[identity profile] mightyj.livejournal.com posting in [community profile] techrecovery
Forgive me Boss-Man for I have sinned.  I have transgressed against the Gods of SOX.  I, in my role of Local Sys Admin, did disable a user's account when they quit rather than wait for the authorities on high to issue a summons to the Desk of Help.  I, in my foolish pride, did put security of my local network above bureaucratic nonsense and therefore did disable said account 5 days earlier than it would have been had proper SOX protocols been followed.  Verily, Boss-Man, what is my penance for my transgressions?

Any of the rest of you have to put up with all this pain-in-the-SOX nonsense?

Date: 2006-07-19 05:43 pm (UTC)
From: [identity profile] jon787.livejournal.com
WTF is SOX?

Date: 2006-07-19 05:46 pm (UTC)
From: [identity profile] compwizrd.livejournal.com
Sarbanes-Oxley.

Now, beyond that, http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

Date: 2006-07-19 05:53 pm (UTC)
From: [identity profile] jon787.livejournal.com
Okay, that's what I found while googling too, but I don't see how it fits in.

Date: 2006-07-19 06:00 pm (UTC)
From: [identity profile] jon787.livejournal.com
Oh, so it's like ISO 9000 compliance?

Date: 2006-07-19 05:44 pm (UTC)
From: [identity profile] compwizrd.livejournal.com
I'm glad I live north of SOX and HIPAA, though neither would apply to us anyways.

Date: 2006-07-19 05:54 pm (UTC)
From: [personal profile] jecook
I have not had to deal with SOX at all, but I've had to put up with HIPAA.

Fortunately, the company I'm at now IIRC does not need to comply with either law, but instead has an entirely different set of rules to play by which are almost as bad.

Date: 2006-07-19 06:16 pm (UTC)
From: [identity profile] gilmoure.livejournal.com
I wear flip flops, no sox.

Date: 2006-07-19 07:54 pm (UTC)
From: [identity profile] flainn.livejournal.com
Yup. Banking/finance sysadmins have to deal with some of the weirdest stuff out there. I have been for the last nine months.

Date: 2006-07-19 11:15 pm (UTC)
From: [identity profile] http://users.livejournal.com/shiara_/
SOX has made a project/product-launch all that more enjoyable.

Truly.

I just open this form here.... print it out, and begin filling in all of the data, printing out documents and emails and other electronic documents to paper to paper clip, staple and attach to this form, and fill out more of the data, repeating the process, and when I'm done...

... store it in a box at Iron Mountain with other documents from this wonderful project/product launch where no-one will see all of my hard effort in documenting, and the box will be destroyed seven years from now, or whenever I deem its time on earth as mass to be final, whereby it will be destroyed through whatever means Iron Mountain uses to destroy. In destroying the box, I hope it will go through the scientific process and become heat, thereby creating greenhouse gasses and destroying the ozone.

Oh, nuts, I forgot to document in the SOX-doc when the box at Iron Mountain should be destroyed. Should I've?

Date: 2006-07-20 08:11 am (UTC)
From: [identity profile] the-s-guy.livejournal.com
Allow TPTB to define the process, and register a (written, not emailed) note through channels that this will result in much poorer security. Keep a copy of the written note, the people it was sent to and on which date.

Do not offer opinions in the note as to whether the company's security should be good or bad. Merely list the problems that the policy will cause. That way, when the crap hits the fan, you have your documentation saying that you noted the problem and reported it, but did not have the authority to fix it.

Date: 2006-07-20 12:26 pm (UTC)
From: [identity profile] redqueenmeg.livejournal.com
Heh, everything I've seen calls it Sarbox.

I used to get users calling me all the time, "It says this computer has been locked by so and so and that YOU can unlock it!" "No, it doesn't, it says an administrator can, and I'm not that kind of administrator. Reboot the computer." "ARE YOU SURE?" "YES." "OH MY GOD, I WAS ABLE TO LOGIN!" heh.

Date: 2006-07-20 04:29 pm (UTC)
From: [identity profile] susano-otter.livejournal.com
Yours is not a stable strategy.

SOX imposes harsh penalties for even the smallest infractions. Under SOX, what you did puts the future of the company in severe jeopardy, and puts the executives at risk of facing serious criminal charges.

Furthermore, by taking matters into your own hands, you obfuscated the jackassery that is SOX.

Had you let the SOX process run its course, and your network had been hax0r3d as a result, that could have been added to the List of Reasons Why SOX is Bad for the Economy and Whatnot.

Instead, you hid the true cost of SOX from the world, while simultaneously griefing your senior management, risking your own job security, and risking the job security of everybody else at the company (on account of SOX violations generally causing large fines, reduced consumer confidence in your company, and negative analyst reports about your company). Is that really what you had in mind?
