[RayPesek]

"I have a lot of heartburn over the concept of doing SSO with just user names and passwords."

SSO based on the above is what i consider dangerous. I agree that RSA does have a nice solution.

SOX is semi-useless for general security. External auditors seem to take a very narrow focus over what could cause problems and Jim is right. They don't care what the policy is unless it is really simple. If it cannot directly affect financial reporting, they do not care. After all, if they bounce too many clients, they won't get any more and they'll get replaced. That's why government inspectors in the US can be so effective. They're not paid by the entity they are inspecting (at least not legally!)

Ray