Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government Security News

Do We Need a Sarbanes-Oxley for The Internet? 54

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"
This discussion has been archived. No new comments can be posted.

Do We Need a Sarbanes-Oxley for The Internet?

Comments Filter:
  • Short answer (Score:5, Insightful)

    by truthsearch ( 249536 ) on Monday April 25, 2005 @11:31AM (#12337663) Homepage Journal
    NO!

    I spent 10 years in IT of the financial industry. The day SOX got passed everything went downhill. The problem is that it's more about accountability that actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signiture" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrisic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.

    So while we want some accountability, and IT version of SOX is not the way to go. There are other good reasons, but this is one I'm personally experienced with. It's among the reasons I left the financial industry 2 months ago.
    • The way I see it, SOX is meant to ensure that companies don't screw each other over; or maybe screw shareholders over.

      Somehow, I doubt that a SOX for the Internet would ever make companies accountable to end users.
      • Re:Short answer (Score:5, Insightful)

        by truthsearch ( 249536 ) on Monday April 25, 2005 @12:11PM (#12338161) Homepage Journal
        The idea was to hold the right employees accountable when regulations or laws are broken within a company. It's a response to Enron and WorldCom.

        The problem with doing this with the internet is its built-in distribution of responsibilities across many companies. If I get a virus do we audit my ISP, the company that built the routers, the telecom company that owns the wiring, the source's ISP, the developer of the virus (who's rarely found), the developer of the OS, server admins?

        Within one company it's relatively easy to trace responsibility. Over the internet there would be many debates, very costly audits, and rarely prosecutions.
        • It's a response to Enron...

          If it doesn't stop GWB from giving Kenney Boy a pardon, it is a meaningless response to Enron.
        • OK, if the accounting is too expensive, then maybe that part can be reduced or modified?

          But, for blog's sake keep the whistleblower protections.

          Thanks to S/O, a public company can no longer fire you simply for disclosing their illicit activities (note that a non-public company still can do so, although AFAIK this has not been tested in court yet). Otherwise Enrons and Worldcoms will happen all over again because people will be afraid to speak out, fully expecting that their employer with their army of

    • Re:Short answer (Score:1, Insightful)

      by Anonymous Coward
      The problem is that it's more about accountability that actually doing things right.

      The most eloquently stated description of SOX that I've come across yet!I would posit that this is a result of another observation you made:

      People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down

      No one can afford to be singly accountable for the work we do in corporate IT. If I unintentionally intr
    • NO!

      You misspelled "GOOD GOD NO!"

    • Re:Short answer (Score:3, Insightful)

      by SuperBanana ( 662181 )
      The problem is that it's more about accountability that actually doing things right.

      I worked for a company that had to follow Sarbanes-Oxley.

      We were required to force password changes every month or two.

      Except Mac users (at least half the company) didn't get a warning their password was about to be disabled, nor could they actually change their password, because Outlook and Microsoft's appletalk server don't allow you to change an active directory password.

      So every month or two, for two days, the ph

      • Boo hoo, wah wah, we had to enforce good security policies, and we had crappy software that wasn't up to the task, and it made our job HARD.

        That's why they passed the law; because without it, some people don't want to do their jobs, and data gets pilfered because nobody has any consequences.

        It was a pain in the ass here, too; but it finally allowed those of us who wanted to do things right to get them shoved through the "security Luddites" who wanted to be able to telnet into boxes as root instead of SSHi
        • I see you havent actually implemented real SOX compliance yet. You see, sudo ain't good enough. No solution that allows actual root privilige escalation is good enough. You need complete separation of duties with immutable audit trails and unchangable logs. Technically you'll have to use something like Etrust, selinux, secure solaris, etc. The kinds of solutions that tend to royally mess up your applications and make your job a three person job. One who grants you priviliges, one with the privilige to execu
          • I define "right" as "the auditors say I did it right, and we all get a bonus". You may feel free to define it as "this is impossible to comply with so I won't even try". Be sure to let us know what company you work for, though, so we can all sell short.
            • That's your CEO's problem, as he'll be the one attesting to the reliability of the company finances when any sysadmin can modify data without being accountable. He's the one who'll be facing jail time when the books get cooked.
    • The problem is that it's more about accountability that actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signiture" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes wa

    • A certain company I worked for created massive bureaucratic procedures that didn't increase security and all.

