It's startling how much misinformation is out there
I finally caught up this morning on an old trade publication, the first quarter newsletter from the Information Systems Special Interest Group of PMI.
In that newsletter there's an article by a consultant named David Kohrell, who is ostensibly trying to help technical project managers understand the complex regulatory environment and the emerging standards that affect their work. Sounds great, no?
However, he said that for a PM to address SOX, he needs to manage his projects effectively, understand budgetary impacts, and know how his projects are doing in comparison to others. What? What about tweaking methodologies to ensure that appropriate approval and testing are performed? How about understanding access control, and determining the impact of increased security on processes and systems? And most importantly, what about understanding the overall control environment, so as to recognize when my big project is going to compromise a critical control?
To add insult to injury, he then quotes this article:
Generally speaking, if it's an IT "best practice," it's usually good from a Sarbanes-Oxley perspective. There are a few exceptions to this rule, though; for example, some open source strategies, while seen as a best practice in the IT world, are arguably not in line with Sarbanes-Oxley requirements, as they contradict the key ideas within Sarbanes-Oxley that access to information should be purely on a "need to know" basis, and that processes should be controlled.
That's not the message we need to be giving to project managers. Open source could put my SOX compliance in jeopardy! It was once commonly accepted that open source is inherently more secure than closed source, and that debate continues to rage. However, whether your source and processes are open or closed is ultimately irrelevant to SOX compliance.
SOX is concerned with procedural and technical control, to ensure accountability up the organizational chain. It's not that hard to comprehend, except when you are wading through the morass of misinformation.


2 Comments:
Maybe Microsoft is sliding that guy some cash under the table?
11:16 AM
Wow, I now have confirmed the seventh reader of that article. (Ok the other six were family :-)).
Not on the dole from Microsoft. I think you may have missed the context of this article, which is entitled SOX Nexus -- the call for PMs is to understand, embrace and prepare for multiple best practices and regulations (from GLBA to COBIT).
Good point on the open source slight. That was unintentional. I was weaving that quote in for another reason (a broader role for PMs to think beyond the narrow confines that SOX attaches itself to). We've actually based our corporate portal (tapuniversity) on an open source learning management system (Moodle) with good success and change control.
David
8:28 AM