I think the problem is that the policy owner is seriously (and maybe
overly) concerned with the perceived ramifications of SOX, and has set
the policy higher than (actually) necessary. The amount of money and
effort being spent on this (that I can see) is mind blowing... 

We have security policies, but the main reason I put forward the inquiry
was to get exactly what I got - input, outside our box... 

Thank you. Keep it up! 


-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Thursday, August 24, 2006 2:00 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Journal Receiver Retention for SOX...


This is another example of why companies need to have written security
policies.  Policies define, among other things, the organization's
interpretation of SOX. If SOX (or any other regulation/standard) does
not specifically mandate settings (and most don't, or only in a very few
instances), then as long as a system administrator has implemented the
organization's policies, the auditor has to argue with the policy owner.

I understand that many companies and system administrators assume --
incorrectly -- that sysadmins are responsible for defining policy. But
that's one of the main reasons for SOX.  SOX is an attempt to make the
rightful owners of policy legally responsible for policy (not to mention
its implementation). Corporate officers or management are ultimately
responsible for defining which employee roles are allowed to perform
which functions on which business assets for which purpose.  System
administrators are only responsible for ensuring those policies are
enforced on their systems.

For example, it is management's responsibility to declare that only
accounting department employees are allowed to use the HR salary
database using the payroll application in order to print payroll checks.
It's the system administrator's responsibility to implement appropriate
security mechanism in order to enforce this policy.

It follows that it is management's responsibility to define/declare data
retention periods, etc...

From a sysadmins point of view: Got Policy? Don't Got SOX issue...


Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at

This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at

This thread ...

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].