      The problem with a law like SOX is that the theory is to introduce new procedures to improve security and accountability, the practice is to introduce new procedures to comply with the law and fend off lawsuits.

      I suddenly had a ton of useless paperwork and busywork to do and I heard "Sarbaines-Oxley" about 20 times a day, to no improvement in security or accountability.

      In addition, in full accorda
  • Typical Crap (Score:5, Insightful)

    by bsdbigot ( 186157 ) on Monday April 25, 2005 @11:33AM (#12337692) Journal

    Yes, obviously the answer to EVERY problem about the Internet is more laws on the books. The scary thing is, with things like SOX, we spend more money and time on bureaucracy than fostering an environment which would preclude the need for SOX in the first place. Instead of criminalizing bad conduct, why doesn't the government try to encourage could conduct by, say, granting tax relief for companies that are fully SOX compliant instead of prosecuting executives that fail to make this happen. That would encourage good behavior far better than turning people off to being in business in the first place.

    Think about it - let's say you're Bill Gates or Scott McNealy; would you really want to be in a position where failure to do your job correctly would result in jail time? SOX is stupid for exactly this reason.

    Now, translate that to the internet. You are a webmaster, and because you didn't install NT4SP26 on your IIS farm, you could face 20 years in jail. Utter bullshit. Let's kill this idea before it gets any momentum!

    • I'm too lazy. What does that function in your sig output?
    • Re:Typical Crap (Score:3, Insightful)

      by jbolden ( 176878 )
      All SOX requires is that when you make statements in sworn legal documents, intend for broad public consumption, you can make a reasonable argument as to why you believe those statements are true. That's not exactly asking for the sun and the moon.

      25 years ago we had far less IT but SOX wasn't needed because we didn't have a culture of corruption in the United States.
  • by Futurepower(R) ( 558542 ) on Monday April 25, 2005 @11:36AM (#12337738) Homepage

    This kind of law requires a huge amount of wisdom to write and implement. The U.S. government just does not have that ability at present. Instead, the government is being sold to whomever will pay the most: Unprecedented Corruption: A guide to conflict of interest in the U.S. government [futurepower.org].

    • Want a recent example of the corruption in the U.S. government? Here's one from Ed Foster: Crime and Punishment, and Copyright [gripe2ed.com].

      In the U.S. government of today, anyone can get anything they want if they have money.

      Quotes:

      "After all, the music and movie industry moguls who spend so much time and money getting Congress to do their bidding are not without sins of their own. Just as an example, last month Time Warner -- a corporation with a foot in both industries -- agreed to pay [sec.gov] a $300 million fine to
  • SOX (Score:3, Informative)

    by BrookHarty ( 9119 ) on Monday April 25, 2005 @11:37AM (#12337740) Journal
    SOX is a lie to make the public feel safe. You can still move money around from departments and expenses. The accountants make money on SOX, and you get a false "Warm and Fuzzy" feeling that the CEO/CFO wont take out personal loans. But golden parachutes still exist, and sign and profit bonus's, and a zillon other ways to get the Excecutives some money.

    And the article is full of fluff, the companies he listed are already under SOX control, except offshore gambling.

    Not great detail, but a quick over at wikipedia.
    http://en.wikipedia.org/wiki/Sarbanes-Oxley [wikipedia.org]
  • NO (Score:1, Insightful)

    by Anonymous Coward
    No, we don't need ANY further regulation for the net! Net issues need to be handled by the net community and by technology. All others should keep their big fucking noses out of net business!
    • The problem is, they said that about big business, until Enron and friends collapsed. By then it was too late.

      The Internet is in a dangerously similar position: it's so free at present that even normal laws agreed in almost all jurisdictions effectively don't apply, and the results range from irritations like spam e-mails, through disruption from viruses, to serious harm via phishing, electronic fraud, and several more "up-and-coming" crimes.

