Title: Sarbanes-Oxley and the Shoemaker's Children
1 Sarbanes-Oxley and the Shoemaker's Children
- John Thielens
- CTO, Tumbleweed
- ISACA Atlanta
- January 18, 2005
2 Dramatis Personae (diagram; labels: Angry Investors, Voters, and a question mark)
3 Dramatis Personae (diagram; labels: Angry Investors, Voters, H.R. 3763, and a question mark)
4 Revised Model
5 Tumbleweed
- The Secure Internet Messaging Leader
- Founded 1993
- IPO 1999
- SOX 2004
- Revenues (ttm): $40 million
- Cost of being public: $1 million
- Cost of SOX: $1 million more
6 Tumbleweed's Business
- Security Software
  - Email Firewalls (A/V, Anti-Spam, Filtering)
  - Secure Email
  - Secure File Transfer
  - PKI Certificate Validation (OCSP)
- Sold as software and as security appliances
- Employees: 300, including 100 in Europe
- Sales: direct and channel
7 Sarbanes-Oxley
- Public Company Accounting Oversight Board
- Auditor Independence
- Corporate Responsibility
- Enhanced Financial Disclosures
- Analyst Conflicts of Interest
- Commission Resources and Authority
- Studies and Reports
- Corporate and Criminal Fraud Accountability
- White-Collar Crime Penalty Enhancements
- Corporate Tax Returns
- Corporate Fraud and Accountability
8 Sarbanes-Oxley
- Public Company Accounting Oversight Board
- Auditor Independence
- Section 302: CEO/CFO Sign-off
- Section 404: Management Assessment of Internal Controls
- Analyst Conflicts of Interest
- Section 601: More SEC Resources (add 200 staff)
- Studies and Reports
- Teeth: up to 10-20 years (securities fraud, destruction)
- More teeth: up to 5 years / $500,000 (willful, knowing)
- Corporate Tax Returns
- Even more teeth: up to 20 years (fraud)
9 Why Me? (diagram; labels: 404, 302, CFO, IT, CTO, PM, Financial Systems, Engineering Systems, Products, Corporate Systems, Email)
10 Section 404
Source: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
11 Interpretation
- Have controls
- Enforce the controls
- Validate testability of the controls
- "I don't know" is as good as guilty
- Partner with your auditor
12 Risk Model
- Goal: reduce risk of material misstatement
- Inherent risk
- Fraud risk
- Identify transactional workflows
- Quantify magnitude of potential misstatement
Source: http://www.pwcglobal.com/extweb/manissue.nsf/2e7e9636c6b92859852565e00073d2fd/23fdb9805fee7ec085256cd20062978f/FILE/ManagementWP_Dec2003.pdf
13 SOX Readiness Phases
- Denial
- Resignation
- Initial Analysis
- Documentation
- Infection
- Reengineering
- Exhaustion
- Congestion
14 Tumbleweed Money Machine (workflow diagram; labels: Sales, Sales Ops, Sales Automation, Software Licensing, orders, Guidance, sign, Execs, approve, Financial Systems, approve, products, payment, Auditors, Finance, Board, Customers, Email, Domain, Desktops, Internet)
15 Spreadsheets
- MAY 24, 2004 (COMPUTERWORLD) - Washington-based Fannie Mae made a $1.2 billion accounting error last year because of what it called "honest mistakes made in a spreadsheet" used in the implementation of a new accounting standard. Toronto-based TransAlta Corp. took a $24 million charge last year after a bidding snafu caused by a cut-and-paste error in an Excel spreadsheet.
- These are spine-chilling mistakes, but research indicates that many company spreadsheets have errors. Anecdotal evidence suggests that 20% to 40% of spreadsheets have errors, but recent audits of 54 spreadsheets found that 49 (or 91%) had errors, according to research by Raymond R. Panko, a professor at the University of Hawaii.
Source: http://www.computerworld.com/databasetopics/businessintelligence/story/0,10801,93292,00.html
16 Affected Systems
- Access Controls
  - Password policy and expiration
- Change Controls
  - Avoid email-based workflows
- Business Continuity
  - Backup, replication, etc.
17 Passwords
- Trying to Remember New Passwords Isn't As Easy as ABC123
- Codes in Flux Have Employees Jotting, Not Memorizing Long Lists on a Post-It
- By SCOTT THURM and MYLENE MANGALINDAN, Staff Reporters of THE WALL STREET JOURNAL, December 9, 2004, Page A1
- Before she begins work each morning, Kate Prior must enter eight computer passwords. Each must contain at least eight characters, and most require letters and numbers. Every three months, she must change them all.
- How does the 28-year-old monitor of drug trials remember her passwords? Easy: They're written on a blue Post-It note affixed to her computer.
Source: http://online.wsj.com/article/0,,SB110255403000595158,00.html
18 More on Passwords
- 75% of users memorize passwords (Symantec)
- Password crack time: 45-60 days (SunGard)
- At Tumbleweed (a personal sampler of separate logins):
  - Domain
  - NIS
  - VPN
  - Secure Messenger
  - Extranet
  - Source Control
  - Problem Tracking
  - Webex
  - Benefits (ASP)
  - 401(k) (ASP)
19 Password Solutions
- Single Sign-On (e.g. Active Directory)
- Two-factor/strong authentication
- X.509 certificates
- Tokens
20 Major Initiatives
- Password policy enforcement
- Email retention policy enforcement (Section 802)
- Change management controls
- Tape backup improvements
- Log monitoring
- Visitor badges, telecommunications policy
- Encryption of most secure communications
- Security awareness communiqués
21 'Bout Time Benefits
- IT Steering Committee
- Security Committee
- Exchange upgrade (AD, 5.5 to 2003)
- Microsoft licensing program
- Hard external IT costs: $150K
22 Shoes, Dogfood,
23 We are now eating/wearing
- Outbound disclaimer
- Secure board communications
  - Manual use (SSO to AD)
  - Automated filter (redirect by recipient)
  - Retention/expiration controls
- Two-tiered email network
  - DoS, DHA defenses in outer tier
  - Virus/SPAM quarantine in inner tier
Outbound disclaimer text shown on the slide: This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
24 Secure Mailbox
25 Corporate Lessons Learned
- Avoid Email
  - Use real workflow products
  - Email has archiving/retention requirements
- Avoid spreadsheets
  - Or place them under stringent review control
- Single Sign-On
  - New VPN coming
26 Product Lessons Learned
- Single Sign-On is a critical feature
- Support for dual internal/external systems
- Sensitivity to Email Retention Policies
  - Even for mail queues
- Emphasis on reporting
- Control structure for product features is in many cases more important than the features
27 Challenges
- Email change control
  - More process around beta deployments
  - Mail trend research more difficult
  - Segregate non-corporate domains
- IT and Audits
  - Cultivate trust between IT and auditors
28 Summary
- This had to happen
  - Because of fraud and errors
- We know this is the right thing to do
  - But we never got it funded
- SOX is a market
  - Some technology, but mostly auditors
- So you want to IPO.