What Does SOX Say About IT Authority?



  • Hi, does SOX cover IT authority regarding technology resource monitoring?
    My specific question is the following:
    If IT wants to check or inspect a user's workstation, does it have to inform the user? Should IT do the inspection while the user is there, or could it be done at any time, even without the user being there?
    Thank you



  • Sarbanes-Oxley doesn’t specifically deal with technology resource monitoring. It encourages companies to follow best practices (COBIT) when dealing with Information Technology.
    Your question would be better answered by looking over your individual company’s policy on that matter.



  • Hi - As Jason shares, SOX regulations are more about IT financial system controls. This is still a good security question, and the following are some key points:

    1. As a starting point, all equipment is property of the company, and they have a right to inspect it, as well as to monitor all access for security purposes.
    2. Be careful with respect to state laws (e.g., California and other states have enhanced laws to protect employee privacy, even when using the business owner's property).
    3. Also, to avoid legal action by the employee, your policies should state that the company has the right to inspect or monitor all business resources. It’s beneficial to also have employees sign an annual acknowledgement letter related to security and corporate policies as part of this process.
    4. As part of the security policy, it’s important to spell out potential areas where violations could result in disciplinary action (e.g., extensive Internet surfing, inappropriate site visits, improper use of email, using equipment for personal business purposes, etc.).
    5. If you have a corporate legal department, I’d recommend touching base with them (and possibly HR or audit, as applicable). I’d keep the name of the employee confidential, just in case everything turns out okay.
    I think the answer is ‘yes’ regarding the overall right to inspect employee equipment. However, you also want to do this on an exceptional basis where there is probable cause, so that most employees have a reasonable expectation of privacy in the workplace.


  • Harry posts exactly the correct response for the situation described.
    However, this has nothing to do with what SOX requires. SOX requires very few specific things. Companies need to work out what their risks are and determine what they believe to be the appropriate response.
    SOX requires judgment; there is not a banal set of rules to follow.



  • SOX requires judgment; there is not a banal set of rules to follow.
    While some may be looking for firm guidance (we all were in year 1), most now realize that we are fortunate that we did not get what we wished for.
    As Denis stated, almost everything in SOX requires judgment based on an individual company’s risk profile.

