What's your company doing to meet the SOX requirements for IT?

oozenoz · April 7th, 2006, 10:48 AM

I admit I haven't actually READ the entire act, and I'm all for change control and pre-testing to avoid TUB services ('turned up broken' for those who never worked for a telco...) but my company's management is putting change control procedures in place that are so restrictive and totalitarian it's literally preventing work from getting done...

One example: I have to get special dispensation to NOT have to write a change control and have it approved by management any time I'm going to change the hours of operation on one of our ACD queues...

martinyoung · April 7th, 2006, 04:58 PM

The problem is that these rules are being written by people that are Business Adminstration graduates not telecom people. On paper it looks like a good idea and it does not bother them because they don't have to come in at midnight to do the work. These rules usually get their start because someone, somewhere, broke something in making a change.

I used to work for an Avaya Business Partner that does work for a very large retail store that I won't name, but it starts with "W". That company will not allow you to plug in a station circuit pack until after 9PM. I had a job to convert an Avaya single port network cabinet to a two port network cabinet. It was a simple job but I had to write up a detailed description of everything I was going to do including every command verbatim. This needed to be approved by "W" and once it was approved, I could not deviate from the script. I had to start after 9PM and if for any reason I could not finish (even if it was their fault), I had to remove everything that I installed including carriers, cables, wall field, fiber patch cords. Everything.

Rules are being written for the sake of having a rule. I don't think it will get better in the time I still have to work. At least the company I work for now is reasonably intelligent about this.

oozenoz · April 8th, 2006, 07:36 PM

I blame it on people too cowardly to take responsibility for and admit to their mistakes, and lawyers who make money by finding ways to lay it on everyone but the guilty party.

I see nothing wrong with having a gameplan for any sort of change - whether it involves installing a new station or cutting over an entire system. Understanding what is required prior to starting, knowing what all must be tested successfully to know it's completed, and having a solution for backing it out if you must increases the odds that any job will go smoothly. It's all part of the project planning and engineering of the work. I admit, only allowing the installation of a hot-swappable card after 9 PM is a bit over the top, but there IS a possibility something could go wrong even with something so seemingly simple... Been there, done that.

SOX auditors (on their initial review) gave our company a failing score in the area of IT change control and our management reacted in a very predictible way - overkill. And while we may not like it, it's not going to go away for any of us who work in a company large enough to fall under SOX compliance rules.

Sooooo, with that in mind, how are companies dealing with this new level of imposed bureaucracy as it relates to MAC work?

martinyoung · April 8th, 2006, 08:53 PM

Since our major customer at the company site I work at is the US Navy, we follow their rules.

Most MACs are entered into Remedy and must be approved by local management, the exceptions are name changes and feature changes. Adds and moves must be approved, the main reason for this is so facilities management knows what cubes and offices are occupied or vacant.

The same rules apply to adding or moving computers. The only time the rules get more strict is if you are doing something that will affect the Ethernet setup in any way. Adding IP trunking which adds QoS and VLANs, for example. The DoD maintenance window opens at 9PM local time and closes at 6AM.

This kind of change must be entered into Remedy and approved by corporate mangement. All the details of what is being done and why, they aren't interested how.

The company's main concern is if something happened to the Call Center and this caused them to miss their SLAs, thus causing them to lose $$$$ in payments. Plus having to explain to the Navy why something happened.

All of these are reasonable concerns.

oozenoz · April 10th, 2006, 09:26 AM

Not only reasonable, but I would say rational in terms of the level of detail. Leave it to the government to have their own set of rules - scary that theirs make sense - and tell the rest of us who aren't working on government sites or contracts to use a different set...

martinyoung · April 10th, 2006, 10:28 AM

What is going to make life interesting here is the DoD mandate to convert all government Ethernet to IPv6 in a year or two. Avaya will not support that until CM4 and I do not believe this support will be extended to G3r's and Intuitys. I know a bunch of them that will need to be upgraded. Somebody is going to spend a lot of money.:devil:

oozenoz · April 10th, 2006, 12:12 PM

Great - more of my tax dollars at work!

