Comments: Sarbanes-Oxley - what the insiders already know

One thing that a lot of people miss about Sarbanes-Oxley, regarding its actual applicability in the "field" of IT security, particularly bits like section 404, is that it's _extremely_ fuzzily defined as to how it affects infosec--its concept of "controls" is so broadly laid out that every consultancy in sight is using it as the generic catch-all for companies worried about compliance.

As it's not (to my knowledge) been court-tested yet in specific IT-related instances (and won't be for a while, most management I know are so worried about it), I've seen projects aimed at almost ridiculously granular control of IT components just to make sure the law is followed, without really bothering to look into the whys of what's being done (viz. things like archiving of company internal IM text, etc.).

- -John

Posted by John M S at September 6, 2004 12:54 PM

Since the passage of Sarbanes-Oxley I have had the pleasure of talking at some length with the CFOs of two public companies about the impact of compliance. In both cases they lamented that the new law caused CEOs and other senior management to be engaged to such a degree as to substantially remove them from their normal duties in running the corporations. If my sampling is indicative of Sarbanes-Oxley's effects, then it may become one of the hidden reasons for a slow, but eventual, decline in U.S. productivity that until now has been hidden by falling wages from outsourcing.

steve

Posted by Steve S at September 6, 2004 12:56 PM