      The major problem with the Internet is the fact that you can d

  • SOX is a farce that is more about show than substance. It's generated zillions of billable hours for program mangers to create lots of project plans, but it is still up to the company to decide to actually do anything concrete.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Monday April 25, 2005 @11:47AM (#12337861) Journal
    Are you talking about regulating ISPs differently? Corporate IT departments? Home computer software? All of the above? What are you talking about regulating? What is the problem that you would like to solve?

    "Sarbanes-Oxley Act for the Internet" is meaningless. How would that be significantly different from a Sarbanes-Oxley Act for your dumb face?
  • As a CEO you can't start a project called "Let's get secure!" and expect to be immune to all threats.

    Security isn't a one time spending.

    You can't spend 2 times the amount of X Dollars and expext to be 2 times more secure than spending only X Dollars!

    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.


    You have to rethink everthing everytime.
    Security nees a steady budget.
  • by 4of12 ( 97621 ) on Monday April 25, 2005 @11:50AM (#12337895) Homepage Journal

    I would advocate minimum possible regulations, particularly ingredients that require rigorous identification, government screening to prevent "slander of the state", etc.

    Delegate control and punishment measures down throught the DNS hierarchy - if you run an open relay that spews, then it's up to your provider to discipline you - or face worse consequences upstream as his provider gets angry about the flood.

  • Jesus Christ for the love of god (whichever one)...NO!...run away from SOX, its just blame deferral, endless policy creation (and not even the few needed good ones), its endless "clarifying meetings", its getting ITIL'd, its an endless stream of crap, like getting burried under a mountain of wet blankets.

    You and your colleuges get suffocated in crap, stuff that you where hired to do because, well, you know what you are doing...oh no, you must get approval to shit....

    RUN AWAY!!!!
  • It's inevitable... the government will demand for accountability of all actions on the internet. Run with me on this argument before you call me chicken little, and you will see the slippery slope that we're treading upon. Already the internet has entered case law and precedent has been set in many situations. Congress has also made some laws over actions on the net, and they plan to do more. It's only a matter of time until the whole thing gets regulated.

    And what does this imply? Well, for starters it'll require something like a SOX regulation; while it won't demand packet sniffing per se, it will demand that source and destination ip addresses, MAC addresses, and ports be logged, so that people who release viruses/trojans/spyware/spam et. al. can be held accountable. Then anyone running a "web service" may be required to take logs of activites (to be used in investigations of fraud or terrorist activities), so that authorities may request these materials upon subponea.

    And even then it won't be enough to stop identity theft, copyright infringement, and other criminal activities on the net. That when Congress will come to the "realization" that programming is what makes everything on the net possible, and finally demand that programmers be held accountable for their code. That will be the death-knell of amateur computer science, for you won't be permitted to write a program and run it on an internet-enabled computer without having to take responsibility for that program's actions, limiting one's recreational programing to toy computers and sandboxes. It will progress to the point where it will be "impossible" for a programmer to take responsibility for writing something on the internet, because he/she cannot afford the insurance that he/she will have to take out to cover the insurance necessary to protect themselves from programming lawsuits when a program they authored is used to perform evil actions.

    Obviously some people will have to be allowed to program on the net everyday, to patch programs that users find bugs in or black-hats find exploits in. The only way for these programmers to obtain programming insurance is to partake in several programming certification classes in order to obtain a license to program. Maybe I'm being paranoid, but this seems to be the logical extension of the government's desire to determine accountability for all activities towards the internet.

  • which stands for "freedom of thought, freedom of expression, and freedom of information on the Internet", i say, this is a very stupid idea.
  • by rnxrx ( 813533 ) on Monday April 25, 2005 @04:14PM (#12340839)
    SOX deals with accountability within US corporations. It doesn't speak to the operations of companies outside the US. Attempts by particular countries to legislate the Internet have historically been ineffectual at best. This would be no exception.
    • > SOX deals with accountability within US
      > corporations. It doesn't speak to the operations
      > of companies outside the US.

      Not true - it also speaks to the operations of non-US companies who have dealings with US companies. Worldwide, that includes pretty much all companies beyond a certain size.

      Loads of companies here in Australia are heading down the SOX path.
  • you want to really break 'the internet' once and for all.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...