- Problems ...
``I am sorry if you got the impression that I thought I was being 'profound'.''
i.e., you agree with me that your thinking process is shallow; Fact (1)
OK: Honesty is good;
``Let's not forget your statements/questions to which I was responding...they were so 'silly' sounding and utterly ridiculous, that I thought those responses must be profound to whomever wrote them.''
i.e., you thought that my OP was ``'silly' sounding and utterly ridiculous'' and THUS by answering in a way that is as little profound as you considered my OP to be, would be sufficient to refute my statements. Let's keep the facts from your statements:
Your answer was admittedly shallow and was meant to be this way; Fact (2)
And my counter-reply to (2) made this fact
stated more prominently.
You consider my OP to be ``'silly' sounding and utterly ridiculous''; Fact (3)
The fact that X sounds Y
DOES NOT => that X is indeed Y,
since ``sounds like'' means that your casual
examination of the matter created the impression
in your mind that ``X is indeed Y'';
conversely, if actually ``X is indeed Y''
it should be easy to refute my points by using
a MORE serious line of reasoning. You opted,
however, to use an equally shallow (as per your
perception) argument. And the purpose of you
demonstrating shallowness in thinking? Just feel
like coming across as silly? Then try at
least to be FUNNY. Silly + funny : good;
Silly + NOT funny : stupid;
``Now, having said that, you must know, in your infinite wisdom you seem to feel you have, that MOST companies, unfortunately, do not plan well for security threats and DO NOT have the PROPER, as you put it, infrastructure in place.''
Fact (4) : you understand that companies do not
have proper infrastructure.
FACT: SECURITY is a necessary property of the
operations and it needs to be reflected in the
infrastructure and mechanism that are put in
place. This requirement WAS THERE LONG BEFORE
SOX mandated additional procedures and record
keeping.
My point, that you missed or simply sidestepped,
was that companies were NEGLECTING (most likely
for cost reasons) to implement security
mechanisms that would correspond to the security
requirements that of course are independent of
SOX. They were ALREADY amiss in this respect and
AT FAULT. The problem is exacerbated in
companies which handle OTHER people's financial
and personal information. Recall the recent
scandalous pers. info leaking incidents.
The fact that SOX places ADDITIONAL burden on
the companies NOW, DOES NOT EXONERATE them
from NOT putting the APPROPRIATE security
measures in place when they started operations.
Does it? How is SOX related to their NEGLIGENCE
in security if it predates SOX? It cannot then
be USED as an EXCUSE for NOT implementing it!
``This article is not referring to the 'Ideal situation' it is in reference to the real world...and in the real world, companies have piss-poor security organizations and weak to non-existent infrastructures. So, do REAL WORLD companies live day-to-day responding to the latest "Microsoft Security patch" or to the latest SASSER worm variation?
Yup, they sure do! ...or are you too young to remember the Melissa Virus or the I Love You virus that took out almost all of the Fortune 500 companies' email services?''
Fact (5): You are stating that the Fortune 500
companies are over-stretched by trying to keep
their MS Windows infrastructure 'patched and
up-to-date';
As a matter of fact, and as I stated in my orig.
and subsequent postings, security problems STEM
from the fact that companies deploy their
operations on infrastructure that is
(a) INHERENTLY INSECURE, (b) requires an
exorbitantly high number of man-hours to
continuously maintain and
(c) is ALREADY EXPENSIVE as is, even if it still
lacks the proper security mechanisms.
``Ok, enough of that. Truth is, I know security (the way it should be) and I know security (the way it really is). I also know SOX and what it is requiring of companies (especially Fortune 50 banks like mine).''
From someone who gives answers that are permeated with shallow thinking, stating that ``Truth is, I know security (the way it should be) and I know security (the way it really is). '' requires a little more EFFORT to convince people that you indeed have these attributes and skills. Don't you think so? Your superiors should, at least.
``The REAL security problem is not that funds are being diverted....the problem is that SOX compliance issues are being handled in a non-secure way.''
So, it is not the SOX per se causing security problems, but the way that SOX is implemented. I can accept that.
``The SOX auditor asks, "Who has access to that folder?" or "Who has access to the data?".
In response most companies (unfortunately) don't re-evaluate the security model being used for that specific situation...they just slap a half-arsed solution in place to get that next check-mark on the auditor's report.''
So, overall from your last reply I gather the following facts:
Companies are not implementing SOX with the NECESSARY attendant security measures, but they try to put a facade of things meeting the SOX requirements, while in the backstage operations are sloppy and insecure. And it seems that a more careful implementation of SOX + security will cost the Fort. 500 Cos / Fort 50 Banks LESS.
And the above ONLY CORROBORATES my contention that whoever says that ``SOX will end up causing security problems'' is trying to find an EXCUSE either not to implement it thoroughly (and thus possibly abuse it and EVADE ACCOUNTABILITY) OR that they simply did not care about security BEFORE SOX.
So you do NOT disagree with my OP as nothing here refutes its points. And the remainder of your answer corroborates them.
Critique: we need to be careful when we retort with shallow and/or silly statements to other people's opinions.
As I said before: you want to be silly then ALSO be FUNNY. Otherwise SILLY + NOT FUNNY = STUPID.
``Critique (CISSP, SCNP and Security+)'' I see... that's why you THINK you `know security'
Joking.
Posted by: michael_t Posted on: 07/13/05