SarBox Lawsuit Could Rewrite IT Compliance Rules 124
dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."
not found (Score:5, Funny)
Re: (Score:3, Funny)
I tried to look up this 404 thing, but I couldn't find it anywhere.
That's funny I found it all over the web. But I couldn't find anything else...
Re:not found (Score:5, Funny)
Re: (Score:3, Interesting)
I found it 5 years ago - and it pays pretty good too!
Re: (Score:3, Insightful)
I came to see the 404 jokes.
I was not disappointed.
Budgest re-adjustment... (Score:2)
Well at least now they'll spend all that money on making sure things are actually secure!
Re: (Score:3, Insightful)
I Know! (Score:5, Funny)
That seems like a wholly reasonable request, not too burdensome, and should improve security.
Re: (Score:1)
You heard the man, noone use the Internet until this is done.
Re: (Score:2)
Re:I Know! (Score:4, Funny)
You heard the man, noone use the Internet until this is done.
I don't see why the Noones [wikipedia.org] weren't allowed to use the internet before, or why they'll have to stop when this is over, but it's nice that you're willing to let them use it a little bit, I guess.
Or perhaps you meant "no one"?
Re: (Score:1)
Is it okay if sometimes the program doesn't do anything useful with the input?
Re:I Know! (Score:4, Funny)
Slashdot is already patented, isn't it?
Re: (Score:2)
Re: (Score:1)
Re: (Score:3, Interesting)
Not if the fines scale in relation to the amount of information that was lost, and compensatory damages are included requiring payment of the estimated damages for each individual person's data loss (not an average spread to everyone). Of course the individual data evaluations must be done by a firm chosen by the courts, and paid in full by company that lost the data.
It's pretty easy to structure the law such that almost any company will be bankrupted by failing to secure data. That would also be silly, b
Re: (Score:3, Interesting)
One visible example is banking
My banking site decided that 2 factor auth meant that I had to type my info into a flash widget that analyses the typing style - I sort of doubt this is even half a factor. The CC sites I use demand I have 2 passwords - 1.1 factor auth. Basically, I'm saying that it's crap.
Re: (Score:3, Interesting)
Exactly.
Really, two factor authentication only offers meager protection from a subset of attacks, yet I can tell you that implimenting it at each company was probably a $50k project, or, for the less efficient companies, a $200k project.
ROI for Sar-Box is shit. We've got a hell of a lot more expenses for a teeny bit more security.
Re: (Score:2, Offtopic)
You do know that Red Alastor anagrams to "Retard Also", right?
It also anagrams to "Trades Oral".
Re: (Score:1)
Yeah? Well your name anagrams to Fed Relay! Oh, wait...*runs*
Re:Budgest re-adjustment... (Score:4, Funny)
And you get "Flame Wrong Orgy", which, strangely, doesn't seem all that unusual on Slashdot.
Re: (Score:2)
That sounds so logical and reasonable. Too bad that fact prevents it from being included in a law.
Re: (Score:2)
Probably because nobody really wants that. The point of most polices is ultimately to ensure that there is no responsibility for acts of GOD. Bad stuff is always going to happen. You can have good policies in place and generally do a good job of administration and still get hacked; its possible. Someone you thought you could trust could walk away with sensitive data.
I think most people agree that if you can show that you did your due diligence and complied with a good solid set of requirements and someth
Re: (Score:2)
Or they'll be able to invest that money somewhere else and become a better business. The things SOX 'protects' against are 1) outdated and 2) remotely plausible which doesn't actually protect anything. So business will still not protect anything however they won't have to invest in lawyers and consultants to implement rules that only bother the sysadmins and general productivity.
Re: (Score:2)
"Well at least now they'll spend all that money on making sure things are actually secure!"
Why, oh why!!!???
No sir: they'll spend all that money on making sure they earn even *more* money. What else?
SarBox is always the excuse (Score:3, Insightful)
Re: (Score:1)
How about rewriting the law so that every request to my IT department does result in "This functionality would break SarBox compliance", regardless of how related to SarBox the request actually is?
