802.1X Layer 2 Port based Authentication and SOX 403



  • I am a network consultant assisting a client in procuring new LAN and WAN equipment. A LAN/WAN manufacturer whom the client is considering stated the client should buy one style of networking equipment over another because, ‘Sarbanes/Oxley is now requesting that companies start moving towards Layer 2 port based authentication (802.1X).’ They also implied a large client of theirs had to replace their networking equipment to comply with SOX because of this issue.
    Could anyone comment on the manufacturer’s statement?



  • SOX requires that a company has effective control over their financial statements and disclosures, as well as the related processes.
    This also has implications for IT. You have to cover general IT controls and application controls. One of the general IT controls is e.g. deliver and support, which includes amongst others the managing of data, operations and facilities. So if your IT isn’t capable of providing a stable and reliable infrastructure, then you have to take some actions, because that also has an impact on your financial processes. This may include the change of hardware.
    But saying that SOX requires a certain technical IT standard is, sorry to say, total bullshit.



  • Agree with holger, the manufacturer’s statement is bullshit.
    The nearest SOX gets to mandating any standard is on use of COSO for the overall control framework - and that is merely a strong suggestion rather than a requirement.



  • I am in total agreement with both Denis and Holger. In fact, not only is it bullshit, I think it is a totally unprofessional marketing ploy trying to promote products based on (unwarranted) fear of something folks still aren’t understanding. From that point alone I would avoid any vendor that would resort to such tactics like the plague.
    As I’ve said before in several other threads… The decision whether to adopt or implement one particular control technique or technology has to be an informed, risk-aware BUSINESS decision. It’s got to be reasonable and effective in your own specific circumstances.



  • Just wanted to say thanks to those who responded to my question. Although I felt I knew the correct answer, not being trained in SOX I felt I could not make any real comment on the manufacturer’s position. But with your feedback I can. And while I can’t be as blunt as some of your comments are (though I want to be) I look forward to telling them what you have said.
    Thanks again for your assistance.
    Scott Wise



  • I agree with everyone else in saying that anyone who states that such and such product or procedure is mandated by SOX is spouting complete BS.
    Scott - think of SOX as a set of guidelines that a business needs to abide by - it’s up to you to figure out how to implement the best practices that are appropriate for your organization.
    I highly recommend you do a Google search on the SEC’s Title-17A4 regulation for brokerage firms and transfer agents. Although it is not SOX, it does include a set of best practices that are good for organizations to start with.
    If you need any more info, feel free to email me at keycomply_at_gmail.com

