[ntp:questions] Sarbanes Oxley: Impact on NTP
Brad Knowles
brad at stop.mail-abuse.org
Thu Sep 1 08:23:37 UTC 2005
At 11:42 AM +0530 2005-09-01, Kommuri, Srikanth (STSD) wrote:
> Can anyone tell me whether NTP can be made compliant to the Sarbanes-Oxley
> Act (in terms of Internal Control in Financial Companies using NTP)?
> Does NTP require any changes/addition of features in terms of security
> for Sarbanes-Oxley Act compliance?
The problem is that SOX is a lot like ISO 9001 -- what do you say
you do, and then how do you prove that you do it that way?
Ask 1000 different Big Four consultant/auditors, and you'll get
at least 1000 different answers for what it means to be "SOX
compliant".
> Any pointers to the ROLE of NTP in the Sarbanes-Oxley Act will be greatly
> appreciated.
With regard to NTP, various different organizations have done
audits of the code and the algorithms, including NASA, the US
Department of Defense, the IETF Security Task Force, etc.
However, so far as I know, no one has done an audit of the NTP
algorithms and software specifically with regard to SOX compliance.
There are some vendors of NTP-related software that claim to have
audited code and additional software that continually re-audits the
time available from the servers, but you're left holding a black box
whose source code you cannot verify, and all you can do is take their
word for it.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.