T,FTFY
Re:SarBox is always the excuse (Score:4, Informative)
How about rewriting the structure of the management as they clearly do not understand what 404 is all about?
404 doesn't tell you to do anything. It only ask you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually is following your controls. The auditors only task (related to 404) is to check that you do what you are saying and make a judgment on their observations.
Re:SarBox is always the excuse (Score:4, Informative)
404 doesn't tell you to do anything. It only ask you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually is following your controls.
That's the rub, and that's why this guy is suing. He owned a small accounting firm because, no matter what he did, the SarBox auditor's board determined what he was doing wasn't good enough, and the only changes they would accept would prevent him from turning a profit.
The SarBox board killed a legitimate business that was operating in good-faith compliance.
That's far, far too much power for a bunch of nameless beureaucrats.
Re: (Score:2)
He owned a small accounting firm that went out of business, damnit.
Preview is my friend.
Re: (Score:3, Informative)
The sad fact is, it probably WOULD break SarBox compliance, it's frickin retarded.
Just about everything a company does relates to SarBox either directly or indirectly, so often an IT department will become terrified to make the smallest change to avoid inadvertantly breaking compliance, or making a change while staying compliance will require more money than the change is worth.
I.e. if you request a change to save $2000 a month in productivity losses, but maintaining the change will cost $4000 a month, it d
Re: (Score:2)
http://it.slashdot.org/comments.pl?sid=1462988&cid=30289812 [slashdot.org]
Rule #1 of government.... (Score:2, Informative)
The primary purpose of every law passed has the creating 1 or more jobs, whether they are productive jobs or not.
Re: (Score:2)
Wow, thanks for that keen insight into government! Maybe next you can give us a one-line treatise on the irrelevance of unions.
Re:Rule #1 of government.... (Score:4, Informative)
I'll field that one:
Unions are irrelevant.
Re: (Score:1)
Re: (Score:2, Insightful)
I don't know. Unions have brought us a couple nice things here in the US until recently:
8 hour workdays.
5 hour work weeks.
Our 8 year old kids out of the coal mines.
Worker's comp for injuries.
Unemployment.
Labor laws.
Banning of blacklists.
Minimum wage.
Vacation leave.
Sick leave.
Liability.
Basic safety.
With all the bellyaching about unions, I think people would love it if they would have to work 12-16 hour days, 7 days a week with their kids doing 12 hour days right by them. Of course, if anyone complained abo
Re: (Score:2)
Really? So you work a single 8-hour shift every second week that spans from Saturday night to Sunday morning? How odd.
Re: (Score:3, Insightful)
They are a hindrance in the 21st century USA.
Re: (Score:2)
Hmmm.
That's a toughy. So many to choose a couple from...
I guess Vacation Leave and 5 hour work weeks?
Re: (Score:2)
Re: (Score:2)
"I'll field that one: Unions are irrelevant."
Now, I was going to respond thusly -- If that's true, then:
(a) Why do about half of Americans approve of labor unions?
http://www.gallup.com/poll/122744/Labor-Unions-Sharp-Slide-Public-Support.aspx#1 [gallup.com]
(b) Why is there a multi-billion dollar union-busting legal industry?
http://www.inthesetimes.com/article/3326/unionbusting_confidential/ [inthesetimes.com]
But then I realized that the line "the union is irrelevant" is actually a quote from one of the union-busting lawyers in the article
Re: (Score:3, Funny)
This is Slashdot I'm reading right?
Re: (Score:1, Funny)
Re: (Score:2)
Wrong.
The primary function of government is to pretend to fail.
That way they get more money and power to correct the failure. If the purpose was to "fail" then it is no longer a failure and should be considered an accomplishment.
Anytime you hear "failure of..." anything involved with government replace it with accomplishment.
SarBox? (Score:5, Informative)
I've seen SOX, but never SarBox. If you're going to CamelCase, do it right: SarbOx.
Re: (Score:2)
Agree. Don't make up your own abbreviation when there is already a standard one.
Re: (Score:2)
No no no, you have it all wrong. You didn't need to go through all that effort, and all that detail.
