This is something we should *ALL* be aware of, not least those that think legal and world economic stuff is off topic.
We all have to face standards; for the most part those are dictated by industry groups and we can, if we choose, partake of those.
I’ve been involved in technical standards groups in the past.
We have also, recently, had to face a lot of ‘regulations’, that is requirements with legal backing. It’s easy to say that those are all very regional, which is why they don’t (any longer) appear in the CBK.
Personally I think this is a weak argument. SOX may only have been ‘legal’ in the USA, but many companies in other countries trade in or have offices in the USA and need to be aware of US laws and regulations.
In addition, SOX has been the model for regulations in other countries (and some of those have corrected deficiencies).
Nevertheless the legal principle that is addressed in this article holds for many countries: while the politicians dither, the people who have to deal with the details and actualities of making the legal system happen are getting on with it.
Free from the pressures of lobbyists, judges typically refrain from showing emotion or expressing opinions during court proceedings to appear impartial. During sentencings in criminal cases, they sometimes let their hair down about their feelings about the damage Wall Street firms or their executives did.
However, I don’t know if it’s the journalist or the judges that are being facetious:
In sentencing imprisoned con man Bernard Madoff June 29 to the maximum penalty of 150 years in prison, U.S. District Judge Denny Chin described Madoff’s crimes as “extraordinarily evil.”
“Evil” compared to what?
We’ve just this week had news of a man who kept a child imprisoned for 18 years, and a similar case in Germany not so long ago. We have various “honour” crimes in the Middle East as well as by religious groups and, yes, mainstream people in what are thought of as more enlightened nations. I won’t even touch on the atrocity of wars and concentration camps and mass murderers.
But if we are dealing with purely financial harm, then the people Madoff harmed were, for the most part, the more wealthy members of society. Compare this with the people who invested in Enron, or if you want a historic precedent look at those harmed by the Erie Railroad stock manipulation. Or the Tulip Bulb Bubble.
“Evil” compared to what?
But Madoff was a symbol. He was an individual we could focus on. The Risk Managers at the succession of banks and financial houses that played off the sub-prime loans with insufficient security that led to the recent economic collapse are too indistinct, too nebulous, too much part of the whole process.
And all too often, the lawmakers just end up ratifying what the judges are already doing. Or will if they have any sense.
But to us in the InfoSec business does it matter?
No, not really. In advising our principals and in developing policies and standards and guidelines we need to look at what the courts say every bit as much as government legislation. It seems an overwhelming task to add to the collection of overwhelming tasks we already have to cope with, but someone has to do this, so why shouldn’t it be us? After all, who is better qualified?
I have this feeling that people who have the ‘get-up-and-go’ aren’t compartmentalized. In most of the areas of technology and business, the people I see doing things are also the ones who speak out.
My favourite in this area is the notice from the board that backups were not ‘in scope’ because they did not affect last quarter reporting. Since SOX was intended to ‘restore investor confidence in the US Financial System’ after Enron and WorldCom, I can’t imagine why an investor would want to put his money into an organization that didn’t perform backups of its key financial management IT systems. This piece of jack-assery was corrected in the Canadian
Look at the relative timing of the Enron disaster and the DotComCrash and tell me which one caused the depression of the
Someone pointed out that the ‘payout’ for the recovery of the crash of 08/09 would have paid for the recovery of the failed DotComs back in early 2000 – the crash wiped out a mere $5 trillion in market value of technology companies from March 2000 to October 2002 and would probably have created more real value in terms of productivity rather than “bonuses”.