Hello guys, I’ve previously posted about how I’m the only guy in the room at work using Linux (11.3 64bit). They brought up a valid point that I had no comeback on, stating that “SOX auditors won’t pass your linux environment.” I don’t know, because I’ve never really gone through one myself. So I ask my fellow community:
How would Open Source fare against the SOX auditor today?
Have any of YOU ever gone through SOX with Open Source?
Have any of you done it with Suse?
Is anyone using Open Source to support their infrastructure? How many in the US vs Europe? I hear Suse has a strong following in Europe.
I don’t know the size of your company, but most places are ruled by the I.T. guys before you would need to worry about any auditors. So I use openSUSE at work for graphics and for Web page creation. I do so in the background with a dual boot computer with an external USB hard drive. My internal drive is completely set up by the company book (except for that forced blank screen saver, how boring). My external drive has all of the openSUSE stuff I need to function. My boss knows what I do, but as long as I stay clear of I.T., am always helpful with Windows users and keep on producing quality output, I have no problems. It is how I survive. You must find your own solution; however, bumping heads against the establishment might not produce the outcome that you want. Consider using more finesse (being more clever) when using openSUSE.
I think your colleagues are either ignorant or joking. The broad aims of Sarbanes Oxley are to: improve financial reporting, disclosure, and transparency; improve internal accounting controls; assure external auditor independence and reduce conflicts of interest; improve management of business records, requiring the retention / archiving of data, email, documents (whether paper or electronic) for not less than 5 years; etc. SOX can apply to businesses domiciled outside the US if they are subsidiaries of US companies; transact with US companies; are cross-listed on US and foreign stock exchanges; etc.
SOX is technology neutral. SOX auditors won’t care what OS (linux, Windows, etc) a company is using; whether software is open source or proprietary; etc. They are auditing for SOX compliance (eg, quality of accounting controls, data retention) and providing a company subject to SOX can demonstrate compliance, technology is (relatively) immaterial. I say ‘relatively’ because companies will obviously need, for example, robust data archiving strategies and technology.
Thanks for the reply. At my office WE are the I.T. guys. I work for a small MSP (Managed Service Provider) and we provide IT support for our customers. All of our customer base is Windows, except for a few server solutions which run Suse for sugarcrm and some other web applications.
My question is as such: Would a linux environment pass a SOX audit?
I think they’re just MS bigots. I’m relatively new to IT as a job, but have been using Linux for about 4 years now. Thank you for your inputs, it’s really helping me justify some of my views in a pro-Microsoft office.
I’ve got about 1200 servers that provide infrastructure services (DNS, DHCP, etc) in our remote offices. The servers are currently running SLES10 but will be replaced with servers running openSuse 11.3 this summer. I’ve never been through an audit but I think we have enough documentation about our servers and their processes that we would survive. Good luck!
Normal, prudent IT controls and practice. COBIT is a good start. Google around for SOX IT compliance checklists, like this one. You can buy SOX IT compliance toolkits - SOX is a bit of a racket.
Out-sourcing vendors, like yours, have responsibilities, but if your clients aren’t explicitly instructing you to, for example, retain their data for at least five years, that’s ultimately their issue.
On Mon, 28 Feb 2011 01:36:02 +0000, danrche wrote:
> My question is as such: Would a linux environment pass a SOX audit?
I imagine SAP would be part of environments that would be subject to a
SOX audit, and SAP is supported on SLES (in fact, SAP sells a bundle
that’s exactly that). So sure, it would have to be able to pass a SOX
audit.
It’s not about the OS, it’s about the implementation. You can
implement Linux so it’s insecure just like a poorly managed Windows setup.
Similarly, it is possible to secure a Windows environment to the degree
that Linux can be (but IME, it takes a lot of work or removal of some key
pieces of hardware - after all, there was a release of Windows that was
C2 compliant - as long as it had no network connection and no devices
that supported removable media).