All I meant was that I wanted to monitor a Unix box using Sar [wikipedia.org].
That should have been easy, and I guess it's my fault for not being clear. But look at all this paperwork you generated... wow you guys sure did work hard didn't you. Sorry for the misunderstanding...
Re: (Score:2)
Re: (Score:2)
But I like SarBox...
Re: (Score:2)
That may be so, but the only hit on Google's front page with that spelling is this story.
SOX is choking our companies, kill it. (Score:5, Insightful)
I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
SOX was meant to prevent another ENRON, but those things will happen regardless of rules - look at the collapse of organizations like FannieMae, well after SOX was in place. Instead we are harming all large businesses just to prevent a one-off case that we are not really preventing anyway!
Kill SOX and let companies get back to what they do best, instead of spending a lot of time simply deciding what compliance means and using the rules to build (even more) fiefdoms within giant companies.
Re: (Score:3, Insightful)
Re:SOX is choking our companies, kill it. (Score:4, Interesting)
You can usually make the case for MOST government regulations of businesses. Laws aren't for the lawful, but for the unlawful. Wherever the line is drawn, there will always be people who skirt around at that edge.
If laws and regulations move too far away from the edge, the laws themselves become the end of, not the means of, compliance. Everyone becomes a lawbreaker, and there is no room for discretion.
You can see this in all the zero tolerance laws in place. Zero tolerance laws do not stop anything, and just make more people criminals, like little boys coming to kindergarten with a camping fork, knife, spoon gadget getting expelled because he brought a knife to school. Zero Tolerance! No excuses! He Broke the LAW!!!!
I've written on this before. I call it the "There ought to be a law" syndrome. Everytime someone says "there ought to be a law", someone needs to ask a simple question "WHY?". WHY is it that the existing laws aren't applicable? How will this new law break the necessary shades of gray around the edges? Asshats live there, we all agree. Changing this isn't going to change the asshats.
Sometimes the only thing that will change the asshats is a good old fashion asswhooping.
Re: (Score:2)
Also look at HealthSouth, which never would have been found out if it weren't for SOX.
I think we need to keep it around, but a better breed of companies need to come around to take the pain out of it.
Re:SOX is choking our companies, kill it. (Score:4, Insightful)
Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?
To use the mandatory car analogy, your argument is something like:
I put winter tires on my car, but then I was t-boned at an intersection when I ran a red light. See, winter tires don't help prevent accidents!
The two scenarios were completely different. Most of what SOX requires for IT should fall under good IT practice anyways. It basically requires controls to be implemented on financial systems in order to prevent fraudulent changes to financial data.
Now I realize people at some corporations have used SOX as a big bat to force in their own pet IT projects. Or as a way of preventing any IT changes that they don't agree with, but that isn't the fault of SOX.
If people are building personal fiefdom's within corporations, they'll do so with or without some legislation to use as an excuse.
Re: (Score:3, Insightful)
Huh? Do you even have a clue what caused the collapse of Enron vs. what caused the collapse of Fannie Mae?
It's a loose analogy to be sure, but think about it - in both cases shareholders (or stakeholders if you like in the case of FM) were lied to about financial stability. Fannie Mae claimed there were "no issues" just months before the collapse, while hiding the true extent they were in peril with the huge number of sub-prime loans they were carrying.
If you think about it there are way more parallels th
Re: (Score:2)
Instead we should have devastating fines or other punishment for companies that are found to have problems preventing fraudulent changes to data, so that companies could build in meaningful safeguards around ACTUAL financial data (with the ROI being the prevention of said fines so security groups could get funding), as opposed to safeguarding anything that smells like financial data to auditors (with the auditors of course paid more the more systems they have to audit). Let auditors audit crooks, not the innocent. Then we could also document the real bypasses to processes instead of having them but having to pretend they do not exist because auditors and high-level execs Cannot Know.
Most of the IT portion of SOX is based around having meaningful tools to have an effective security policy to tell people what they can and cannot do, as well as means to detect when those rules are violated. It is the latter portion that seems to often cause the most grief. You cannot know where the problems exist unless you provide for an accountability trail to ensure that people manipulating financial impacting data are tracked.
