This is another example of why companies need to have written security
policies.  Policies define, among other things, the organization's
interpretation of SOX. If SOX (or any other regulation/standard) does not
specifically mandate settings (and most don't, or only in a very few
instances), then as long as a system administrator has implemented the
organization's policies, the auditor has to argue with the policy owner.

I understand that many companies and system administrators assume --
incorrectly -- that sysadmins are responsible for defining policy. But
that's one of the main reasons for SOX.  SOX is an attempt to make the
rightful owners of policy legally responsible for policy (not to mention
its implementation). Corporate officers or management are ultimately
responsible for defining which employee roles are allowed to perform which
functions on which business assets for which purpose.  System
administrators are only responsible for ensuring those policies are
enforced on their systems.

For example, it is management's responsibility to declare that only
accounting department employees are allowed to use the HR salary database
using the payroll application in order to print payroll checks. It's the
system administrator's responsibility to implement appropriate security
mechanisms in order to enforce this policy.

It follows that it is management's responsibility to define/declare data
retention periods, etc.

From a sysadmin's point of view: Got Policy? Don't Got SOX issue...


Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at


This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].