OK, this is a question for someone who is a US corporate guru. In a publicly
traded company, how do you satisfy the SEC rules regarding email and file
security? It sounds like no one in the IT department for the
organization is even allowed to have recovery agent authority because we
might be able to read or see something that may lead us to purchase or sell
stock. This puts the IT department in a bad situation, as we are responsible
for the backup and recovery of all data; however, if a VP loses his
certificate we cannot recover his data. Does anyone here have experience
with these types of policy decisions? I am looking to find out if a
Certificate server implementation can satisfy the SEC rules and what tuning
to group policy, recovery agents and key backups may need to be done.

Thanks

Rick

Re: OT PKI / Certificate services by nerd32768

nerd32768
Wed Jun 23 11:27:22 CDT 2004

"Rick" <Rick@na.com> wrote in message
news:%23neRxoTWEHA.3740@TK2MSFTNGP12.phx.gbl...
>
> OK, this is a question for someone who is a US corporate guru. In a publicly
> traded company, how do you satisfy the SEC rules regarding email and file
> security? It sounds like no one in the IT department for the
> organization is even allowed to have recovery agent authority because we
> might be able to read or see something that may lead us to purchase or sell
> stock. This puts the IT department in a bad situation, as we are responsible
> for the backup and recovery of all data; however, if a VP loses his
> certificate we cannot recover his data. Does anyone here have experience
> with these types of policy decisions? I am looking to find out if a
> Certificate server implementation can satisfy the SEC rules and what tuning
> to group policy, recovery agents and key backups may need to be done.
>
> Thanks
>
> Rick
>

You probably get an acceptable answer in
"microsoft.public.win2000.security", because nobody here seems to like to
answer valid Microsoft questions



OT PKI / Certificate services by anonymous

anonymous
Wed Jun 23 11:30:55 CDT 2004

shut up rick, no one cares
>-----Original Message-----
>
>OK, this is a question for someone who is a US corporate guru. In a publicly
>traded company, how do you satisfy the SEC rules regarding email and file
>security? It sounds like no one in the IT department for the
>organization is even allowed to have recovery agent authority because we
>might be able to read or see something that may lead us to purchase or sell
>stock. This puts the IT department in a bad situation, as we are responsible
>for the backup and recovery of all data; however, if a VP loses his
>certificate we cannot recover his data. Does anyone here have experience
>with these types of policy decisions? I am looking to find out if a
>Certificate server implementation can satisfy the SEC rules and what tuning
>to group policy, recovery agents and key backups may need to be done.
>
>Thanks
>
>Rick
>
>
>.
>

Re: OT PKI / Certificate services by fygar

fygar
Wed Jun 23 11:41:11 CDT 2004

On Wed, 23 Jun 2004 11:55:10 -0400, "Rick" <Rick@na.com> wrote:

>
>OK, this is a question for someone who is a US corporate guru. In a publicly
>traded company, how do you satisfy the SEC rules regarding email and file
>security? It sounds like no one in the IT department for the
>organization is even allowed to have recovery agent authority because we
>might be able to read or see something that may lead us to purchase or sell
>stock. This puts the IT department in a bad situation, as we are responsible
>for the backup and recovery of all data; however, if a VP loses his
>certificate we cannot recover his data. Does anyone here have experience
>with these types of policy decisions? I am looking to find out if a
>Certificate server implementation can satisfy the SEC rules and what tuning
>to group policy, recovery agents and key backups may need to be done.
>
>Thanks
>
>Rick
>

Which of, and do you have a link to, the SEC rules you are talking
about? I've not interpreted anything I've read dealing with SOX that
leads to your dilemma.


...butch

Re: OT PKI / Certificate services by JaR

JaR
Wed Jun 23 11:48:23 CDT 2004

nerd32768 wrote:

> "Rick" <Rick@na.com> wrote in message
> news:%23neRxoTWEHA.3740@TK2MSFTNGP12.phx.gbl...
>
>>OK, this is a question for someone who is a US corporate guru. In a publicly
>>traded company, how do you satisfy the SEC rules regarding email and file
>>security? It sounds like no one in the IT department for the
>>organization is even allowed to have recovery agent authority because we
>>might be able to read or see something that may lead us to purchase or sell
>>stock. This puts the IT department in a bad situation, as we are responsible
>>for the backup and recovery of all data; however, if a VP loses his
>>certificate we cannot recover his data. Does anyone here have experience
>>with these types of policy decisions? I am looking to find out if a
>>Certificate server implementation can satisfy the SEC rules and what tuning
>>to group policy, recovery agents and key backups may need to be done.
>>
>>Thanks
>>
>>Rick
>>
>
>
> You probably get an acceptable answer in
> "microsoft.public.win2000.security", because nobody here seems to like to
> answer valid Microsoft questions
>
>
bugger off, puppy.