Re:SOX is choking our companies, kill it. (Score:5, Interesting)
Yeah, but you need to look at the bright side of SOX for us (educated security geeks). When someone wants to do something really dumb like put a web app into production with no logging and no security, you can just tell them to fuck off, because of SOX. Also, if you're a security consultant with half a brain and know how to setup auditing on *nix related systems you can make a lot of money consulting.
SOX is worth it just for being able to tell a stupid developer that he can't do something that puts the security of my systems in jeopardy.
Re: (Score:2)
Re:SOX is choking our companies, kill it. (Score:4, Insightful)
So you're the developer who doesn't think about logging, security or any other kind of operational issue when you develop? Sounds like your company has you in the right box.
Re: (Score:2)
Unelss the webapp is developed for a financial system using SOX here does not really work at all.
Re: (Score:3, Insightful)
It sounds like you're a dumbass who doesn't give a shit about your clients' data if you think you don't need authentication and logging for a web app. You're about the only type of idiot SOX actually protects us from. If IT guys didn't need to SOX to tell dumbasses like you to fuck off, we wouldn't be stuck with SOX in the first place.
I hope you don't do work for any systems that hold my data, that's all I'm saying.
Re: (Score:2)
Re:SOX is choking our companies, kill it. (Score:5, Interesting)
>I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, >or indeed for rational process to take place in the daily operation of IT.
Absolutely agree. Although the smart companies are now just giving SOX lip service and ignoring it pretty much entirely. The company I work for now, has all kinds of memos issued saying they support SOX, hotlines, etc but it doesn’t impact real work.
When SOX hit, the company I worked at, the Accounting dept came out with the required SOX doc and it was non negotiable. They had worked with an auditor that knew nothing of IT and it showed. I had to attend a week long class on how to fill out the dozens of new SOX forms (all manual paper forms) that were to be kept in notebooks!
I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings. All changes had to have the 10 pounds of forms and 10+ signatures before you could implement. There also had to be “separation of duty” which meant if you were making the change, someone else had to implement it I said “great, your gonna hire another IT group – one to implement and another to install and test”. Of course, they never did this and this “separation of duty” was never followed.
It was COMPLETE AND TOTAL NONSENSE designed by people who had no clue what they were doing or what the real world was like. Yeah, I need to put a hotfix on a server to fix a problem – I’m gonna wait 2-3 months to get on the CEO change calendar and have a meeting with the CEO But trying to talk to the accounting morons was useless – they insisted every change had to follow their written in stone procedure
After a few weeks of complaining, the process was “refined” by having Small, Medium and Large changes and Large changes were only the changes had to go thru the above process. The difference being the number of “elements” in the change – but “element” wasn’t defined by the accounting/auditing people. The solution became that all IT changes were SMALL since there was only 1 datacenter so 1 element changing!
The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just mean more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.
Re: (Score:3, Insightful)
I think you don't understand segregation of duties. It doesn't mean having a separate IT group, it means splitting duties between more than one person. For example, the person coding the change and the person implementing the change would be two separate people. Testing should also be separated out from the person who implemented the change.
This does wonders for the midnight-cowboy coder who sticks in changes at 2 am and doesn't tell anyone or bother to test.
In the case of a true emergency change, they c
Re: (Score:2)
I understand it completely and it doesn't happen in the real world in real IT depts. First, we aren't coding anything - we are implementing PTFS, hotfixes, new software releases, etc. And every place I've worked, the guy that gets the fix, tests it and implements it himself. There is no Change Control group for the sysadmins/sysprogs.
To do that you would need to have 2 separate groups - one that downloads, installs and tests on test servers and another that just implements changes into production.
Who do you work for? (Score:3, Insightful)
I want to know so I can never do business which such a shoddy shop. My company has strict SOD and we enforce it through tooling. We have three groups: Development, Test, Operations. I'm on development side so I check builds and docs into the source code control system. Test pulls it out, applies it to the test environment, runs tests. Test then passes the code and documentation to operations who updates any configuration parameters that differ between test and production systems and installs it with th
Re: (Score:2)
>Development, Test, Operations. I'm on development >side so I check builds and docs into the source >code control system.
