Joe Rosato on 26 Oct 2014 14:52:18 -0700


Re: [PLUG] Spark Core (corrected)

I was involved a while back with compliance with the Sarbanes–Oxley Act (SOX).

Here is a summary for those who forgot. 

a. There were many corporate accounting scandals. High level guys made a lot of money by cheating.
b. The supposed spirit of the law was: top management must individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe.
c. The law passed and tech guys around the USA spent all their time making sure financial systems were more secure, with a long list of security fixes and recommendations.

Read that a couple of times. Then read this:

a. King takes his extra share of the booty.
b. People complain about the loss of revenue and how it affected the castle.
c. King assigns many of his men to protect the booty from being stolen.

Joe Rosato

On Sun, Oct 26, 2014 at 2:49 PM, Rich Freeman <> wrote:
On Sun, Oct 26, 2014 at 2:27 PM, Keith C. Perry
<> wrote:
> Good point there Rich.  I would add that the health IT / medical IT space is
> more conscious as well.  One of things I had to do as result of HIPAA
> regulations was to write security statements.
> ...
> I can't say I've ever been asked to verify.

That's the rub.  Speaking as somebody who works in the health IT
industry I've seen lots of statements on RFPs asking companies to
certify that their software encrypts data/etc, but rarely any real
follow-up/verification.  If they say it is encrypted, then it must be.
Maybe somebody will look in the database and note that a field isn't
human-readable, but they won't ask questions like "if I can't read it,
how can the software, and what are the implications of how it does it"
(hint, if you didn't have to install an HSM, that encrypted data is
only as secure as the drive the key is sitting on).  Companies love to
have documents that say things like "your digital signature is not
repudiable" without realizing what that actually means (hint, saying
it or agreeing to it doesn't make it so).

> I call that "the buck stops there" syndrome  :)

Getting back to your earlier email, I think this is a BIG driver for

You can say with a straight face that you don't hire illegal aliens or
commit fraud, while getting many of the cost benefits of doing those
sorts of things because you hand off your work without looking too
closely at those you hand it off to.  Of course, you do insist that
they sign a contract saying that they're completely above-board.

Outsourcing overseas often is more of the same, except that even the
laws are often more lax letting you get away with still more...

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --