[Nottingham] Sarbannes Oxley experiences

Alex Tibbles alex_tibbles at yahoo.co.uk
Fri Sep 9 07:47:55 BST 2005


--- Matt Bunter <matt.bunter at wanadoo.fr> wrote:

> Robert Postill wrote:
> 
> >Hi,
> >Ages ago an e-mail from Matt Bunter landed about this, as it happens
> >I've recently started a contract for a bank and have had to talk a deal
> >of Sarbanes Oxley with other folk while trying to get an LMS (Learning
> >Management System) up and running...I can't say too much as I'm under
> >NDA but some things I have noticed are:
> >* It seems that SOX compliance for a system is based on the following:
> >	+Auditing: nothing should happen without it being logged.
> >	+Encryption: No more telnet for you :)
> >	+Verification: You can't authenticate too many times...sigh.
> >  
> >
> I'm seeing pretty much the same sorts of things.
> 
> One of the biggest problems is the use of 'system' accounts for stuff 
> like Oracle, or batch jobs, or sys admins on servers.
Which aspect in particular do system accounts cause problems for? Was it
audit? Was it a matter of painfully delegating all
non-audit-admin-related powers (eg. "turn off auditing") to a new role,
which was then used by the admins?

<snip>
> One of the areas that I see as un-workable is the separation of duties. 
> That is unless you clone people very quickly or start hiring. There is 
> also the request, accept, approve issue for change management. We are 
> having all sorts of fun with this at the moment - people starting to 
> play too much politics.
Oh dear!

> >*Training turns out to be a massive piece, you need to be able to prove
> >no-one is ignorant (hence the LMS).
> >
> I'm finding it difficult to understand how that is going to be measured.
Is not the measurable quantity that the organization audited has made
measurable efforts to ensure that all appropriate individuals have
watched the training video (by recording when they do), passed the
multiple choice exam (by storing their pass-mark), etc?

> >  This turns out to be time consuming
> >and tricky, because of both the amount of training to be delivered and
> >the number of people you need to give it to (pretty much everyone).
> >*This is one of those areas where the big firms (PWC,CGEY, Accenture,
> >KPMG et al) are raking it in, frankly the stench of consultancy overload
> >hangs heavy in the air at most places (I'll hasten to add that I'm
> >possibly part of that stench) and I can't see it getting better for a
> >while yet.  It's likely that people will be taken to the cleaners for a
> >few years yet.
> >  
> >
> Plus ça change.
:)

Alex