Sounds like your an application dude and not a sysadmin/sysprog. You get source from Vendors and log that into your "source code control system"? Microsoft gives you the source to Windows so you can log the changes Microsoft makes to Windows? Who maintains this "source code control system" and who implements changes into that? Another source code control system to manage the
Re: (Score:2)
What about operations where 3 people is overkill?
Didn't think about that one eh?
There is no reason one person can't do all of it, from developement to operations, if he follows best practices in each case. Anything more than a one-man shop should always have another person checking the work at each stage, but that does not make separation of duties necessary. It also very rarely makes sense in an IT support environment, but often the rules are made to apply to the support guys anyway.
The easiest way to pr
Re: (Score:2)
I sure hope you don't work at NASA or a nuclear power plant.
Re: (Score:2)
The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a Global world out there and adding huge overhead to your domestic companies just mean more outsourcing and more domestic bankruptcies as they can’t compete with slimmer/trimmer overseas companies.
This is also known as 'race to the bottom.' It happens with corporate governance as well as taxes and wages.
Re: (Score:2)
Sounds to me like somebody in your company has a micro-management fetish. BTDTGTTS. You have my sympathy!
Re:SOX is choking our companies, kill it. (Score:4, Informative)
I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
It's doing no such thing. People may be using it as an excuse to build an empire or do stupid things, but that's not the fault of SOX. I worked for a *VERY* large financial company (the overall IT budget, across all branches, businesses, etc, was measured in the *billions* of dollars), and not once were we stopped from doing anything because of SOX. Not once was it even an issue, either.
Put the blame where it belongs, on stupid people. Then fire them.
You can only lead on so many topics (Score:2)
I've worked in companies where SOX was used to make processes more stringent and intelligent. And I work in a company where SOX has allowed the accounting/finance department to dictate all manner of corporate and IT policy.
Yes it is POSSIBLE to have rational adherence to SOX. But that seems far rather the exception than the rule.
In order to survive SOX, companies need keen leadership -- one that will prevent the sort of "SOX run amok" mentality and provide solid guidance to the company as a whole.
The probl
Re: (Score:1)
Step back and think about the big picture, do we really want brilliant leaders across the nation focused simply on regulatory compliance? What a waste of human potential!
Hi, you've met reality right? 99% of what goes on in this world is a waste of human potential.
Including this post!
Re: (Score:2)
I'm not sure, but I don't think you qualify as one of the brilliant leaders across the nation that the GP was talking about.
Re: (Score:2)
Actually, what is needed is a clueful audit response department. This department would be able to classify systems as SOX impacted or not depending on if they process data that is relevant to SOX. Then, you make sure you have a reasonably effective security policy and follow it.
It seems a lot of companies have a problem with writing a security policy that is reasonably effective. Many firms I've seen seem to do the "wink system", where they write a ridiculous policy that is impossible to follow in realit
Silver Lining. (Score:5, Interesting)
I inherited a bunch of apps that had atrocious logging practices. They were inter-twined and when a problem arose, it was very difficult to PD. Management didn't care to spend money adding some log statements, it was good enough. SOX forced us to place logging statements at system boundries. This wasn't a complete logging overhaul but it really did help with future PD.
Re: (Score:2)
Re: (Score:2)
PD PD Good for you Good for me! (Score:2)
Problem Determination?
Re: (Score:2)
Ahh, that really clears it up.
I thought it meant "Penguin Dynamite".
Yeah, it didn't make much sense to me either.
Still, it should have been Troubleshoot instead of "problem determination". Why use big words when a diminutive word will suffice?
Re: (Score:2)
It's the term favored by my organization, so I use it often and it has become habit.
And PD is shorter than Troubleshoot anyway. Who doesn't know PD means Problem Determination? Given the context of the post it seemed pretty obvious.
