If it were me, I would just show them my company's written security policy
that states we only keep log/journal files for X number of years.  As long
as you have implemented that, their beef is with the owners of the policy,
not the person that implements it (i.e. you).

And I'm sure your company has a written security policy and that it does
address data retention. Right?    :-)

Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at

security400-bounces@xxxxxxxxxxxx wrote on 08/23/2006 01:16:02 PM:

I have to echo John's interpretation - Auditors are simply the
interpreters of SOX (especially section 404) and their interpretation is
subject to debate.

If an Auditor "tells you" that something must be just so, understand
that their interpretation is subject to debate.  If they say you must
hold on to data for 7 years (as a title company this could be
legitimate), you have to respond to their request.  But you don't
necessarily have to tow the line.

If I were you, I would simply do the preliminary design of a system that
could store and hold 7 years of audit journal data.  You will have to be
able to restore it to your systems (which would argue for saving the
receivers with storage free'd rather than deleting the old receivers),
process a typical request, and produce the reports in a readable
fashion.  Don't try and do it on the cheap, because if you say that you
will be able to do it, you can expect people to hold you to that
commitment.   Just lay out the costs, time, resources, and other
requirements and then let the business leaders make a judgment on what
this level of SOX compliance is worth to them.


John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
Celebrating our 10th Anniversary Year!

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].