To try to answer the question, however.

There is no regulation prohibiting anyone in a corporate environment
from having knowledge that could influence a stock purchase or sale. It
is, however, illegal to use that knowledge to gain an unfair advantage
when trading in stocks or securities. An executive, for example, will
have advance knowledge of an impending bankruptcy, but to use that
knowledge to sell stock before it tanks is illegal.

JaR

Re: OT PKI / Certificate services by Rick

Rick
Wed Jun 23 12:07:11 CDT 2004

Thanks Jar. My question would be what policy would you have to put in place
to cover an SEC audit of your network practices? Does anyone have a policy
about using corporate data for financial gain?

Rick

"JaR" <plentespam@nospamsofthome.net> wrote in message
news:%23KFhlHUWEHA.212@TK2MSFTNGP12.phx.gbl...
> nerd32768 wrote:
>
> > "Rick" <Rick@na.com> wrote in message
> > news:%23neRxoTWEHA.3740@TK2MSFTNGP12.phx.gbl...
> >
> >>OK, this is a question for someone who is a US corporate guru. In a publicly
> >>traded company, how do you satisfy the SEC rules regarding email and file
> >>security? It sounds like no one in the IT department for the
> >>organization is even allowed to have recovery agent authority because we
> >>might be able to read or see something that may lead us to purchase or sell
> >>stock. This puts the IT department in a bad situation, as we are responsible
> >>for the backup and recovery of all data; however, if a VP loses his
> >>certificate we cannot recover his data. Does anyone here have experience
> >>with these types of policy decisions? I am looking to find out if a
> >>Certificate server implementation can satisfy the SEC rules and what tuning
> >>to group policy, recovery agents and key backups may need to be done.
> >>
> >>Thanks
> >>
> >>Rick
> >>
> >
> >
> > You probably get an acceptable answer in
> > "microsoft.public.win2000.security", because nobody here seems to like to
> > answer valid Microsoft questions
> >
> >
> bugger off, puppy.
>
> To try to answer the question, however.
>
> There is no regulation prohibiting anyone in a corporate environment
> from having knowledge that could influence a stock purchase or sale. It
> is, however, illegal to use that knowledge to gain an unfair advantage
> when trading in stocks or securities. An executive, for example, will
> have advance knowledge of an impending bankruptcy, but to use that
> knowledge to sell stock before it tanks is illegal.
>
> JaR



Re: OT PKI / Certificate services by Neil

Neil
Wed Jun 23 12:24:17 CDT 2004

"Rick" <Rick@na.com> wrote in
news:OxRpARUWEHA.4032@TK2MSFTNGP11.phx.gbl:

> Thanks Jar. My question would be what policy would you have to put in
> place to cover an SEC audit of your network practices? Does anyone
> have a policy about using corporate data for financial gain?

it might be best to go straight to the horse's mouth on this

http://www.sec.gov/contact/mailboxes.htm#smbus

being Canadian I can give you no personal experience, I don't think you
should implement systems or restrictions needlessly.

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: OT PKI / Certificate services by Rick

Rick
Wed Jun 23 13:11:32 CDT 2004

Thanks Neil,

Hey it is worth a try so I am sending an email to them


Rick


"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns9511885C73677neilmcsehotmailcom@207.46.248.16...
> "Rick" <Rick@na.com> wrote in
> news:OxRpARUWEHA.4032@TK2MSFTNGP11.phx.gbl:
>
> > Thanks Jar. My question would be what policy would you have to put in
> > place to cover an SEC audit of your network practices? Does anyone
> > have a policy about using corporate data for financial gain?
>
> it might be best to go straight to the horse's mouth on this
>
> http://www.sec.gov/contact/mailboxes.htm#smbus
>
> being Canadian I can give you no personal experience, I don't think you
> should implement systems or restrictions needlessly.
>
> --
> Neil MCNGP #30
> "you'd do what, to who, for how many biscuits?"



Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:39:20 CDT 2004

circa Wed, 23 Jun 2004 11:55:10 -0400, in
microsoft.public.cert.exam.mcse, Rick (Rick@na.com) said,
> OK, this is a question for someone who is a US corporate guru. In a publicly
> traded company, how do you satisfy the SEC rules regarding email and file
> security? It sounds like no one in the IT department for the
> organization is even allowed to have recovery agent authority because we
> might be able to read or see something that may lead us to purchase or sell
> stock. This puts the IT department in a bad situation, as we are responsible
> for the backup and recovery of all data; however, if a VP loses his
> certificate we cannot recover his data. Does anyone here have experience
> with these types of policy decisions? I am looking to find out if a
> Certificate server implementation can satisfy the SEC rules and what tuning
> to group policy, recovery agents and key backups may need to be done.
>
Yes, I have worked with this kind of environment. I still do,
actually, and we just built a proper PKI a few weeks ago. Our CPS is
100 pages long, which might give you an idea of how complex the
answer to your question actually is.

