> > <rant>
> The problem is that there is no accountability at the top for allowing
> systems to be run in an insecure manner. It seems that neither Boards
> of Directors nor C-level corporate officers understand that, these
> days, a significant chunk of the risk that they need to manage arises
> out of their use of IT systems. Either that, or there is no impetus to
> *really* manage risk at any level. This is not rocket science. It is
> risk management. Risk is not being managed top-down in any structured
The Sarbanes-Oxley Act has also been called 'the Lawyers' Full-Employment Act'. Big fines and jail time if a CFO signs 'zee paper' that says (or implies), among other things, that there is no unauthorized 'acquisition' of financial assets (Betty Joe at the front desk can't read financial docs, memos, spreadsheets, general ledger, journal entries, confidential information, etc.) for public companies.

HIPAA violations can not only result in jail time, but the individual company that is non-compliant can have Medicare payments withheld (as well as fines and jail time).

GLBA (for financial institutions: that includes your stock broker and the 2-man mom-and-pop mortgage company!) specifies fines and jail time as well.

These fines and jail time will directly target the C/Board level, and only indirectly affect the security teams (they may lose their jobs when the company they work for goes bankrupt).

It's only a matter of time before the lawyers finish up with big tobacco and move on to SARBOX/HIPAA and GLBA work.

> > My $0.02.

I'll see you that .02 and raise you 5 million dollars (the maximum fine under SARBOX).

--
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html