erm...ok...

Story: Top tech security risks and cash-sappers
Total Replies: 16
techiem2

May 30, 2008
6:41 AM EDT
Quoting: Unsupported software: The survey found 10 percent of servers in one financial institution were running unsupported Solaris and Linux software. If these systems fail, data recovery could prove costly and difficult. These systems would also fail to stand up to scrutiny from Sarbanes-Oxley regulations.


So he's saying that data recovery is cheap and easy on servers running "supported" software (whatever that means)?

I'm not familiar with the regulations mentioned, so I can't comment on that.
dinotrac

May 30, 2008
7:47 AM EDT
Sarbanes-Oxley is the latest Chicken Little hammer.

It "requires" whatever your company's SOX compliance team can convince you it requires. "Over-reach" is a term that has no meaning when dealing with SOX specialists, consultants, and/or auditors.

The Sarbanes-Oxley Act itself is one of the few concrete things to come out of the whole Enron/WorldCom/etc. fiasco. It requires the top officers of public corporations to certify that they have put internal controls in place to ensure that material information about the company's operation gets divulged to stockholders. It also requires that those internal controls be subjected to an external audit.

From what I can see, more than anything, SOX is a concerted effort to ensure that American companies have no productivity advantage over anybody else in the world, including members of that newly discovered tribe of primitives in the Amazon forests.



gus3

May 30, 2008
8:09 AM EDT
Not having access to the original report, I can't vouch for its contents.

That said, I think the ZDNet Asia article sounds like a PR release from the report's authors, to stir up interest in the report. They've thrown out a bunch of vague ideas that most MCSEs and SANS subscribers could come up with, given a summary description of each "problem," and then moved on, knowing they've created one more fleck of FUD.

I'm not impressed.
tuxchick

May 30, 2008
10:22 AM EDT
Same tone, tactics, and motivation as that "OSS costs god-fearin' hardworkin' perpiatary software companies sixty kabillion dollars!" report. That was a good one.
jhansonxi

May 30, 2008
12:56 PM EDT
According to their web site (if this is the same company) they are in the IT management and risk-assessment business so this is nothing more than sales propaganda. Marketing departments create this garbage all the time. If they hadn't put "Solaris" and "Linux" in the summary it wouldn't have gotten any readers outside their own sales department and partners. They put these key words in to gain traffic from search engines. Names like "Linux" and "Solaris" are globally more unique and get more attention in their market. "Windows" is a generic term which picks up a lot of building supply stores. This survey has nothing to do with the real world so ignore it. http://bdna.com/solutions/
jdixon

May 30, 2008
1:39 PM EDT
Since when is Solaris "unsupported"?
gus3

May 30, 2008
6:56 PM EDT
Quoting: they are in the IT management and risk-assessment business so this is nothing more than sales propaganda.
Gartner, warmed over.
moopst

May 30, 2008
7:37 PM EDT
@jdixon

Where I work we're going from Solaris 8 to 10 and Oracle 9 to 10 to stay with supported versions. If we don't get to Oracle 10 by some date we will have to pay $60,000 / month.

That said, supported code from a company whose name rhymes with SteapleSoft at random times throws an error saying "Pure virtual function called". The support offered was "Send us your core dumps and crank up the debugging" followed by "Um, we're not going to fix it." Nice.
GDStewart

May 30, 2008
8:07 PM EDT
Given who in the company SOX is intended for, I don't really see how that would affect productivity. It is a perfect example of a massively overwritten new law written because the existing laws were not enforced, usually in a zeal to deregulate a (sarcasm) severely put-upon multi-multi-billion dollar industry (/sarcasm). In defense of the lawmakers however it should be noted that no law has ever been written (overly or otherwise) that a sufficiently motivated corporate lawyer or law firm could not punch a hole big enough for an entire industry meltdown through it. Especially when LOTS more money, and therefore motivation, is involved.
dinotrac

May 30, 2008
9:20 PM EDT
> I don't really see how that would affect productivity

Then you aren't paying attention.

Aside from the costs associated with direct compliance -- auditors, etc -- you have the side effects. For instance, I'm at a place right now where we practically had to unleash the Hounds of Hell to get MySQL on a Linux box to help us with a project.

Funny thing is, MySQL is one of the company's approved tools, just not for us.
jdixon

May 31, 2008
5:11 AM EDT
> I don't really see how that would affect productivity.

You want a better example? To comply with Sarbanes-Oxley, the higher-ups at the company I work for have decided that anytime a computer changes hands, the hard drive must be wiped to DOD specs and the machine re-imaged with the company-approved image before it can be transferred.

OK, well and good. Except when the person giving up the computer is transferring to another job and the person receiving it is taking over their job. In that case, the relevant data on the computer (essentially all of it) must be saved, the hard drive wiped, the machine re-imaged, all specialized applications which aren't in the image reloaded, and the data copied back to the computer. Which essentially recreates the computer in its original state.

On average, it probably takes about 4 hours or so to load a machine with the relevant applications and data and an hour to remove and reinstall the machine. I've seen it take anywhere from 2 hours to 16. I usually wipe the hard drive overnight (8-12 hours). Worst case, the computer is located at a remote site which is a 3 hour drive from my office, so I have to make two trips. Best case it's in my building. So, it can take anywhere from a couple of hours to almost 4 days to do this.

That's wasted time. All you should have to do is move the relevant data to a temporary location on the hard drive, wipe the user profile and any personal data they have, create the new user profile, and move the data back. Which would take a couple of hours and can be completed remotely. But Sarbanes-Oxley rules.
dinotrac

May 31, 2008
7:12 AM EDT
jdixon --

I like that one. Similar situation in my current assignment. Took me 2 weeks to get a working telephone, too!!!!
GDStewart

May 31, 2008
3:34 PM EDT
Yes I am paying attention. Here is the overview from Wikipedia:

Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below.

