HP3000-L Archives

August 2004, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Art Bahrs <[log in to unmask]>
Date: Wed, 18 Aug 2004 12:59:00 -0700

Hi Tracy :)
   Actually, there have been penalties for this type of stuff for years...
SOX is just adding more... and complementing the fines in HIPAA...

   For anyone who wants to know... the 'Prudent Man Test' is what will
decide if a person/company pays fines and/or goes to jail...  If the
person/company has taken the steps and/or measures that a prudent "man"
would consider to be expected and normal to take... there shouldn't be
fines and/or jail time...

   The concept is a good one... if I have a deadbolt lock and a lock in the
door handle of all the exterior doors of my house... but never lock them...
that would not be considered the steps a 'prudent man' would take to
protect a house... I would be found guilty ... same with our data... if we
don't take the steps to safeguard it with respect to what a prudent man
would expect us to ... then we be in trouble when something happens...

   A certain company I was once associated with... had an exterior-facing
door in the computer center... that they would not lock... and sometimes
they would even prop the door open... but very few people saw anything
wrong with the behavior... even tho' nobody was in the data center to
protect it...   This would violate the prudent man test and put any and all
personnel in the chain of command at risk of being fined and/or jailed...
but not the staff... the staff only does what it is allowed/told to do...
if there was a written policy to keep the door closed and locked at all
times... then the staff could be held responsible.

There are a lot more details but this is the 1,750 meter view :)

Art "back to reviewing policy statements " Bahrs
=======================================================
Art Bahrs, CISSP           Information Security          The Regence Group
(503) 553-1425              FAX (503) 553-1453


"Johnson, Tracy" <Tracy.Johnson@msiusa.com>
Sent by: "HP-3000 Systems Discussion" <[log in to unmask]>
08/17/2004 09:10 AM
Please respond to "Johnson, Tracy"

To: [log in to unmask]
cc:
Subject: [HP3000-L] Will Sarbanes-Oxley Change Corporate Politics?

In addition to mandated logging, ...

Since Sarbanes-Oxley mandates criminal penalties for CEOs and CFOs, I
foresee U.S. corporate boards electing (en masse) new officers within the
next fiscal year to be company figureheads (and fall guys).

Beware of headhunters offering unusually high positions...

BT


Tracy Johnson
MSI Schaevitz Sensors

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *




