Question: SOX or Government Compliance to Security Forum?

[KuiXing-2005]

This is more of a question than anything, as this type of thing could fall under security in general and this could be more US centric than anything, which would not be fair to other countries represented.

Would a forum geared towards Government compliance (like SOX) to financials - but relates to security - a worthy cause? T

his could also relate to general compliance for companies that need to work with the government and have to comply with SOPs or their own created SOPs.

I am just thinking that with the width and breadth of the knowledge and experience here and the fact that all publicly traded companies in the US have to comply, a forum to address concerns or lessons learned might be helpful for others. As I type this, I am thinking that something like that may not be valid, however, I wanted to broker some discussion on the issue.

Thanks in advance for your feedback.

[zencoder]

As a subject that is near and dear (dripping sarcasm implied) to my heart, I'd still have to vote against creating a new forum. While this is a wide and active subject...it isn't necessarily so here on AO. I've seen mention of Legal discussion forums, database, Digital Rights Management, privacy, etc. I've come to learn one thing in my travails of this subject...the single biggest factor that will probably cause a forum to be created is the amount of activity ALREADY OCCURRING in a subject area.

HTRegz' Phishing and Scams forum is a perfect example. We've only posted a handful of new threads in it since it started a week or so ago, but by moving older active or dormant threads into it, it's fleshing out as a robust forum already.

I just don't think there's enough SOx, GLB, or HIPAA discussions yet...escpecially because a fair amount of members are NOT in the US.

Just my $0.02. Good suggestion...let's see where it goes.

[KuiXing-2005]

FYI - Just got out of some SOX Testing Training - boy was that fun. A-yeap, fun.

Anyway - found out that we cannot officially document anything we find out about SOX - well at least through 'written' means. I asked if I could report about lessons learned and stuff - like in AO. And... I got blasted by about 4 people - which after about the first five minutes, I started enjoying it and watching spittle fly. So - even if there were a forum on this subject I could not post to it - in fear of it being traced somehow back to us. Basically the issue is company confidentiality and what should or should not be published. Interesting to learn about the reasons and seeing poltics at work as it pertains to government compliance. Just wanted to pass that along.

Thanks much.

[MrLinus]

Rather curious that you can't talk about SOX in a generic sense. I can understand the concern about the business (avoids the potential of letting something out that shouldn't be out there -- particularly given recent events).

[Egaladeist]

Hi KuiXing,

At first glance I thought you were talking about this...

http://www.langdale.com.au/SOX/
SOX

but upon further investigation I realized you were really talking about this...

http://www.developer.com/java/ent/article.php/3320861

and...this...

http://www.insidesarbanesoxley.com/

Still don't get what's so hush-hush about it...there's alot of info available on it.

[KuiXing-2005]

Rather curious that you can't talk about SOX in a generic sense. I can understand the concern about the business (avoids the potential of letting something out that shouldn't be out there -- particularly given recent events).

Still don't get what's so hush-hush about it...there's alot of info available on it.

My apologies as I should have clarified. I can talk in a generic sense about SOX - just not anything about my company. As an internal auditor, that is now one of my responsibilities is to help test for SOX - yes it is fun - about as much fun as bamboo shoved underneath the fingernails. We have to test controls, review documentation, capture samples of inventory and test - usually 2-3 times the what people regularly test for in day-to-day operations - why? Because we are looking for failures - failures in anything financial related.

These failures can lead to a process or procedures to be non-effective (not ineffective as I am finding out - believe it or not - that word is not "PC" in SOX terms - at least me'ah). If a control is not effective after a certain amount of time and/or it is not or cannot be resolved - it must be reported. However - there are still many grey areas about what constitutes non-effective and under what circumstances. The part of the law most people are concerned with is Section 404 - Management Assessment of Internal Controls. Egaladeist's links also have a link to FindLaw - which has a copy of the Sarbanes-Oxley Act of 2002. Here is the direct link for those who love to read law docs - again the section I am referring to is 404:

http://news.findlaw.com/hdocs/docs/g...xley072302.pdf

Now the hush-hush, on the QT part comes in with what has or has not been "officially" declared non-effective as a control. If a control is still being reviewed, discussed or under action to become effective - it does not need to be known. Further - in dealing with external auditing firm's interpretation of the law it is stilll hard to know if everything is being done correctly in the first place. Certain things are obvious, but most are not at this stage. What is keeping me somewhat anxious is the fact that we have put in a lot of time, effort and money to resolve issues and make sure we are compliant with what the external audit firms believe is the correct intpretation of the law - and we could still all be wrong. Now I know this most likely will not happen, and even if it did, many companies would fall under "working with due diligence" and note it is now an ever-on-going process for companies.