> I'm curious to know, if anyone has deciphered the
> Law as it applies to IT,

Yes, large piles of lawyers and auditors have :(

> and does anyone have an
> itemized list, (probably by application level), as
> to exactly what is required?.

Not likely - at least in the form that you have described it.  Among the
difficulties is the fact that no-one outside of your company can hand
you an itemized list of concerns that addresses all of your exposures.
The obvious reason why is that no one outside of your company has a
clear idea of what the heck your IT systems do (and if you're like a lot
of other companies, maybe nobody inside the company has a clear idea
either).

However, the approach most are taking to SOX is to adopt an IT auditing
framework such as COSO, or ISO17799, or COBIT (COBIT seems to be the
leading standard here in the U.S.), and then demonstrate to your
external auditors that you are adhering to an industry standard
framework.  The auditors cannot say for certain that you are then
secure, but they can attest that proper controls are in place to prevent
tampering and fraud.  That is the stated goal of SOX (See section 404).

And when you break down section 404, it essentially says that:

"management will establish and maintain an adequate internal control
structure and procedures for financial reporting; and obtain from an
external auditor an assessment of the effectiveness of the internal
control structure and procedures"  (I paraphrased just a bit).

This means that:

1. The CEO has to get the auditor to give him/her a letter that says
that you have procedures and controls in place.

2. The auditor will only cough up that letter if you can convince the
auditor that you are minding the store.

3. The easiest/fastest way to convince the auditor that you are
minding the store is to demonstrate that you are following an industry
standard security framework (such as COBIT).  Otherwise the auditor is
going to have to inspect each and every one of your local procedures.

> The law is so broad in its implication, that it's
> not difficult for some software companies to read into
> this, and convince their clients that 'their' solution is
> what is needed.$$$$$$


I know of lots of companies (my own included) that offer software
solutions that assist in SOX compliance.

But the requirements are so far reaching, I know of no company that can
guarantee SOX compliance all by themselves.

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com