View Jason Kolb's profile on LinkedIn

Popular Tags Recent Archives

    License

    • Creative Commons License

    Fun Stuff

    • The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions. NO MATERIAL HERE CONSTITUTES INVESTMENT ADVICE. The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are solely your responsibility.
     
    Still no way around SSL... yet The Technology Whiplash Effect on Push

    SOX for IT

    Vinnie Mirchandani has been running an interesting series of articles on Sarbanes-Oxley and how much he hates it.  I agree.  HOWEVER, I think SOX is just a bad implementation of a good idea.  We need a replacement for IT, and here's why.

    SOX is far too broad.  I think it works ok for finance, which is what it was originally intended for.  However, what the drafters DIDN'T intend (I think) is the unexpected repercussions that it's had throughout the rest of the enterprise.  The language is so vague that SOX becomes whatever the consultant wants it to be.  I remember trying to implement SOX and it got to the point where we had to hire people to walk the floors looking for scraps of paper that need to be shredded, and had to make people sign in and out of certain parts of the building.  All well and good, I suppose, if you're handling extremely sensitive information, but this was most certainly not.  It was just customer-related, and the consultant interpreted that as meaning sensitive.

    The biggest victim of SOX has been IT in my opinion.  There's really no reason for SOX to touch IT if IT is functioning properly.  If the IT department is functioning properly and has proper controls and guidance from the top, SOX would be a non-issue.  Customer data in the IT realm should be secure anyway.  If you're curious what kind of requirements SOX places on the IT department, you may want to check out the SOX-IT checklist I put together a while back based on my own experiences with SOX.

    Now, here's where I'm a little torn.  It's just so darn easy to slap together an application these days that you can churn one out in a day and not worry about security.  I've begun thinking twice lately about using Web 2.0-style apps because I have absolutely no confidence that the data I put into them is secure.  Heck, I can't even get answers about whether my password is stored in hashed form instead of in plain text.  The post I wrote about Web 2.0 scalability touches on this a bit.

    Obviously, some kind of formalized IT-centric certification or assurance is needed.  One that isn't a bastard child of a finance-focused directive.  I don't know who would come up with such a thing or audit the applications, but I do know that something along those lines is going to be a necessity if the Software as a Service industry is ever planning to creep into the enterprise.  I know I wouldn't trust MY company's data to some Joe Schmoe who just wrote a wiki yesterday unless I had some assurance that it was safe.

    I can imagine that some kind of baseline security check could be done over the Web using an automated program.  A basic encryption/password hash/cookie check application could give you some approximation of how secure an application is and how well it's written; however, it wouldn't have the ability to peek up the application's skirt to analyze the back end.  (What a dirty sounding metaphor :P)  I'm not sure how that piece should be handled, anyone else have any ideas?
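    As an added illustration of the outside-in check sketched above (example code, not part of the original post), here is a small checker that reads the response headers a Web app hands back and reports what is observable from the outside: HTTPS redirect or HSTS, and Secure/HttpOnly flags on cookies. The sample headers are constructed, not taken from any real site, and the last finding shows the gap the post points out: whether passwords are stored hashed cannot be seen from the outside.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    check: str
    passed: Optional[bool]   # None = not observable from outside
    detail: str

def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def baseline_check(status: int, headers: list[tuple[str, str]], over_https: bool) -> list[Finding]:
    """Outside-in baseline: transport protection and cookie flags only."""
    hdrs = [(k.lower(), v) for k, v in headers]
    findings: list[Finding] = []
    if not over_https:
        # Plain-HTTP response should be a redirect to an https:// URL
        loc = next((v for k, v in hdrs if k == "location"), "")
        ok = status in (301, 302, 307, 308) and loc.startswith("https://")
        findings.append(Finding("https-redirect", ok, f"status={status} location={loc!r}"))
    else:
        hsts = any(k == "strict-transport-security" for k, _ in hdrs)
        findings.append(Finding("hsts", hsts, "present" if hsts else "Strict-Transport-Security missing"))
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        findings.append(Finding(f"cookie:{name}", not missing, "ok" if not missing else "missing " + ", ".join(missing)))
    # The back end is invisible to this kind of probe
    findings.append(Finding("password-storage", None, "not observable externally; needs a back-end review"))
    return findings

def summarize(findings: list[Finding]) -> dict[str, Optional[bool]]:
    return {f.check: f.passed for f in findings}

SAMPLE_HEADERS = [  # constructed sample response, not from a real application
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for f in baseline_check(200, SAMPLE_HEADERS, over_https=True):
        print(f"{f.check:18} {str(f.passed):6} {f.detail}")
```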