There's a lot more than can be answered in a newsgroup post, but your
best bet is to take a look at either the MOC course 2821, or download
all of the PKI whitepapers from Microsoft's site and start plowing
through them. There's a lot to setting up a proper PKI.

You may also consider hiring consultants who specialize in this.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:39:51 CDT 2004

circa Wed, 23 Jun 2004 11:27:22 -0500, in
microsoft.public.cert.exam.mcse, nerd32768 (brin{removethis}
sons@spymac.com) said,
> You probably get an acceptable answer in
> "microsoft.public.win2000.security", because nobody here seems to like to
> answer valid Microsoft questions
>
Speak for yourself.

And the question isn't specific to Windows 2000.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:41:42 CDT 2004

circa Wed, 23 Jun 2004 09:48:23 -0700, in
microsoft.public.cert.exam.mcse, JaR (plentespam@nospamsofthome.net)
said,
> > You probably get an acceptable answer in
> > "microsoft.public.win2000.security", because nobody here seems to like to
> > answer valid Microsoft questions
> >
> >
> bugger off, puppy.
>
> To try to answer the question, however.
>
> There is no regulation prohibiting anyone in a corporate environment
> from having knowledge that could influence a stock purchase or sale. It
> is, however, illegal to use that knowledge to gain an unfair advantage
> when trading in stocks or securities. An executive, for example, will
> have advance knowledge of an impending bankruptcy, but to use that
> knowledge to sell stock before it tanks is illegal.
>
>
Actually, the SEC has some wonky regulations WRT to some types of
data and how they can or cannot be stored. In fact, EMC has built a
Centera implementation specifically for SEC compliance. It's really
quite interesting.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:43:43 CDT 2004

circa Wed, 23 Jun 2004 13:07:11 -0400, in
microsoft.public.cert.exam.mcse, Rick (Rick@na.com) said,
>
> Thanks Jar. My question would be what policy would you have to put in place
> to cover an SEC audit of your network practices? Does anyone have a policy
> about using corporate data for financial gain?
>
Rick, there is *so* much that needs to be done to properly address
SEC regulations. What you're asking really can't be answered well in
a newsgroup. Do you have a budget for this project? If not, it's time
to start pushing for one.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:45:04 CDT 2004

circa Wed, 23 Jun 2004 10:24:17 -0700, in
microsoft.public.cert.exam.mcse, Neil (neilmcse@nospamforyou.com)
said,
>
> > Thanks Jar. My question would be what policy would you have to put in
> > place to cover an SEC audit of your network practices? Does anyone
> > have a policy about using corporate data for financial gain?
>
> it might be best to go straight to the horse's mouth on this
>
> http://www.sec.gov/contact/mailboxes.htm#smbus
>
> being Canadian I can give you no personal experience, I don't think you
> should implement systems or restrictions needlessly.
>
SEC regulations are very complex. We have full-time lawyers on staff
who do nothing but SEC gunk, in fact.

Hire consultants.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Wed Jun 23 22:45:56 CDT 2004

circa Wed, 23 Jun 2004 12:41:11 -0400, in
microsoft.public.cert.exam.mcse, fygar (cpudoc10@hotmail.com) said,
>
> Which of, and do you have a link to, the SEC rules you are talking
> about? I've not interpreted anything I've read dealing with SOX that
> leads to your dilemma.
>
>
It depends on the nature of his company and what they do with whose
data.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Neil

Neil
Thu Jun 24 06:38:45 CDT 2004

Laura A. Robinson <geekwench@snippit.hotmail.com> wrote in
news:MPG.1b441783ddda2a1798aa52@msnews.microsoft.com:

> In fact, EMC has built a
> Centera implementation specifically for SEC compliance. It's really
> quite interesting.
>

you get to work with cool stuff...
(so do I some days. but this thing is starting to sound interesting. does
that make me strange?)

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: OT PKI / Certificate services by Laura

Laura
Thu Jun 24 10:23:02 CDT 2004

circa Thu, 24 Jun 2004 04:38:45 -0700, in
microsoft.public.cert.exam.mcse, Neil (neilmcse@nospamforyou.com)
said,
> > In fact, EMC has built a
> > Centera implementation specifically for SEC compliance. It's really
> > quite interesting.
> >
>
> you get to work with cool stuff...

