O-S and outlook scheduling

  • I am new here, and something that I was just told by my IT guy caused me to do the search that found this site.
    Normal people and companies use Outlook Express (and other programs) to schedule meetings. At my last job, we would find the name of a conference room and add it as a resource. In this way, we can schedule people and conference rooms in one easy step.
    I changed companies, and the new IT boss says that because of S-O, he cannot create the accounts for the conference room. He gave me some mumbo jumbo about how all accounts have to be assigned to someone to (blah blah blah). I used that because I am too new on the job to ask him 47 times WTF he is talking about. I did ask him 46 times, and he still did not make it clear. According to this guy, having a conference room as a resource would require passwords changing every 90 days, some account for it that has to be maintained, (blah blah blah).
    Is this serious?

  • He’s serious - but wrong.
    SOX really should not impact this at all. That’s just an excuse for not trying hard enough to make access work. We use Outlook and have all of our conference rooms accessible.
    Security for those room IDs should be set so that they would have no access to financial systems anyway. If that is done, then there is zero risk and those IDs could be set to not require password refreshes.

  • We have the same as kymike, all conference rooms are bookable in Outlook, there is no SOX issue with this. It is even close to being in scope :roll:

  • I agree with Denis and Kymike as this belongs in our ‘SOX hall of shame’ 😞
    Unfortunately, SOX guidelines can be nebulous and subject to interpretation. It has to cover a wide range of company industries, IT environments, and financial situations. Companies then take these guidelines and adopt special controls for SOX in a self-regulatory manner. All controls are supposed to center on Financial controls for IT systems and related processes.
    However, folks can implement almost any control in the ‘name of SOX’ even outside the boundary lines of financial controls. Most often it’s through misinterpretation, but sometimes folks even implement a ‘pet program’ that they have always wanted.
    I believe the IT manager is sincere, as the conference room accounts must be owned and contain appropriate controls. Yet as shared above, there are ways of doing this in SOX compliant companies without jeopardy to any IT or financial controls.
