12

I'm hoping this question will be appropriate for this site. The ServerFault people didn't think it applied to system administrators. Certainly I think it can be answered from a security perspective, if nothing else.

Ever since the passage of Sarbanes-Oxley (SOX), IT departments around the US have used "SOX compliance" as an extremely broad reason for implementing all sorts of policies.

The thing is, as I understand it, there's not one-single mention of IT in the SOX act.

I've had IT departments tell me they are unable to ship a replacement laptop to my home address because it's not permitted by SOX. I've been told I'm unable to have root access on a Unix server because of SOX. I've been told a company was unable to use git or mysql because of SOX and had to use ClearCase and Oracle instead.

Has anyone experienced this? More importantly, does anyone have any definitive information on the restrictions which SOX would impose? I know it requires truthful, accurate and timely financial reporting and certification by corporate executives, but beyond some tight controls of the financial systems, I fail to see why it should apply to general servers, code repositories or user laptops.

What are reasonable SOX policies?

Any thoughts appreciated.

wadesworld
  • If you ever want documents from a medical person or office, they will use HIPAA as a similar boogeyman. I once had some people tell me they couldn't give me my records due to HIPAA compliance. Sounds like it's a generic boogeyman used by the lazy or ill-informed to say no in such a way that you can't protest or force them to do their job. Even proving your point to such a person will not get them to comply or bend on the issue. – YetAnotherRandomUser Sep 03 '18 at 13:40

2 Answers

9

See Does (J-)SOX Forbid the Use of Open Source Software?. Excerpt from my answer there:

Fact is that throwing extra unnecessary requirements onto yourself and claiming they're regulatory doesn't earn you any brownie points, it just costs you more.

Overstatement of the bounds of SOX is common and wrong. Now, it may somehow be the case that your code is material to the company's annual financial statement and they don't want to add another system to the realm of audit, but that's probably not the case.

SOX means that root on the machine which houses the company's financials is closely guarded, but it generally doesn't have any connection to most people's workstations. The reason that there is so much madness surrounding SOX is because the law doesn't spell it out. The SEC provides "guidance", but interpretation has been pretty scattered.

SEC guidance from 2007 is a good pointer and reminder that if what you're talking about doesn't relate to the internal controls over financial reporting, it's not relevant to SOX. Thus, changing passwords every 90 days can fall under SOX (e.g., accountants authenticate to the ledger system using domain accounts), but shipping a replacement laptop to home as opposed to having you come in and take it off your desk doesn't matter.

Further, the SEC encourages companies to review controls based on risk

The Interpretive Guidance reiterates the Commission’s position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective. This allows management sufficient and appropriate flexibility to design such an evaluation process. Smaller public companies, which generally have less complex internal control systems than larger public companies, can use this guidance to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies to take advantage of the flexibility and scalability to conduct an evaluation of ICFR that is both efficient and effective at identifying material weaknesses.

Thus, think about the impact your application could have on the company's financial reporting. Not financial growth, profit, or anything else -- just the reporting. If it's not related (an easy test is "does it ever deal with dollars and cents?"), then somebody is leading somebody else astray. Perhaps you can point this out to them, or perhaps somebody is lying because it makes it easier for them to tell you what they want to say and there's nothing they can do about it.

Jeff Ferland
  • Thanks Jeff for the details on interpretive guidance and clear answer. – wadesworld Dec 19 '11 at 15:13
  • +1 Possibly related: HIPAA suffers from the same fear, uncertainty, and doubt; because the law is vaguely written at best and most people do not actually know the law very well (or at all). – Chris S Dec 19 '11 at 15:56
  • "The Interpretive Guidance reiterates the Commission’s position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective." ---- Management tells the auditors what is in/out of SOX scope not the other way around. Too many auditors want to come into an organization and tell management what is in SOX scope. – jl01 Dec 19 '11 at 19:45
4

The core message to Section 404 of the Sarbanes-Oxley Act is:

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

As all SEC registered companies (and almost all companies worldwide) rely on IT for their financials, you can see why servers, networks and IT are essential.

You are correct in that interpretation of certain SOx requirements can be variable, but some controls, such as only allowing privileged access to systems (i.e. root access) to those administrators who require it, make sense in many environments.

The problem companies have is that the requirement comes from the regulator who can effectively stop the company trading if requirements aren't complied with, so unless the company has an experienced team with enough time/resource to go in depth on requirements they may just place blanket rules just in case.

Specifically to address your points:

  • No shipping a replacement laptop to your home address - this helps avoid theft in transit, shipping to the wrong address, or fraud (from you saying you never received it etc.)
  • Root access on a Unix server - strong segregation of duties protects companies from fraud
  • The git/mysql issue I can't really pin on a SOx requirement. It seems more likely that the policy on applications in that company required a certain level of support.

Typical policies in Fortune 100 companies that cover SOx are much longer than we could add in here. I have helped organisations with upwards of 80 policies, each one having over 20 pages that have elements of SOx related controls throughout. You can get generic ones from a number of places online, but to get value from them you need to tailor them to your company's specific needs.

Rory Alsop
  • To me, the fact that a company could require 80 policies of more than 20 pages each is proof positive the companies are going WAY overboard. – wadesworld Dec 19 '11 at 15:16