On Tue, Sep 21, 2010 at 10:22 AM, Jim Holmgren <[email protected]> wrote:

> SOX does not say "Thou shalt keep all email for X days/months/years".
> It says "Thou shalt have a retention policy and shall abide by it".

Yah. The list of things which Sarb-Ox actually mandates (as far as IT is concerned) is actually quite short. My favorite is passwords. People claim Sarb-Ox to justify any number of inane password policies. Sarb-Ox does not address passwords *at all*. It doesn't even say you have to use them.

If you're attempting to comply with a regulation, it behooves you to be familiar with the regulation. I find auditors routinely claim something is in the regulation, when in fact it's just their personal preference.

Our QA guys say they get that all the time with ISO-9000/AS-9100, too. I'm told there are actually only about a dozen things ISO-9000 says you "must" do. It says "should" a whole hell of a lot, but the difference between "must" and "should" is the difference between lightning and the lightning bug[1].

-- Ben

[1] To paraphrase Mark Twain.
