First I want to sincerely thank Vance, Clif and Bill for kind words. Vance,
having you, my customer, speak out like that makes it all worthwhile. :)
Naturally I do have some remarks about this stuff -- I've been living and
breathing these issues for over a decade now and the SOX stuff specifically
in "full immersion mode" this past year! So I have some observations. Some
are technical, some might be "community". I apologize if I stray.
Using Remote VOCs is a great idea, I'm so glad they are available. The
thing is, that's just a 'way' to wrap a verb and you still have to write a
whole framework and application around it to determine who can under what
circumstances use the verb. So that's a great building block of the
solution. But the solution does still have to be built.
Controlling at the underneath level (with, say, UNIX permissions) is the
absolute best way to go on the live machine, having a librarian and a program
that has the authority to write. This is the most truly safeguarded way.
It is hard to set up initially (which files can be protected, which ones
will cause a problem if they are protected), but it is the tightest.
In either case, two things that happen on live at every IT shop that I've
ever come to know -- and this past year I must admit I was gratified to
learn that its not just us folks in the U2 world -- these two things are
"emergency" software fixes that have to happen on LIVE and 'data fixes'.
That last bit -- you can make the auditor shudder. Remember in Lion King
when the hyena says "Mufasa" and it makes the other hyena shudder and he
says "say it again!" yeah, like that. Say "data edits on live" and watch
in amusement as your auditors quake. Anyway, whether you're locking up at
the UNIX level or with the remote VOC entries or with peanut butter, you
have to have a way that allows these things to happen in such a fashion that
they will pass audit. I have devised such a fashion within PRC, of course,
and will be happy to elaborate, but this e-mail is already going to be
unbearably long ...
I saw that someone else already responded to whether or not non-publicly
traded companies are required to file reports under SOX, and while the answer
is no, there are reasons why a company would want to consider a new level of
control -- perhaps not as far as what SOX requires (what does SOX require?
Now there's a topic) ... but at any rate:
* want to go public
* may want to be acquired by a public company
* may want to do business with a public company
* other governance initiatives (HIPAA, NRC, DoD, etc.)
* competitive advantage
Now to this:
>Seeing this post made me wonder how other companies' productivity has
>changed since SOX. We are going to have to hire people to do jobs that did
>not exist before. Programming changes that used to take less than a day
>usually cannot be done now in that time frame. In order to get the proper
>signoffs from the business, stuff sits and waits now. Our auditors are
>insisting that we have one person on the business side that makes sure all
>signoffs are done before anything goes into production.
This is a topic that fascinates me. Every week smaller traded companies are
'de-listing' and 'going dark' because of SOX. (Hmm, is that what we were
going for?) Then there's the ones that charged on and found that they had
grossly underestimated the requirement and the cost. There is a raging
debate about how much is too much and whether we have dealt the corporate
world a fatal blow. In my personal opinion we had to do what we've done.
I have a lot of opinions about billing and busy work and taking our eye off
the ball. And I have a lot of advice for how to achieve compliance and do
some good at the same time. Yes, you can. In the situation above I would
very much like to ask why that stuff is sitting and waiting. Because people
aren't doing their job? Is the signing off an onerous task? Could it be
made easier? I believe -- I really, truly believe that this whole can of
worms can be dealt with in sleek, sure measures with procedures that are
streamlined, efficient AND TRANSPARENT. It takes some work up front, but if
you're stalled out in a situation where progress has been hindered don't
stop there. Work it through. I have loads of specific advice on that --
and I'm sure so do Clif and many others of us who specialize and obsess on
these issues. But I've got one word for you: COBIT. If you haven't gotten
a grip on what COBIT is I really recommend that you do. It's a little like
reading Shakespeare -- might seem a little like mumbo-jumbo until you get
the hang of the language, the presentation. But then it just breaks down,
labels, clarifies, identifies, lists, prioritizes and organizes what may
have seemed before to be a nebulous mass.
Thanks for listening. Oh yeah, and "buy PRC". :)
Susan Joslyn
SJ+ Systems Associates, Inc.
Sjplus.com
PRC - Real software configuration management for U2.
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/