I have to echo John's interpretation - Auditors are simply the
interpreters of SOX (especially section 404) and their interpretation is
subject to debate.

If an Auditor "tells you" that something must be just so, understand
that their interpretation is subject to debate.  If they say you must
hold on to data for 7 years (as a title company this could be
legitimate), you have to respond to their request.  But you don't
necessarily have to toe the line.

If I were you, I would simply do the preliminary design of a system that
could store and hold 7 years of audit journal data.  You will have to be
able to restore it to your systems (which would argue for saving the
receivers with storage freed rather than deleting the old receivers),
process a typical request, and produce the reports in a readable
fashion.  Don't try and do it on the cheap, because if you say that you
will be able to do it, you can expect people to hold you to that
commitment.   Just lay out the costs, time, resources, and other
requirements and then let the business leaders make a judgment on what
this level of SOX compliance is worth to them.

jte




--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
Celebrating our 10th Anniversary Year!
 

 
--
-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Jones, John (US)
Sent: Wednesday, August 23, 2006 7:01 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Journal Receiver Retention for SOX...

Well, I'm our IT Security guy and the iSeries admin. However, we're
large enough that we have a project manager who does SOX & other
compliance basically full-time. I work with her a lot on these issues
and get to sit in on the audit reviews.

If you have a few minutes, go read SOX section 404. This is what's
driving all the IT work yet you'll find IT is barely mentioned. Almost
everything is left to interpretation.


John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Dan
Sent: Wednesday, August 23, 2006 7:52 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Journal Receiver Retention for SOX...

On 8/23/06, Turnidge, Dave <DTurnidge@xxxxxxxxxxxxxxxxxxxx> wrote:

Thank you Dan. I've gotten messages kicked out of other sites, so
guess I'm getting gun-shy...


Uh, well, given the responses you've gotten here, I think *I* was the
one who got "told" (implicitly) on this thread!  ;-)

Maybe the people who "do" SOX as part of their jobs can confirm. Does
the responsibility for the IT part of SOX always/usually fall on the IT
security admin?

- Dan
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.





