Keith C. Perry on 27 Oct 2014 10:49:43 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Spark Core (corrected)


Joe,

I remember those days very well. :D  Thankfully, I didn't have any direct responsibilities in that space.  SarBox tightens things up for financial services but we know they're always going to find a loophole to exploit.  STEM professionals are the cure, especially those who have exposure to the financial world or have transitioned to quant opportunities that came about as a result of the great recession.  On the security side of things, I haven't heard much feedback to the resistance of better security overall but I'm sure there is much resistance to the audit controls and internal policing caused by the regs.

That asks Rich's question a different way.  If someone says, "we keep your data safe and here's how", sure the client should want to verify what is being said but what about internal audits?  Where is the "inspector general" for these companies that has the autonomy to say, "yes, I've verified this" or "no, we're getting this wrong and it needs to be fixed".  Basically, IT personnel with executive level enforcement power.

That's probably a bit much for most organizations which is why "external IGs" (a.k.a. auditors, consultants, etc) are needed.  It would be a positive development to see more FOSS people get into those roles.

I'm not sure what you are trying to say in the second part...  Who are the "men" in this case that are being assigned by the "King" to protect his booty?


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "rosatoj" <rosatoj@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Sunday, October 26, 2014 5:52:11 PM
Subject: Re: [PLUG] Spark Core (corrected)

Was involved a while back with compliance with Sarbanes–Oxley Act (SOX).
Here is a summary for those who forgot. 

a. There were many corporate accounting scandals. High level guys made a lot of money by cheating.
b. The supposed spirit of the law was: top management must individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe.
c. The law passed and tech guys around the USA spend all their time making sure financial systems are more secure with long list of security fixes and recommendations.

Read that a couple of times. Then read this:

a. King takes his extra share of the booty.
b. People complain about the the loss of revenue and how it affected the castle.
c. King assigns many of his men to protect the booty from being stolen.



Joe Rosato



On Sun, Oct 26, 2014 at 2:49 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Sun, Oct 26, 2014 at 2:27 PM, Keith C. Perry
<kperry@daotechnologies.com> wrote:
> Good point there Rich.  I would add that the health IT / medical IT space is
> more conscious as well.  One of things I had to do as result of HIPAA
> regulations was to write security statements.
> ...
> I can't say I've ever been asked to verify.

That's the rub.  Speaking as somebody who works in the health IT
industry I've seen lots of statements on RFPs asking companies to
certify that their software encrypts data/etc, but rarely any real
follow-up/verification.  If they say it is encrypted, then it must be.
Maybe somebody will look in the database and note that a field isn't
human-readable, but they won't ask questions like "if I can't read it,
how can the software, and what are the implications of how it does it"
(hint, if you didn't have to install an HSM, that encrypted data is
only as secure as the drive the key is sitting on).  Companies love to
have documents that say things like "your digital signature is not
repudiable" without realizing what that actually means (hint, saying
it or agreeing to it doesn't make it so).

>
> I call that "the buck stop there" syndrome  :)
>

Getting back to your earlier email, I think this is a BIG driver for
outsourcing.

You can say with a straight face that you don't hire illegal aliens or
commit fraud, while getting many of the cost benefits of doing those
sorts of things because you hand off your work without looking too
closely at those you hand it off to.  Of course, you do insist that
they sign a contract saying that they're completely above-board.

Outsourcing overseas often is more of the same, except that even the
laws are often more lax letting you get away with still more...

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug