You may enjoy this exchange with a customer from a few years back. I’ve changed the names to protect the guilty:
I reviewed your Sarbanes Oxley compliance document and noticed a few things that are worthy of mention:
1. The security section requires that sensitive information be encrypted in transit but most users do not have encryption tools available.
2. The security section mentioned that a user is not allowed to disable his virus scanner, yet this is permitted on most or all workstations.
3. The security section requires that if possible a session must time out after 30 minutes, but none of the windows workstations times out. This is something that could be centrally controlled.
And the response:
Thanks for your feedback. I’ll forward your email to Sue and Francine and add it to my file.