
UPDATE: So Which Screensaver Will We Pick?

Fortunately, through testing and a tad more research, I was able to find a way to implement the new screen saver lockout policy with a little less pain on the users' end.

Initially, research showed that if the None option was selected for a screen saver, the policy would not push down properly. Through our own testing, we discovered this was not the case (it is possible the reason this did not work for other companies is because they did not enable the screen saver portion of the policy, but I'm not positive about that).

The settings will be defined as follows:

*Screen saver timeout is enabled
*Password protect is enabled
*Screen saver is enabled

We first tested the policy with a specific screen saver file to run when the PC has been inactive for 15 minutes. This worked, but again, forced us to choose a screen saver for the user. With the new settings, if the option of None is selected in the screen saver tab, the PC will simply lock itself without displaying a screen saver at all. Also, if a user has a specific screen saver they would rather use, that option is now available to them. The ability to change the password protect or timeout increment options of the policy is not available to the users, thus we fulfill our SOX compliance on this particular task.
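The following PowerShell check is an added example, not part of the original post, that audits a workstation against the three settings described above. It assumes the standard registry locations that the User Configuration screen saver policies write to (the Policies\...\Desktop key for GPO-enforced values, and the user's own Control Panel\Desktop key for preferences), and it uses the post's 15-minute figure (900 seconds) as the threshold. It reports whether each value is enforced by policy or left under user control, which is exactly the distinction the post draws: the screen saver executable may be the user's choice (or blank, meaning lock only), while timeout and password protection must come from policy.

```powershell
# Added example (not from the original post): audit the effective screen saver
# lockout configuration against the policy described above.
# Assumptions: standard policy/user registry paths below; 900 s threshold from
# the post's 15-minute timeout.

$PolicyKey         = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey           = 'HKCU:\Control Panel\Desktop'
$MaxTimeoutSeconds = 900

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-EffectiveSetting {
    param([string]$Name)
    # A value under the Policies key wins over the user's own preference.
    $policy = Get-RegValue -Path $PolicyKey -Name $Name
    if ($null -ne $policy) {
        return [pscustomobject]@{ Name = $Name; Value = $policy; Source = 'Policy' }
    }
    [pscustomobject]@{ Name = $Name; Value = (Get-RegValue -Path $UserKey -Name $Name); Source = 'User' }
}

$active  = Get-EffectiveSetting -Name 'ScreenSaveActive'    # "1" = screen saver enabled
$secure  = Get-EffectiveSetting -Name 'ScreenSaverIsSecure' # "1" = password protected
$timeout = Get-EffectiveSetting -Name 'ScreenSaveTimeOut'   # idle seconds before activation
$exe     = Get-EffectiveSetting -Name 'SCRNSAVE.EXE'        # blank/absent = lock with no visual

$findings = @()

if ($active.Value -ne '1') { $findings += 'Screen saver is not enabled' }
if ($secure.Value -ne '1') { $findings += 'Screen saver is not password protected' }

$timeoutSeconds = 0
if ($timeout.Value -and [int]::TryParse($timeout.Value, [ref]$timeoutSeconds)) {
    if ($timeoutSeconds -le 0 -or $timeoutSeconds -gt $MaxTimeoutSeconds) {
        $findings += "Timeout is $timeoutSeconds s; policy requires 1..$MaxTimeoutSeconds s"
    }
} else {
    $findings += 'Screen saver timeout is not set'
}

# The three enforced settings must come from policy, not from the user's preferences,
# otherwise the user could simply turn them off.
foreach ($s in @($active, $secure, $timeout)) {
    if ($s.Source -ne 'Policy') {
        $findings += "$($s.Name) is user-controlled, not enforced by policy"
    }
}

# Report: the screen saver executable is allowed to be the user's choice or empty.
@($active, $secure, $timeout, $exe) | Format-Table Name, Value, Source -AutoSize

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: lockout policy is enforced as described'
} else {
    Write-Output 'NON-COMPLIANT:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the context of the user whose session you want to verify (the policy lives under HKCU, so it is per-user), or wrap it in a logon script that writes the findings to a central share so the Help Desk can see which machines never picked up the policy.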

Once The Powers That Be send out the email informing the users of this new policy, which should be within the week, it will be interesting to see the reactions that come across the Help Desk. Hopefully, it will be worded in a way so most users understand the difference between logoff and lockout, which password to use, and understand we IT Folk should not be held personally responsible for governmental rules and regulations. Yeah, I know dear reader, maybe I'm asking for too much, but one can dream.

Comments

This is *totally* going to kick off the "why does PD have to comply with SOX?" debate.

We don't like being locked out of machines.

Unfortunately this is the law now. If you don't like it, write to your state congressman and voice your disgust. I am sure they will get crackin' on rewriting it for you.

"Initially, research showed that if the None option was selected for a screen saver, the policy would not push down properly. Through our own testing, we discovered this was not the case (it is possible the reason this did not work for other companies is because they did not enable the screen saver portion of the policy, but I'm not positive about that)."

This could be why:
http://support.microsoft.com/?kbid=811460

Yeah, I ran into an article with similar points during my research...

For those of you not interested in reading the KB Article, it basically states pre-SP1 XP PCs are not taking to the policy.

Fortunately XP SP1 has the fix built in and all our XP PCs are on SP1 or greater.

Thanks for the MS source, a. ;)

Are there really no exemptions to SOX? Imagine a hospital IT department complying with SOX forcing computer workstations with displays of remote monitoring screens for heart attack victims in a nearby recovery room going into a screen saver which locks them out.

Yes, there are exemptions to SOX policies, thankfully.

For instance, in my environment, we can move PD to a new mail server, a separate network and various other things that are too complicated for my brain to grasp, thus making a distinction between PD and Corporate. From what the auditors have passed down to us, as long as they share the same space in common (mail server\network storage), the compliancy rules must apply to both. Here's the fucking rub: not only would that cost more money than we should have to spend, but the time involved is also quite great.

It's very hard to have an auditor come in, tear apart everything you do and try to force you to either a) buy new products they are so highly recommending to comply or b) spend more money that could be used elsewhere for a much more effective and just cause.

Keep in mind, SOX rules, regulations and loop holes are being learned as I (and my co-workers) are going along. Each section gets more and more vague, confusing and downright surreal as the paragraphs melt into one another.

Frankly, I will be very happy when this is finished as it has become a huge annoyance and seems so utterly pointless. The mass amount of ridiculous documentation, policy pushing and reporting has we IT Folk dog ass tired.

SOX applies to public companies. -- To my knowledge, hospitals are not publicly owned. What complicates things is the method for seeking SOX certification. Most companies work with accredited auditors and consultants to ensure they have checked all the right boxes. Most of the law concerns reporting and the types of trade that are allowed within a company. This trickles down to IT departments in the forms of information logging, archiving and security. And that's where the SOX consultants get into things like 'what screensaver you need'. It's a criteria for certifying a public company network as secure. You may recognize such names as: Ernst & Young, PricewaterhouseCoopers, KPMG and Deloitte and Touche. (Hey? Where's Andersen? -- Oh yeah, those are the feckless little mouthbreathers that got us into this mess in the first place.)

Anyway. A successful filing from one (or more) of these consulting companies is priceless for us. They test our compliance (as they've interpreted it, and evaluated our business) and search for weaknesses. When they're happy they sign off. When they sign off our shareholders are happy. Everybody's happy.

Or something.

(Now where are my flying toasters, Princess!?)
