On Tue, 14 Dec 2004 15:47:06 -0500, Joseph Showl wrote:

>I have just been informed by our IS dept that according to the SOX act
>that all future passwords have to be of six character long with one of
>the character being numeric. I just read in a post yesterday that the
>SOX act isn't that specific concerning passwords.

While perusing my various technical magazines over Christmas I came across the following editorial comment in Information Security magazine that I think is a perfect answer for your IS dept.

<snip>
SOX doesn't require that an enterprise have firewalls, traffic monitors, access controls or auditing tools. It simply requires that adequate processes and controls are in place to ensure data integrity and the ability to demonstrate compliance.
<snip>

<snip>
SOX isn't a law about good security, it's about good business practice. It codifies what every enterprise should have been doing all along for security: establishing procedures and following them. When you do that, security stops being purely security and becomes risk management.
<snip>

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss526_art1082,00.html
http://shrinkster.com/2zs

PeterK

List archives at http://lists.ufl.edu/archives/recmgmt-l.html