Educause Security Discussion mailing list archives

Re: Does the Sarbanes-Oxley Act apply to Higher Ed too?


From: Mary Shaffer <mshaffer () CALPOLY EDU>
Date: Mon, 29 Sep 2003 11:35:03 -0700

This issue was raised at our campus and I was advised by our legal
counsel that our systemwide legal counsel and the National Association
of Colleges and Universities (NACUA) have concluded that higher
education institutions are not legally obligated to comply with the
provisions of the Sarbanes-Oxley Act of 2002. FYI, Mary

"David L. Wasley" wrote:

Well, IANAL (I am not a lawyer) but the Act begins with the statement:

"To protect investors by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws, and for
other purposes."

I've interpreted that to mean "publicly traded corporations" which
would not apply to a state institution such as UC.  However, that
last little clause might augment the interpretation - i.e. to any
corporation that claims to be acting in the public interest or for
the public benefit.

In any case, we should be 'doing the right thing' regardless of what
a particular law requires.  I think executive level sign off on IT
security requirements and implementations makes a lot of sense.  I
think too often it's one of those 'won't fix the roof until the horse
has left the barn' sort of issues...

        David
-----
At 9:50 AM -0600 on 9/29/03, Clyde Hoadley wrote:

I know several institutions of Higher Education were taken off guard by
Gramm-Leach-Bliley.  Does the Sarbanes-Oxley Act apply to Higher Ed too?
If so, how?

  Title: Security and Sarbanes-Oxley
   Source:   SearchSecurity
   Date Written:  September 25, 2003
   Date Collected: September 26, 2003
The Sarbanes-Oxley Act, which was signed into law by President Bush on July
30, 2002 and will take effect in 2004 and 2005, was meant to deal with a
variety of corporate governance issues, making upper management accountable
for a company's actions. A by-product of the Act may be to involve senior
management in information security. Under the Act, CEOs and CFOs are mandated
to attest that their companies have proper "internal controls" in place.
Internal controls are widely interpreted to include adequate data and network
security, thereby forcing senior executives to sign off on IT security issues.
Security product vendors view the Act as an opportunity to sell their wares,
but no single product currently exists that guarantees compliance. In the long
term, the Act may help improve security, testing and awareness.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci929451,00.html



--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

--

 =======================================================================
From: Mary Shaffer
      Policy/Program Assurance - Office of the CIO
      Information Technology Services
      California Polytechnic State University
      San Luis Obispo, California 93407

      OFFICE: 14-113C             E-MAIL: mshaffer () calpoly edu
      PHONE:  805-756-5538        FAX:    805-756-2000
      IT POLICIES: http://www.calpoly.edu/computing/policy.html
 =======================================================================
