SOX being crammed down my throat - help 1633

  • Admittedly, I don’t know much about SOX…and I’m not sure I really need to if it is really set up to regulate financial systems.
    I’m in Engineering, see. 10 years ago when I set this network up on an NT structure the IT department was still using Windows 95 as their base. However, things have grown and times have changed. We’ve all gotten a lot bigger.
    Years ago the T1 system came along and the IT folks wanted to take over the Engineering network in order for us to have net access and email. I said it wasn’t really needed. They insisted it was until I proved them wrong by multihoming every machine in Engineering. This way we still authenticate to the Engineering server, but we can still talk to them on the T1 side of things.
    Now however, we’ve been bought up, and SOX is now the excuse to make us join yet again, and for me to give up control of my server and subnet. In fact I’m told last week they are going to lock down the computer room and I can’t even have a key. So either my server has to come out of the server room, or I can’t admin it. Doesn’t matter though cuz eventually we can’t get access without authenticating to them anyway.
    Is it really needed for us to join their network in order to comply with SOX? Is it really true that I can’t have a key in order to comply? I think it’s someone playing hardball cuz they didn’t win years ago…

  • Hi and welcome to the forums 🙂 YES – It’s true that folks are implementing tighter security ‘in the name of SOX’ as a means to enhance security controls, even for non-financial systems.
    To learn more about SOX IT standards, you might want to research SOX 404 standards. These represent best practices in IT security and controls. They are also somewhat nebulous and subject to interpretation.
    As SOX 404 compliance standards prescribe that financial systems be properly protected, sometimes it is logical to include non-financial systems as part of the SOX related controls. This is often done under the guidelines of ‘protecting the weakest link’ (e.g., ensuring that the bad guys can’t breach a weak non-financial security control and impact financial systems).
    This may be why IT is trying to ‘rein in’ the server environment to a stricter implementation of security and limit physical security controls?
    Maybe you guys can negotiate a good solution where, by turning over the server and controls, you’ll receive the good level of service you’re used to. In other words, let the IT guys manage the environment and set up SLAs (Service Level Agreements), where they will meet your networking needs securely, with good performance, and the functionality needed.
    Good luck and hope things work out for you 🙂