SarBox Lawsuit Could Rewrite IT Compliance Rules 124
dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."
Silver Lining. (Score:5, Interesting)
I inherited a bunch of apps that had atrocious logging practices. They were inter-twined and when a problem arose, it was very difficult to PD. Management didn't care to spend money adding some log statements, it was good enough. SOX forced us to place logging statements at system boundries. This wasn't a complete logging overhaul but it really did help with future PD.
Re:SOX is choking our companies, kill it. (Score:4, Interesting)
You can usually make the case for MOST government regulations of businesses. Laws aren't for the lawful, but for the unlawful. Wherever the line is drawn, there will always be people who skirt around at that edge.
If laws and regulations move too far away from the edge, the laws themselves become the end of, not the means of, compliance. Everyone becomes a lawbreaker, and there is no room for discretion.
You can see this in all the zero tolerance laws in place. Zero tolerance laws do not stop anything, and just make more people criminals, like little boys coming to kindergarten with a camping fork, knife, spoon gadget getting expelled because he brought a knife to school. Zero Tolerance! No excuses! He Broke the LAW!!!!
I've written on this before. I call it the "There ought to be a law" syndrome. Everytime someone says "there ought to be a law", someone needs to ask a simple question "WHY?". WHY is it that the existing laws aren't applicable? How will this new law break the necessary shades of gray around the edges? Asshats live there, we all agree. Changing this isn't going to change the asshats.
Sometimes the only thing that will change the asshats is a good old fashion asswhooping.
Re:Budgest re-adjustment... (Score:3, Interesting)
Not if the fines scale in relation to the amount of information that was lost, and compensatory damages are included requiring payment of the estimated damages for each individual person's data loss (not an average spread to everyone). Of course the individual data evaluations must be done by a firm chosen by the courts, and paid in full by company that lost the data.
It's pretty easy to structure the law such that almost any company will be bankrupted by failing to secure data. That would also be silly, because no company can guarantee that no data will ever be stolen, so if you place the requirements too heavily on the fact that the data went missing, and disregard the amount of effort the company put into keeping the data safe, you could be destroying companies that do not desearve to be destroyed.
Generally, the best way to handle these things is to keep the language of the law vague enough that it can be decided on a case by case basis - i.e. the company did their best to protect their data, and so should recieve little or no punishment.
SarBox is the worst possible solution - it mandates security measures that are ineffective (because in the real world, the mandated measures were obsolete after a few months time) that are expensive to impliment and yield little or no added security.
One visible example is banking - you now have an image tied to your account login to prevent phishing. However, most people don't pay too much attention to it, and wouldn't care if it were different. Or, they'll use it that one time, it doesn't work like it is supposed to (because it's actually at a phishing site), they try again later and now it works (because it is now actualy at the bank website). Since it works, it must have just been some minor hiccup, and all is right with the world. Right? No, they just got their account access stolen, and if a person is smart they'll slowly siphon the money off instead of withdrawing large chunks of cash.
It's also easy to harass someone now, because of the strict regulations if you manage to find someone's account (or at a big bank, just randomly choose numbers) but can't access it, just plug a bunch of gibberish in a few times and they don't have access to their own money. That can be devastating, and it's untraceable if the harasser is using a public terminal.
SarBox aught to have been more vague, and focused on the good faith effort to secure a client's data. People get into trouble when they aren't handling data using the industry's best practices that way, for if the institution never bothered to check what the latest best practices were, they obviously weren't too interested in data security.
Setting it up that way, instead of with complex rules and regulations, give it the flexibility to adapt and apply to each situation, and there is no risk of it ever going obsolete, unlike the current SarBox law.
Re:Budgest re-adjustment... (Score:3, Interesting)
One visible example is banking
My banking site decided that 2 factor auth meant that I had to type my info into a flash widget that analyses the typing style - I sort of doubt this is even half a factor. The CC sites I use demand I have 2 passwords - 1.1 factor auth. Basically, I'm saying that it's crap.
Re:SOX is choking our companies, kill it. (Score:5, Interesting)
Yeah, but you need to look at the bright side of SOX for us (educated security geeks). When someone wants to do something really dumb like put a web app into production with no logging and no security, you can just tell them to fuck off, because of SOX. Also, if you're a security consultant with half a brain and know how to setup auditing on *nix related systems you can make a lot of money consulting.
SOX is worth it just for being able to tell a stupid developer that he can't do something that puts the security of my systems in jeopardy.
Re:SOX is choking our companies, kill it. (Score:5, Interesting)
>I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, >or indeed for rational process to take place in the daily operation of IT.
Absolutely agree. Although the smart companies are now just giving SOX lip service and ignoring it pretty much entirely. The company I work for now, has all kinds of memos issued saying they support SOX, hotlines, etc but it doesn’t impact real work.
When SOX hit, the company I worked at, the Accounting dept came out with the required SOX doc and it was non negotiable. They had worked with an auditor that knew nothing of IT and it showed. I had to attend a week long class on how to fill out the dozens of new SOX forms (all manual paper forms) that were to be kept in notebooks!
I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings. All changes had to have the 10 pounds of forms and 10+ signatures before you could implement. There also had to be “separation of duty” which meant if you were making the change, someone else had to implement it I said “great, your gonna hire another IT group – one to implement and another to install and test”. Of course, they never did this and this “separation of duty” was never followed.
It was COMPLETE AND TOTAL NONSENSE designed by people who had no clue what they were doing or what the real world was like. Yeah, I need to put a hotfix on a server to fix a problem – I’m gonna wait 2-3 months to get on the CEO change calendar and have a meeting with the CEO But trying to talk to the accounting morons was useless – they insisted every change had to follow their written in stone procedure
After a few weeks of complaining, the process was “refined” by having Small, Medium and Large changes and Large changes were only the changes had to go thru the above process. The difference being the number of “elements” in the change – but “element” wasn’t defined by the accounting/auditing people. The solution became that all IT changes were SMALL since there was only 1 datacenter so 1 element changing!
The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just mean more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.
Re:not found (Score:3, Interesting)
I found it 5 years ago - and it pays pretty good too!
Re:Budgest re-adjustment... (Score:3, Interesting)
Exactly.
Really, two factor authentication only offers meager protection from a subset of attacks, yet I can tell you that implimenting it at each company was probably a $50k project, or, for the less efficient companies, a $200k project.
ROI for Sar-Box is shit. We've got a hell of a lot more expenses for a teeny bit more security.