April 7th, 2006, 10:48 AM	#1 (permalink)
oozenoz PBXtech PLATINUM 300+ posts Join Date: Feb 2006 Posts: 350	What's your company doing to meet the SOX requirements for IT? I admit I haven't actually READ the entire act, and I'm all for change control and pre-testing to avoid TUB services ('turned up broken' for those who never worked for a telco...) but my company's management is putting change control procedures in place that are so restrictive and totalitarian it's literally preventing work from getting done... One example: I have to get special dispensation to NOT have to write a change control and have it approved by management any time I'm going to change the hours of operation on one of our ACD queues... __________________ - calvin

April 7th, 2006, 04:58 PM	#2 (permalink)
martinyoung Moderator Join Date: Dec 2005 Posts: 1,435	Re: What's your company doing to meet the SOX requirements for IT? The problem is that these rules are being written by people that are Business Adminstration graduates not telecom people. On paper it looks like a good idea and it does not bother them because they don't have to come in at midnight to do the work. These rules usually get their start because someone, somewhere, broke something in making a change. I used to work for an Avaya Business Partner that does work for a very large retail store that I won't name, but it starts with "W". That company will not allow you to plug in a station circuit pack until after 9PM. I had a job to convert an Avaya single port network cabinet to a two port network cabinet. It was a simple job but I had to write up a detailed description of everything I was going to do including every command verbatim. This needed to be approved by "W" and once it was approved, I could not deviate from the script. I had to start after 9PM and if for any reason I could not finish (even if it was their fault), I had to remove everything that I installed including carriers, cables, wall field, fiber patch cords. Everything. Rules are being written for the sake of having a rule. I don't think it will get better in the time I still have to work. At least the company I work for now is reasonably intelligent about this. __________________ Marty Retired Avaya DSIC tech

April 8th, 2006, 07:36 PM	#3 (permalink)
oozenoz PBXtech PLATINUM 300+ posts Join Date: Feb 2006 Posts: 350	Re: What's your company doing to meet the SOX requirements for IT? I blame it on people too cowardly to take responsibility for and admit to their mistakes, and lawyers who make money by finding ways to lay it on everyone but the guilty party. I see nothing wrong with having a gameplan for any sort of change - whether it involves installing a new station or cutting over an entire system. Understanding what is required prior to starting, knowing what all must be tested successfully to know it's completed, and having a solution for backing it out if you must increases the odds that any job will go smoothly. It's all part of the project planning and engineering of the work. I admit, only allowing the installation of a hot-swappable card after 9 PM is a bit over the top, but there IS a possibility something could go wrong even with something so seemingly simple... Been there, done that. SOX auditors (on their initial review) gave our company a failing score in the area of IT change control and our management reacted in a very predictible way - overkill. And while we may not like it, it's not going to go away for any of us who work in a company large enough to fall under SOX compliance rules. Sooooo, with that in mind, how are companies dealing with this new level of imposed bureaucracy as it relates to MAC work? __________________ - calvin

April 8th, 2006, 08:53 PM	#4 (permalink)
martinyoung Moderator Join Date: Dec 2005 Posts: 1,435	Re: What's your company doing to meet the SOX requirements for IT? Since our major customer at the company site I work at is the US Navy, we follow their rules. Most MACs are entered into Remedy and must be approved by local management, the exceptions are name changes and feature changes. Adds and moves must be approved, the main reason for this is so facilities management knows what cubes and offices are occupied or vacant. The same rules apply to adding or moving computers. The only time the rules get more strict is if you are doing something that will affect the Ethernet setup in any way. Adding IP trunking which adds QoS and VLANs, for example. The DoD maintenance window opens at 9PM local time and closes at 6AM. This kind of change must be entered into Remedy and approved by corporate mangement. All the details of what is being done and why, they aren't interested how. The company's main concern is if something happened to the Call Center and this caused them to miss their SLAs, thus causing them to lose $$$$ in payments. Plus having to explain to the Navy why something happened. All of these are reasonable concerns. __________________ Marty Retired Avaya DSIC tech

April 10th, 2006, 09:26 AM	#5 (permalink)
oozenoz PBXtech PLATINUM 300+ posts Join Date: Feb 2006 Posts: 350	Re: What's your company doing to meet the SOX requirements for IT? Not only reasonable, but I would say rational in terms of the level of detail. Leave it to the government to have their own set of rules - scary that theirs make sense - and tell the rest of us who aren't working on government sites or contracts to use a different set... __________________ - calvin

Remove advertisements
PBXtech.info Advertisement	Sponsored links

April 10th, 2006, 10:28 AM	#6 (permalink)
martinyoung Moderator Join Date: Dec 2005 Posts: 1,435	Re: What's your company doing to meet the SOX requirements for IT? What is going to make life interesting here is the DoD mandate to convert all government Ethernet to IPv6 in a year or two. Avaya will not support that until CM4 and I do not believe this support will be extended to G3r's and Intuitys. I know a bunch of them that will need to be upgraded. Somebody is going to spend a lot of money.:devil: __________________ Marty Retired Avaya DSIC tech

April 10th, 2006, 12:12 PM	#7 (permalink)
oozenoz PBXtech PLATINUM 300+ posts Join Date: Feb 2006 Posts: 350	Re: What's your company doing to meet the SOX requirements for IT? Great - more of my tax dollars at work! __________________ - calvin

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode