class operation.

  • by Anonymous Coward on Tuesday December 01, 2009 @06:40PM (#30290168)

    I don't know. Unions have brought us a couple nice things here in the US until recently:

    8 hour workdays.
    5 hour work weeks.
    Our 8 year old kids out of the coal mines.
    Worker's comp for injuries.
    Unemployment.
    Labor laws.
    Banning of blacklists.
    Minimum wage.
    Vacation leave.
    Sick leave.
    Liability.
    Basic safety.

    With all the bellyaching about unions, I think people would love it if they would have to work 12-16 hour days, 7 days a week with their kids doing 12 hour days right by them. Of course, if anyone complained about it, they would be flagged in a database, and guaranteed to never have a job again, just like a felon. Get sick? Work, or have unlimited time off when fired for missing a single day. Also, I guess people don't mind working all this for $100 a month, which is what would be paid without the min wage laws.

    No, unions may not be perfect, but the workaday life would be a lot different and a lot worse. But they are the same people who brought you the weekend.

  • by FatSean ( 18753 ) on Tuesday December 01, 2009 @07:40PM (#30290952) Homepage Journal

    So you're the developer who doesn't think about logging, security or any other kind of operational issue when you develop? Sounds like your company has you in the right box.

  • by FatSean ( 18753 ) on Tuesday December 01, 2009 @07:44PM (#30291002) Homepage Journal

    I want to know so I can never do business with such a shoddy shop. My company has strict SOD and we enforce it through tooling. We have three groups: Development, Test, Operations. I'm on the development side so I check builds and docs into the source code control system. Test pulls it out, applies it to the test environment, runs tests. Test then passes the code and documentation to operations, who updates any configuration parameters that differ between test and production systems and installs it with the rest of us standing by on a chat in case anything goes wrong.
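The segregation-of-duties rule hemp describes (coder, implementer and tester are different people; emergency changes may go in first but must be documented afterwards) and the tooling-enforced Development/Test/Operations hand-off FatSean describes can both be checked mechanically from a change-control log. The script below is an added illustration of such a check; it is not code from either poster or from any real change-management product. The event fields, the three role names, the build identifiers and the sample log are all constructed for the example.

```python
"""Segregation-of-duties audit over a constructed change-control log (example, not real data)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed pipeline roles, in the order the hand-off is supposed to happen.
ROLES = ("commit", "test", "deploy")


@dataclass(frozen=True)
class Event:
    ts: int                    # constructed timestamp (seconds); only ordering matters
    build: str                 # constructed build identifier the step refers to
    role: str                  # one of ROLES
    actor: str                 # user id who performed the step
    emergency: bool = False    # flagged as an emergency change
    documented: bool = True    # emergency change has its after-the-fact record


def audit_build(events):
    """Return a list of findings for the events of one build; empty list means clean."""
    findings = []
    ev = sorted(events, key=lambda e: e.ts)
    by_role = defaultdict(list)
    for e in ev:
        if e.role not in ROLES:
            findings.append(f"unknown role {e.role!r} by {e.actor}")
            continue
        by_role[e.role].append(e)
    emergency = any(e.emergency for e in ev)

    # 1. Segregation of duties: no single person may fill two of the roles.
    actors = {r: {e.actor for e in by_role[r]} for r in ROLES}
    for i, r1 in enumerate(ROLES):
        for r2 in ROLES[i + 1:]:
            for a in sorted(actors[r1] & actors[r2]):
                findings.append(f"{a} performed both {r1} and {r2}")

    # 2. Nothing reaches production without an independent test step,
    #    except a declared emergency change.
    if by_role["deploy"] and not by_role["test"] and not emergency:
        findings.append("deployed without an independent test step")

    # 3. The hand-off must happen in order: commit -> test -> deploy.
    first = {r: by_role[r][0].ts for r in ROLES if by_role[r]}
    if "test" in first and "commit" in first and first["test"] < first["commit"]:
        findings.append("test recorded before the commit it supposedly tested")
    if "deploy" in first and "test" in first and first["deploy"] < first["test"]:
        findings.append("deployed before testing completed")

    # 4. Emergency changes may skip ahead, but each step must still be written up.
    for e in ev:
        if e.emergency and not e.documented:
            findings.append(f"emergency {e.role} by {e.actor} has no after-the-fact record")
    return findings


def audit_log(events):
    """Group a change log by build and audit each build; returns {build: findings}."""
    by_build = defaultdict(list)
    for e in events:
        by_build[e.build].append(e)
    return {b: audit_build(evs) for b, evs in sorted(by_build.items())}


# Constructed sample log covering the cases discussed in the thread.
SAMPLE_LOG = [
    # clean three-party hand-off
    Event(1000, "b101", "commit", "alice"),
    Event(2000, "b101", "test", "bob"),
    Event(3000, "b101", "deploy", "carol"),
    # the 2 a.m. cowboy: commits and pushes his own change, nobody tests it
    Event(7200, "b102", "commit", "dave"),
    Event(7260, "b102", "deploy", "dave"),
    # emergency fix by two people, documented after the fact
    Event(9000, "b103", "commit", "erin", emergency=True),
    Event(9100, "b103", "deploy", "frank", emergency=True),
    # emergency fix whose commit was never written up
    Event(9500, "b104", "commit", "gina", emergency=True, documented=False),
    Event(9600, "b104", "deploy", "hank", emergency=True),
]


def violating_builds(events=SAMPLE_LOG):
    """Builds in the log that have at least one finding."""
    return sorted(b for b, f in audit_log(events).items() if f)


if __name__ == "__main__":
    for build, findings in audit_log(SAMPLE_LOG).items():
        print(f"{build}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is it reports b101 and b103 as clean, flags dave on b102 for both the duplicate role and the missing test step, and flags the undocumented emergency commit on b104. Feeding it the real events from a source-control system, test runner and deployment tool (each tagged with the identity that performed the step) is what turns "we enforce SOD through tooling" into something an auditor can verify rather than take on trust.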

  • Re:not found, by sexconker ( 1179573 ) on Tuesday December 01, 2009 @08:44PM (#30291670)

    I came to see the 404 jokes.
    I was not disappointed.

  • by cayenne8 ( 626475 ) on Tuesday December 01, 2009 @10:29PM (#30292672) Homepage Journal
    True, the unions served their function in the early days of their existence, but they are an anachronism today, and serve more to hurt workers and business than they do good in this day.

    They are a hindrance in the 21st century USA.

  • by Bigjeff5 ( 1143585 ) on Tuesday December 01, 2009 @11:18PM (#30293016)

    It sounds like you're a dumbass who doesn't give a shit about your clients' data if you think you don't need authentication and logging for a web app. You're about the only type of idiot SOX actually protects us from. If IT guys didn't need to SOX to tell dumbasses like you to fuck off, we wouldn't be stuck with SOX in the first place.

    I hope you don't do work for any systems that hold my data, that's all I'm saying.

  • by StrategicIrony ( 1183007 ) on Wednesday December 02, 2009 @01:36AM (#30293944)

    On the other hand, I worked in an office where a small team (three people) of server admins pulled a 10MB cable from a core infrastructure device and swapped it with a 100MB cable, with a similar attitude and the ensuing routing loop of some sort brought down an entire Fortune 100 company, costing an estimated $25 million in downtime and creating a late-night fire drill of pretty epic proportions as consultants and network admins scurried around their respective offices in 15 different cities trying to figure out why their packets were all cratering while about two dozen server admins were busy rebooting their systems, not knowing it was a network issue.

    In the process, several network admins at different properties were busy trying to create custom routes to bypass the issue, which caused months of intermittent network issues once the original link was restored properly.

    Overall, $1200 to check out the issues before hand would have seemed like a real cheap alternative, even if it was only a 1% fix.
