SarbanesOxley and the Shoemakers Chlidren

1
Sarbanes-Oxley and the Shoemakers Chlidren

• John Thielens
• CTO, Tumbleweed
• ISACA Atlanta
• January 18, 2005

2
Dramatis Personae
?
Angry Investors
Voters
3
Dramatis Personae
Angry
H.R. 3763
Voters
?
4
Revised Model
5
Tumbleweed

• The Secure Internet Messaging Leader
• Founded 1993
• IPO 1999
• SOX 2004
• Revenues (ttm) 40 million
• Cost of being public 1 million
• Cost of SOX 1 million more

6
Tumbleweeds Business

• Security Software
• Email Firewalls (A/V, Anti-Spam, Filtering)
• Secure Email
• Secure File Transfer
• PKI Certificate Validation (OCSP)
• Sold as software and as security appliances
• Employees 300, including 100 in Europe
• Sales direct and channel

7
Sarbanes-Oxley

• Public Company Accounting Oversight Board
• Auditor Independence
• Corporate Responsibility
• Enhanced Financial Disclosures
• Analyst Conflicts of Interest
• Commission Resources and Authority
• Studies and Reports
• Corporate and Criminal Fraud Accountability
• White-Collar Crime Penalty Enhancements
• Corporate Tax Returns
• Corporate Fraud and Accountability

8
Sarbanes-Oxley

• Public Company Accounting Oversight Board
• Auditor Independence
• Section 302 CEO/CFO Signoff
• Section 404 Management Assessment of Internal
  Controls
• Analyst Conflicts of Interest
• Section 601 More SEC Resources (add 200 staff)
• Studies and Reports
• Teeth up to 10-20 years (securities fraud,
  destruction)
• More teeth up to 5 years/500,000 (willful
  knowing)
• Corporate Tax Returns
• Even more teeth up to 20 years (fraud)

9
Why Me?
404
302
CFO
IT
CTO
PM
FinancialSystems
EngineeringSystems
Products
CorporateSystems
Email
10
Section 404
Source http//news.findlaw.com/hdocs/docs/gwbush/
sarbanesoxley072302.pdf
11
Interpretation

• Have controls
• Enforce the controls
• Validate testability of the controls
• I dont know is as good as guilty
• Partner with your auditor

12
Risk Model

• Goal reduce risk of material misstatement
• Inherent risk
• Fraud risk
• Identify transactional workflows
• Quantify magnitude of potential misstatement

Source http//www.pwcglobal.com/extweb/manissue.n
sf/2e7e9636c6b92859852565e00073d2fd/23fdb9805fee7
ec085256cd20062978f/FILE/ManagementWP_Dec2003.pd
f
13
SOX Readiness Phases

• Denial
• Resignation
• Initial Analysis
• Documentation
• Infection
• Reengineering
• Exhaustion
• Congestion

14
Tumbleweed Money Machine
Sales
Sales Ops
SalesAutomation
SoftwareLicensing
orders
Guidance
sign
Execs
approve
FinancialSystems
approve
products
payment
Auditors
Finance
Board
Customers
Email
Domain
Desktops
Internet
15
Spreadsheets

• MAY 24, 2004 (COMPUTERWORLD) - Washington-based
  Fannie Mae made a 1.2 billion accounting error
  last year because of what it called "honest
  mistakes made in a spreadsheet" used in the
  implementation of a new accounting standard.
  Toronto-based TransAlta Corp. took a 24 million
  charge last year after a bidding snafu caused by
  a cut-and-paste error in an Excel spreadsheet.
• These are spine-chilling mistakes, but research
  indicates that many company spreadsheets have
  errors. Anecdotal evidence suggests that 20 to
  40 of spreadsheets have errors, but recent
  audits of 54 spreadsheets found that 49 (or 91)
  had errors, according to research by Raymond R.
  Panko, a professor at the University of Hawaii.

Source http//www.computerworld.com/databasetopic
s/businessintelligence/story/0,10801,93292,00.html
16
Affected Systems

• Access Controls
• Password Policy and expiration
• Change Controls
• Avoid email-based workflows
• Business Continuity
• Backup, replication, etc.

17
Passwords

• Trying to Remember New Passwords Isn't As Easy as
  ABC123
• Codes in Flux Have Employees Jotting, Not
  Memorizing Long Lists on a Post-It
• By SCOTT THURM and MYLENE MANGALINDAN Staff
  Reporters of THE WALL STREET JOURNALDecember 9, 2
  004 Page A1
• Before she begins work each morning, Kate Prior
  must enter eight computer passwords. Each must
  contain at least eight characters, and most
  require letters and numbers. Every three months,
  she must change them all.
• How does the 28-year-old monitor of drug trials
  remember her passwords? Easy They're written on
  a blue Post-It note affixed to her computer.

Source http//online.wsj.com/article/0,,SB1102554
03000595158,00.html
18
More on Passwords

• 75 of users memorize passwords (Symantec)
• Password crack time 45-60 days (SunGard)
• At Tumbleweed (a personal sampler)
• Domain - Source Control
• NIS - Problem Tracking
• VPN - Webex
• Secure Messenger - Benefits (ASP)
• Extranet - 401(k) (ASP)

19
Password Solutions

• Single Sign On (e.g. ActiveDirectory)
• Two-factor/strong authentication
• X.509 certificates
• Tokens

20
Major Initiatives

• Password policy enforcement
• Email retention policy enforcement (802)
• Change management controls
• Tape backup improvements
• Log monitoring
• Visitor badges telecommunications policy
• Encryption of most secure communications
• Security awareness communiqués

21
Bout Time Benefits

• IT Steering Committee
• Security Committee
• Exchange upgrade (AD, 5.5?2003)
• Microsoft licensing program
• Hard external IT costs 150K

22
Shoes, Dogfood,
23
We are now eating/wearing

• Outbound disclaimer
• Secure board communications
• Manual use (SSO to AD)
• Automated filter (redirect by recipient)
• Retention/expiration controls
• Two-tiered email network
• DoS, DHA defenses in outer tier
• Virus/SPAM Quarantine in inner tier

This e-mail, including attachments, may include
confidential and/or proprietary information, and
may be used only by the person or entity to which
it is addressed. If the reader of this e-mail is
not the intended recipient or his or her
authorized agent, the reader is hereby notified
that any dissemination, distribution or copying
of this e-mail is prohibited. If you have
received this e-mail in error, please notify the
sender by replying to this message and delete
this e-mail immediately.
24
Secure Mailbox
25
Corporate Lessons Learned

• Avoid Email
• Use real workflow products
• Email has archiving/retention requirements
• Avoid spreadsheets
• Or place them under stringent review control
• Single-Sign-On
• New VPN coming

26
Product Lessons Learned

• Single-Sign-On is a critical feature
• Support for dual internal/external systems
• Sensitivity to Email Retention Policies
• Even for mail queues
• Emphasis on reporting
• Control Structure for product features is in
  many cases more important than the features

27
Challenges

• Email change control
• More process around beta deployments
• Mail trend research more difficult
• Segregate non-corporate domains
• IT and Audits
• Cultivate trust between IT and auditors

28
Summary

• This had to happen
• Because of fraud and errors
• We know this is the right thing to do
• But we never got it funded
• SOX is a market
• Some technology, but mostly auditors
• So you want to IPO.