When someone mentioned the Leveraging Open Source for SOX Compliance session in the OSCON press call this morning, my first reaction was “Hey, I do that!”
At my previous company a couple of years ago, a few of us began to recognise the need for serious change control within our IT department. Better still, we had a plan for implementing the tools needed to do it, without paying 6-8 figures to an outsourcing vendor to manage the design, rollout, and maintenance of a proprietary solution.
I was the lead programmer on the project, so I chose to take advantage of free tools — Apache, mod_perl, and HTML::Mason to handle the web serving and templating; an old intranet codebase I had written to handle calendaring, table widgets, and other miscellaneous tasks; and a fresh install of Debian to give me a nice development environment (and allow me to reuse an old x86 server that was literally pulled out of the scrap heap).
Sometime during the development of the project, Sarbanes-Oxley compliance became the big thing in the IT department, and strong change control went from “sure, that would be nice” to “we need that NOW”. Since there was no way to even complete vendor selection on a proprietary product in the timeframe we needed, my pseudo-skunkworks project suddenly became a key part of the company’s SOX compliance story.
A few months after go-live, I decided to switch from employee to consultant to pursue my graphics interests and gain more time to contribute to open source projects. I still spend a fair percentage of my time consulting back to the old company to add new features to the change control system as usage grows. With thousands of RFCs (requests for change) in the system at this point, and quite a few hours billed, I’m told the total project cost is still a fraction of just the license fees (let alone consulting, training, etc.) for the leading proprietary options. Better still, the company knows that they can get almost any new feature they want, at a price and in a timeframe they can live with. If they don’t need any new features, there’s no continuing cost beyond (minimal) hardware to keep the service up. There’s no vendor lock-in, because all of the code is open, built with open source tools, and uses open data formats.
And that’s an open source SOX success story if I ever heard one.
How have you used open source technologies to address Sarbanes-Oxley?