[ntp:questions] Sarbanes-Oxley: Impact on NTP

Brad Knowles brad at stop.mail-abuse.org
Thu Sep 1 08:23:37 UTC 2005


At 11:42 AM +0530 2005-09-01, Kommuri, Srikanth (STSD) wrote:

>  Can anyone tell me whether NTP can be made compliant with the
>  Sarbanes-Oxley Act (in terms of internal control in financial companies
>  using NTP)? Does NTP require any changes/addition of features in terms
>  of security for Sarbanes-Oxley Act compliance?

	The problem is that SOX is a lot like ISO 9001 -- what do you say 
you do, and then how do you prove that you do it that way?

	Ask 1000 different Big Four consultant/auditors, and you'll get 
at least 1000 different answers for what it means to be "SOX 
compliant".

>  Any pointers to the ROLE of NTP in the Sarbanes-Oxley Act will be
>  greatly appreciated.

	With regards to NTP, various different organizations have done 
audits of the code and the algorithms, including NASA, the US 
Department of Defense, the IETF Security Task Force, etc. 
However, so far as I know, no one has done an audit of the NTP 
algorithms and software specifically with regards to SOX compliance.

	There are some vendors of NTP-related software that claim to have 
audited code and additional software that continually re-audits the 
time available from the servers, but you're left holding a black box 
whose source code you cannot verify, and all you can do is take their 
word for it.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.


