Back in the old days, I recall a finance type person saying something like: The
Gold Standard is that it should take collusion between two or more people to
defraud the company.
If we apply that to IT, then shouldn't pswds for privileged userids that can
access/change financial data be long enough that TWO sysprogs can each be given
half a pswd so they both have to be present to make a change?
Les
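Added example, not from the thread: the two-person idea above, implemented with XOR secret sharing rather than by handing each sysprog half of the literal password (a half string cuts the search space an insider or attacker must cover, whereas a random share reveals nothing on its own). Names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Split `secret` into two shares with a one-time-pad XOR.

    share_a is uniformly random; share_b = secret XOR share_a. Each share on
    its own is indistinguishable from random, so one custodian alone learns
    nothing about the privileged password.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; both custodians must present their share."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def commitment(secret: bytes) -> str:
    """Digest stored beside the shares so a reconstruction can be checked
    without keeping the secret on disk. For a low-entropy password a slow or
    keyed hash should replace plain SHA-256 to resist offline guessing."""
    return hashlib.sha256(secret).hexdigest()


def dual_control_release(share_a: bytes, share_b: bytes,
                         expected: str) -> Optional[bytes]:
    """Release the privileged password only when both shares combine to the
    committed value. A wrong or missing share yields None, which is the
    event a real system would log and alert on."""
    candidate = combine_shares(share_a, share_b)
    if hmac.compare_digest(commitment(candidate), expected):
        return candidate
    return None


if __name__ == "__main__":
    pw = b"correct-horse-battery-staple"   # constructed sample password
    a, b = split_secret(pw)                 # one share per sysprog
    digest = commitment(pw)
    print(dual_control_release(a, b, digest) == pw)            # True
    print(dual_control_release(a, bytes(len(a)), digest))      # None
```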
Alan Altmark wrote:
On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel <tehue...@gmail.com> wrote:
Does it really matter? SOX is just another way congress has come up with to
destroy the American economy, and in fact the American way of life.
When you read the law, you find that SOX is "simply" a way to hold
executives responsible for the financial statements issued by their
companies. Assuming no ill intent (no comments, please!), that means
trustworthy data. That flows downhill, as all such things must, until we
start talking about access controls and audit mechanisms for financial
data. That is, knowing who has the means and the opportunity to access
the data, and knowing who has actually done so. (I leave it to others to
talk about motive.) Who, what, where, when.
Unfortunately, IT security industry consultants have mangled this laudable
concept into a paranoia-inducing behemoth that has people screaming in
terror as it rampages across the country, flogging every sysadmin in its
path. Why? Because financial status is inferred from many other data
sources and no one wants to spend the time it takes to follow all the data
flows. Result: Secure Everything.
With HIPAA and PCI running alongside, the "Secure Everything" policy looks
even more reasonable to CEOs, CIOs, CFOs, and their lawyers.
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott