Sox & EOL software



  • Hey everyone,
    I have an issue that I need some clarity on and also documentation for. It seems that the client I am working with now is running a Windows NT 4.0 domain. The domain is used for authentication into the network as well as for controlling security within the network. The resources within the network require you to first log into the network to access them. These resources include the financial systems.
    Now the issue here is that as of Dec 31, 2004 Microsoft no longer supports Windows NT 4.0, nor does it create any security patches, hotfixes or service packs. These Microsoft support items are the key patches that are downloaded in the event that there is a newly discovered breach in the NT 4.0 software, and the hotfixes also address any issue with 3rd party software / hardware that is located on the server. Now the only servers that are running on Windows NT 4.0 are the Primary Domain Controller and Backup Domain Controller. These servers are the heart and soul of the network.
    With all the above said, what has been the Big 4's track record with the above issue of software being EOL? Would this be considered a Material Weakness or Significant Deficiency?
    My Opinion: If the server dies due to a security breach or some unknown reason, it will stop the entire network from functioning. Even if the administrators get it back up and running, you will get to a point where you cannot bring it back up due to a recurring error. The source code cannot be manipulated to repair any problems, since MS does not allow access to the Windows NT (or any) operating system code. You call MS and they are no longer supporting it, and the only advice they have is to upgrade to Active Directory (Windows 2000 Server). The cost to upgrade will be VERY large.
    So what's your opinion or experience with this situation?
    Also: The email server has the same issue. Exchange 5.5 is EOL.



  • As long as the system is working, and you have compensating controls to prevent or detect unauthorised access to the financial information (e.g. from a security breach through the OS), you may have neither a significant deficiency nor a material weakness.
    However, consider the effect of a failure whereby you cannot restore the financial information. You need to evaluate the risk here. If low, it may be considered an acceptable risk.
    I think EOL issues might contribute to a significant deficiency or material weakness when all gaps and issues are considered together, but on their own they would not put you there.



  • Dear Sarboxian05,
    I see that you understand the risks. You have to inform your C-level executives.
    Having identified the risk, due care must be exercised to mitigate the risks.
    Due care is the care that a reasonable person would exercise under the circumstances; the standard for determining legal duty.
    Neglect of due care is the care that a person would choose not to exercise under the circumstances; the standard for determining legal liability.
    Due diligence is the effort to avoid harm to another company or party. It means that you exercise due care month after month. You try to demonstrate due care.
    As an expert witness, I must be clear: You are in trouble.
    If you were on the witness stand in a court of law and I was the expert witness for the prosecution, you would not be able to persuade the court.
    Yes, I know how difficult it is for companies to pay all this money for software. But I believe that you have no choice.



  • I agree with you.
    The company should upgrade the entire infrastructure to a Windows 2k environment. And that is my official recommendation.
    I was wondering if there was anyone with the same issues and if there was any guidance from any of the Big 4 on EOL issues, especially when it comes to the network operating system.
    Yes, the network is functioning. But if it ceases to function due to an error in the network operating system, then there would be a major problem, because there is no support from the vendor if it is determined that it is a source code issue. This in turn affects the financial system, because you need the network operating system to log into the financial system. The fact is the entire network is DOA.
    It was already mentioned, and I am in the process of documenting the finding to upper management. Being that I am a consultant, I can only show them the light. I can't force them to turn it on. I just wanted to have some official documentation or at least a case that is similar to this to use as a reference.
    Any additional help would be greatly appreciated.



  • You need to document the risk and what your recommended remediation efforts are (upgrading) and pass them along to the management of the company. They may well decide to not do anything, but in the end, it is their decision to make. The 3rd party auditor will come through and evaluate all of the risks that your company has identified (including this one) and how it has chosen to deal with them. If the decision is to do nothing, the auditor will either agree or disagree. Most likely they will disagree at first, then capitulate after having some discussions with management about the costs involved.

