WARNING SOAPBOX

This is another example of why companies need to have written security policies. Policies define, among other things, the organization's interpretation of SOX. If SOX (or any other regulation/standard) does not specifically mandate settings (and most don't, or only in a very few instances), then as long as a system administrator has implemented the organization's policies, the auditor has to argue with the policy owner.

I understand that many companies and system administrators assume -- incorrectly -- that sysadmins are responsible for defining policy. But that's one of the main reasons for SOX. SOX is an attempt to make the rightful owners of policy legally responsible for policy (not to mention its implementation). Corporate officers or management are ultimately responsible for defining which employee roles are allowed to perform which functions on which business assets for which purpose. System administrators are only responsible for ensuring those policies are enforced on their systems.

For example, it is management's responsibility to declare that only accounting department employees are allowed to use the HR salary database using the payroll application in order to print payroll checks. It's the system administrator's responsibility to implement appropriate security mechanisms in order to enforce this policy. It follows that it is management's responsibility to define/declare data retention periods, etc...

From a sysadmin's point of view: Got Policy? Don't Got SOX issue...
END SOAPBOX

Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx
For more information on CTC, visit our website at http://www.ibm.com/eserver/services http://www.ibm.com/servers/eserver/services
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.