Can the Supreme Court efficiently rule here? (Score:1)
As a disclaimer I have to say I have worked for Financials IT for quite a while and SOX was quite literally the bane of our existence for over 3 years. Whether SOX is a true measure of compliance is still an open question on my mind
The implication here is that if the Justices do rule in favor of Beckstead, what does
1U ? (Score:2)
Are you using 1U just as an example or are there really rules somewhere about using only 1U's, and not 4U ?
Stephan
Re: (Score:1)
Re: (Score:2)
Are you using 1U just as an example or are there really rules somewhere about using only 1U's, and not 4U ?
I know right... this is Slashdot; we stick to car analogies 'round here thankyouverymuch
Re: (Score:2)
The implication here is that if the Justices do rule in favor of Beckstead, what does that say about other government organizations that "audit" citizen's affairs?
If you had read the full article you might also have noticed that the crux of the argument is that the PCOAB is set up as an independent organization independent of the executive or legislative branches. So, if the ruling goes for Beckstead nothing happens to most other "auditing" agencies. I can't think of any off the top of my head that have been granted some manner of legal authority and are not subject to some manner of appointment process by congress or the executive branch (although some of them argua
sox isn't all about IT. (Score:2, Informative)
For example... per SOX, business documents and financial reports must be kept for 7 years. If you're documents and records just happen to be in digital format
Re: (Score:1)
For example, we are slowly phasing out an old mainframe system that used to "do it all" for the organization. To support each new sub-system we must create interfaces into and out of the mainframe to access legacy functions it may still retain.
If I make a change to one of the compartmentalized systems (say... th
Re: (Score:2)
"I have a feeling that a lot of those problems are caused by management, your company's lawyers, or auditors that don't understand what you're doing, rather than the law itself."
Don't understand or don't *want* to understand? As the old Latin motto goes, 'Qui prodes?' who is benefited by all that papertrail? Those managers and lawyers that get empowered by the very paper mess they create, I say.
Re: (Score:3, Insightful)
On the other hand, I worked in an office where a small team (three people) of server admins pulled a 10MB cable from a core infrastructure device and swapped it with a 100MB cable, with a similar attitude and the ensuing routing loop of some sort brought down an entire Fortune 100 company, costing an estimated $25 million in downtime and creating a late-night fire drill of pretty epic proportions as consultants and network admins scurried around their respective offices in 15 different cities trying to figu
It's not a kind of box (Score:2)
Nitpicky, I know, but the title of the Slashdot article (not the underlying article) uses "SarBox", as if it were some brand name for a kind of box.
It's the "Sarbanes-Oxley" Act, sometimes "Sarbox" or "SARBOX" (for those who feel compelled to treat every new word they don't know as an initialism) but "SarBox" is right out.
"SOx" or "SOX" are much more common.
SarBox? (Score:2)
Who refers to Sarbanes Oxley asn SarBox? I've only ever heard of it as "SOX." I can't imagine why the "b" would be stressed, anyway.
I know this is the internet, but we really shouldn't just go around inventing acronyms for headlines.
Re: (Score:2)
Who the hell cares about Oxley? Of course it should be SarBanes-oxley.
Pfffft.
SOX and IT is Poorly Understood (Score:2, Informative)
I am a SOX IT auditor, so here are a few thoughts. Yes, I'm posting as an Anonymous Coward because I don't want my name tied to this in case someone from my firm sees this.
1. SOX is not about information security and security events. It's about determining if sufficient controls are present to prevent or detect material misstatement in the financial statements. For example, you have crappy network security. A hacker breaks in and steals customer information. While very damaging, there is no impact on
Re: (Score:2)
Re: (Score:2)
I think you meant Amendment 10 [usconstitution.net].
There is no Article 10 of the US Constitution, it only has 8 articles - you referenced section 10 of Article 1, which lays out the restrictions on the States.
Since it's short and sweet, here's the 10th Amendment to the Constitution of the United States of America:
The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
The federal government has somehow managed to get around this to a large degree by citing inter-state commerce (which the constitution states is the purview of the Feds). SOX would fall under that as well, and actual
Re: (Score:2)
Pretty much.
I didn't mean Article 10 of the Articles of Confederation.