Indeed I do. Did I mention our 200-server TS/Citrix implementation?
:-)

> (so do I some days. but this thing is starting to sound interesting. does
> that make me strange?)

I'm probably not the appropriate person to judge that...

Laura
>

--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Thu Jun 24 10:25:03 CDT 2004

circa Thu, 24 Jun 2004 04:38:45 -0700, in
microsoft.public.cert.exam.mcse, Neil (neilmcse@nospamforyou.com)
said,
> > In fact, EMC has built a
> > Centera implementation specifically for SEC compliance. It's really
> > quite interesting.
> >
>
> you get to work with cool stuff...
> (so do I some days. but this thing is starting to sound interesting. does
> that make me strange?)
>
Check it out: http://www.emc.com/products/systems/centera.jsp
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Neil

Neil
Thu Jun 24 11:09:56 CDT 2004

Laura A. Robinson <geekwench@snippit.hotmail.com> wrote in
news:MPG.1b44bbdf43bb17298aa63@msnews.microsoft.com:

> I'm probably not the appropriate person to judge that...

ever stopped anyone before....

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: OT PKI / Certificate services by Neil

Neil
Thu Jun 24 11:14:04 CDT 2004

Laura A. Robinson <geekwench@snippit.hotmail.com> wrote in
news:MPG.1b44bc5dbd95ab4298aa64@msnews.microsoft.com:

> http://www.emc.com/products/systems/centera.jsp

niiiiiiicccccceee. now how am I gonna get HP to ante up. this could really
help me on my MFIPA/records/EDM stuff here.

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: OT PKI / Certificate services by JaR

JaR
Thu Jun 24 11:15:27 CDT 2004

Laura A. Robinson wrote:
> circa Thu, 24 Jun 2004 04:38:45 -0700, in
> microsoft.public.cert.exam.mcse, Neil (neilmcse@nospamforyou.com)
> said,
>
>>> In fact, EMC has built a
>>>Centera implementation specifically for SEC compliance. It's really
>>>quite interesting.
>>>
>>
>>you get to work with cool stuff...
>
>
> Indeed I do. Did I mention our 200-server TS/Citrix implementation?
> :-)
>

Can I come over and play with your toys?

JaR
Eager Thug

Re: OT PKI / Certificate services by Neil

Neil
Thu Jun 24 11:18:38 CDT 2004

JaR <plentespam@nospamsofthome.net> wrote in news:uD6H1ZgWEHA.2940
@TK2MSFTNGP09.phx.gbl:

>
> Can I come over and play with your toys?

not surprisingly, that just sounds dirty. I'm tellin your missus....

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"

Re: OT PKI / Certificate services by Laura

Laura
Thu Jun 24 15:15:22 CDT 2004

circa Thu, 24 Jun 2004 09:15:27 -0700, in
microsoft.public.cert.exam.mcse, JaR (plentespam@nospamsofthome.net)
said,
> >>> In fact, EMC has built a
> >>>Centera implementation specifically for SEC compliance. It's really
> >>>quite interesting.
> >>>
> >>
> >>you get to work with cool stuff...
> >
> >
> > Indeed I do. Did I mention our 200-server TS/Citrix implementation?
> > :-)
> >
>
> Can I come over and play with your toys?
>
Nope.
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by Laura

Laura
Thu Jun 24 15:17:23 CDT 2004

circa Thu, 24 Jun 2004 09:14:04 -0700, in
microsoft.public.cert.exam.mcse, Neil (neilmcse@nospamforyou.com)
said,
> > http://www.emc.com/products/systems/centera.jsp
>
> niiiiiiicccccceee. now how am I gonna get HP to ante up. this could really
> help me on my MFIPA/records/EDM stuff here.
>
It really is nice. Not cheap, but nice. And they give you a deal if
you buy lots of 'em. :-)

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde

Re: OT PKI / Certificate services by JaR

JaR
Thu Jun 24 15:34:15 CDT 2004

Laura A. Robinson wrote:

>>Can I come over and play with your toys?
>>
>
> Nope.

I'll let you pet my Basset.

JaR
Lovable Thug

Re: OT PKI / Certificate services by Neil

Neil
Thu Jun 24 15:38:01 CDT 2004

JaR <plentespam@nospamsofthome.net> wrote in news:#8yccqiWEHA.1144
@TK2MSFTNGP10.phx.gbl:

> I'll let you pet my Basset.

is that what you call yours?

--
Neil MCNGP #30
"you'd do what, to who, for how many biscuits?"