* 1) Public Company Accounting Oversight Board (PCAOB)

Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.

* 2) Auditor Independence

Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation policy, conflict of interest issues and auditor reporting requirements. Section 201 of this title restricts auditing companies from doing other kinds of business apart from auditing with the same clients.

* 3) Corporate Responsibility

Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 implies that the company board (Chief Executive Officer, Chief Financial Officer) should certify and approve the integrity of their company financial reports quarterly in order to establish accountability.

* 4) Enhanced Financial Disclosures

Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.

* 5) Analyst Conflicts of Interest

Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.

* 6) Commission Resources and Authority

Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, adviser or dealer.

* 7) Studies and Reports

Title VII consists of five sections and is concerned with conducting research for enforcing actions against violations by the SEC registrants (companies) and auditors. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.

* 8) Corporate and Criminal Fraud Accountability

Title VIII consists of seven sections and is also referred to as the "Corporate and Criminal Fraud Act of 2002". It describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.

* 9) White Collar Crime Penalty Enhancement

Title IX consists of two sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

* 10) Corporate Tax Returns

Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.

* 11) Corporate Fraud Accountability

Title XI consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.

History & context: events contributing to the adoption of SOX

A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000-2002. The spectacular, highly-publicized frauds at Enron (see Enron scandal), WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. These frauds and others resulted in over U.S. $500 billion in market value declines. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002. Specific contributing factors and events included:[2]

* Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on the behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management.

* Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial "watchdogs" for investors, also performed significant non-audit or consulting work for the companies they audited. Many of these consulting agreements were far more lucrative than the auditing engagement. This presented at least the appearance of a conflict of interest. For example, challenging the company's accounting approach might damage a client relationship, conceivably placing a significant consulting arrangement at risk.

* Securities industry conflicts of interest: The roles of securities analysts, who make buy and sell recommendations on company stocks and bonds, and investment bankers, who help provide companies loans or handle mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor conflict, issuing a buy or sell recommendation on a stock while providing lucrative investment banking services creates at least the appearance of a conflict of interest.

* Banking practices: Lending to a firm sends signals to investors regarding the firm's risk. In the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Others interpreted the willingness of banks to lend money to the company as an indication of its health and integrity, and were led to invest in Enron as a result. These investors were hurt as well.

* Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks, while quietly selling them. The losses sustained also helped create a general anger among investors.

* Executive compensation: Stock option and bonus practices, combined with volatility in stock prices for even small earnings "misses," resulted in pressures to manage earnings.[3] Stock options were not treated as compensation expense by companies, encouraging this form of compensation. With a large stock-based bonus at risk, managers were pressured to meet their targets.

Financial accounting, and holding corporate officers responsible for it. Nothing about what approved computer applications can and can't be run. Nothing about getting telephones. Nothing about DOD wiping and re-installing all software every time an employee leaves. The legislation is aimed directly at corporate officers. Not employees. The only thing that I can see that may have bearing on any of what either of you describe is under the white collar crime, but the overview description doesn't seem to support that.
jdixon

May 31, 2008
4:41 PM EDT
> The legislation is aimed directly at corporate officers. Not employees.

The officers also have to certify that procedures are in place to meet certain requirements. One of those requirements for my company is that privileged information not pass from one part of the company to another. That's why they have the rule about wiping the hard drive before the computer changes hands. They have no way of being certain that there isn't information on the drive the person receiving the computer shouldn't see. So they institute a blanket policy and require everyone to follow it.
dinotrac

May 31, 2008
5:31 PM EDT
> Here is the overview from wikipedia:

Too bad I don't work in Wikipedialand instead of the real world.

The problem is that putting your name on the dotted line makes criminal prosecution a possibility, therefore...folks get a little nervous about compliance. Easiest way to comply is simply to make a list of "this is good" and forbid anything not on the list.

That's also the easiest way to kill productivity and creativity in the ranks. That's probably the intent, now that I think about it. Lots of muckety-mucks think they are the source of all goodness and that employees just follow orders.

At any rate, SOX sux.
Bob_Robertson

Jun 01, 2008
6:54 AM EDT
> The problem is that putting your name on the dotted line makes criminal prosecution a possibility,...

Which was one of SarbOx's _selling_ points, politically. There was a huge advertising campaign first about how companies were failing but the execs were not "held accountable". But since the prosecution is now tied to government enforcement rather than stockholder civil action, the politicians now get to selectively enforce. Watch those campaign contributions flow!

I see it as just another symptom of the collapsing American empire.

As you might imagine, the economists over at Mises.org have choice words for/about SarbOx:

"Sarbanes-Oxley, of course, was just a small step along the yellow brick road that will lead to total rule over private industry..." http://blog.mises.org/archives/007280.asp

"Sarbanes-Oxley regulation leads to overseas listings or even incorporation." http://mises.org/story/2320

"The PCAOB (Public Company Accounting Oversight Board) is a corporation created by the Sarbanes-Oxley Act of 2002" http://blog.mises.org/archives/007372.asp

"Bob Greifeld, the President and CEO of Nasdaq, was once a great critic of Sarbanes-Oxley (SOX), citing the anti-competitive drag..." http://blog.mises.org/archives/006481.asp

"The Business Roundtable, with 160 of the largest U.S. companies, says its members paid $10 million each on Sarbanes-Oxley (SOX) compliance in 2004." http://blog.mises.org/archives/003418.asp

jdixon

Jun 01, 2008
8:47 AM EDT
> ...just a small step along the yellow brick road that will lead to total rule over private industry.

And there's a word for public control of supposedly private assets. It's called fascism. :(
