Using SOX to devalue computing

It's absurd, it's counter-productive, and it's getting out of hand.
Written by Paul Murphy, Contributor
It's long been possible to use a Sun box in place of a mainframe: running traditional CICS style jobs faster and at a much lower cost. Sun, in fact, has a whole bunch of people dedicated to selling this kind of thing.

But there's a problem: the data processing certainties that lead people to buy and use the mainframe are antithetical to the user centric nature of Unix. This doesn't mean you can't use Solaris to do data processing; you can, but it's a bad idea. More precisely, if you change your core toolset from a data processing focus to a computing focus, changing the box is the trivial part of the process - and changing the box without changing your thinking gets you a snake directing a mongoose: it may work for a while but sooner or later one will destroy the other.

Unfortunately, however, this is what I'm seeing SOX compliance auditors do: forcing data processing controls and thinking on computing environments and, in that process, destroying the same corporate value they're supposed to be protecting.

In a pure Unix scenario, for example, you do not have a service level agreement because the users are fundamentally in charge, and they'd be imposing a constraining agreement between themselves and themselves not to hurt themselves. As I usually put it, the SLA is a peace treaty between Data Processing and users in a long running war over resources - and in the Unix world that war hasn't happened: meaning that the peace treaty introduces conflicts that weren't there before.

The SOX legislation doesn't actually mandate any of this stuff: the problem is that the only adequate controls the auditors understand are the controls that evolved in data processing. Thus the COBIT standard has worldwide acceptance in data processing, and there's nothing remotely like it for computing.

As a result I'm seeing clients who know perfectly well how to run trustworthy computing environments being pressured to do stupid and counterproductive things. Many, for example, are being told to restrict key systems employees who are capable of contributing value in a half dozen functional areas to only one of those areas - leaving them bored and idle most of the time while forcing IT to hire people with lower skills and less commitment to do the other jobs.

It's absurd, it's counter-productive, and it's getting out of hand.