Saturday, November 17, 2007

SOX

Sarbanes-Oxley is turning out to be a really troublesome new layer of red tape. I was chatting with the network admin at our company and found out some of the complexities of trying to comply with Sarbanes-Oxley. Our IT staff is pretty small so many of the team members wear a lot of different hats. For example, the network admin also manages our company backups.

So the network admin was in a meeting with a SOX auditor about the various backup methods and procedures. The auditor was probably used to dealing with huge corporations where there is an employee that presses the button to start backups. Another employee to watch the backups. Another employee to move the backup medium from the backup devices to the backup vaults. You get the idea. But we only have one guy. Remember, if it has anything to do with backups, the network admin's your man.

The network admin tells me the auditor made all sorts of suggestions about the procedures. One was that if there is any sort of problem with the backups, a form should be filled out by the person reporting it, and notes should be made as to when and how the problem was fixed.

Ah! So let's see how the steps of this recommended scenario would go:

  1. The network admin puts the backup tapes in the drives.
  2. The scheduled backup job runs and fails.
  3. The backup software sends a "backup failed" email to the network admin.
  4. He fills out a Backup Failure Form.
  5. He hands this form to himself so he can troubleshoot.
  6. The network admin now has the authority to track down the problem.
  7. He fixes the problem.
  8. He updates the form with the problem's cause and solution.
  9. He hands this form back to himself.
  10. He prints the "backup failed" email and files it with the Backup Failure Form.

Wow. But what if the backup job did not fail? Let's see:

  1. The network admin puts the backup tapes in the drives.
  2. The scheduled backup job runs and completes successfully.
  3. The backup software sends a "backup success" email to the network admin.
  4. He fills out a Backup Completion Form.
  5. He prints the "backup success" email and files it with the Backup Completion Form.

Wow again.

If that wasn't enough, I'm told there are 12 different backup jobs and these processes would need to be done for each of them. Not to mention the fact that instead of just keeping a file on the network with all of the backup job notification emails, as many as 24 pieces of paper per day will need to be stored in a file cabinet somewhere. So much for the paperless society.

The most dangerous thing you will ever hear a human being say: "I'm from the government and I'm here to help."


Here's your sign...