Software compliance issue regarding SOX 465



  • I had a meeting with an IT director and he asked me: if a company employee is using his personal laptop and if the software applications on his laptop are pirated or have expired licenses, is the company liable under Sarbanes-Oxley sec. 404? I told him that if an employee connects to the company network with a personal laptop, the company is still liable for software compliance on that employee's personal machine. Am I right?
    Richard



  • It is not a SOX issue. It might be a legislative topic, depending on the software license and the local law.



  • Jeez, the misconceptions on SOx never cease to amaze me.
    > I had a meeting with an IT director and he asked me: if a company employee is using his personal laptop and if the software applications on his laptop are pirated or have expired licenses, is the company liable under Sarbanes-Oxley sec. 404? I told him that if an employee connects to the company network with a personal laptop, the company is still liable for software compliance on that employee's personal machine. Am I right?
    No liability under SOx.
    Possible liability under software theft legislation.
    Whether the company is liable really depends on a number of factors, such as:

    • why the individual is using a personal laptop at work
    • is he using the pirated software to carry out his job
    • is there any implicit compulsion by the company that causes him to do this.

    Of course, there is a wider issue that you're nuts to allow employees to use their personal laptops on your network for oh so many reasons 8O


  • Sorry, I disagree.

    > if a company employee is using his personal laptop and if the software applications on his laptop are pirated
    Then we have no security at all. We connect unsecured systems to secure servers. It is high risk. What about audits and reports? Will the auditor flag it high risk? Yes. Can we ignore it? No. May our CEO feel happy being responsible for "establishing and maintaining an adequate internal control structure and procedures"?
    Let's remember:
    In Section 404:
    Requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse.
    This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
    This involves establishing the necessary controls, engaging in risk assessment, implementing control activities, creating effective communication and information flows, and monitoring.
    Based on the U.S. Securities and Exchange Commission's (SEC) rulings on IT internal controls (Release No. 8238 and No. 8128), internal controls must assure the secure, stable, and reliable performance of computer hardware, software, and IT personnel connected to financial systems.
    If we connect unsecured systems to critical servers we will have a lot of problems.
    You may say: It has nothing to do with Section 404 or SOX or financial reporting.
    But it has. Where is the secure infrastructure? Where are the necessary controls? It is easy from a pirated laptop to do some really bad things to the network. Don't forget, you are inside, behind the firewall, with the unsecured laptop. You must have only authorized software on every laptop connected to the network. Also, policies, hardening, business intelligence countermeasures, software checksums for detection of trojanized versions... What about the results of the risk assessment, which (for sure) will flag the unsecured laptops high risk? Do we forget it?
    George Lekatis
    lekatis_at_lekatis.com



  • @George, you're right, but don't get carried away. The original question was regarding software licensing, and any liability does not arise out of SOx.
    Good on you for pointing out more explicitly what I was hinting at in my last line, but you would need more information before throwing the book at them 😉

