How Sarbanes-Oxley Affects Corporate Email Systems

Written by CipherTrust

The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.

The role of email in Sarbanes-Oxley compliance cannot be overstated. At a high level, email is the primary internal and external communication tool for corporations. However, a more granular inspection of email’s role, especially as it pertains to corporate information security, reveals that it can make or break a company’s efforts to comply with Sarbanes-Oxley. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance.

Complying with Sarbanes-Oxley

The changes required to ensure Sarbanes-Oxley compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act “the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression.” Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share of the responsibility for Sarbanes-Oxley compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:

  • Network security
  • Access controls
  • Authentication
  • Encryption
  • Logging
  • Monitoring and alerting
  • Pre-planning coordinated incident response
  • Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

  • They have reviewed quarterly and annual financial reports;
  • The information is complete and accurate;
  • Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.

Sarbanes-Oxley Section 404

This section regulates enforcement of internal controls. Management must show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in the right direction with regard to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine. Given the wide functionality of email, as well as the broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:

  • A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
  • Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
  • Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
  • Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties.

Why Corporations Need to Worry About Phishing

Written by CipherTrust

Phishing is a relatively new form of online fraud that focuses on fooling the victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, the victim enters information into a form on the imposter site, which then relays the information to the fraudster.

Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, phishing attacks increased by 4000%. Compounding the issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.

Corporations should be concerned with the following four issues:

  1. Protecting employees from fraud
  2. Reassuring and educating customers
  3. Protecting their brand
  4. Preventing network intrusions and dissemination of trade secrets

A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in the marketplace. If employees are not protected, the company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then the company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust the organization with their sensitive information. And finally, the latest trend in phishing has been to socially engineer employees or business partners into divulging sensitive trade secrets to hackers. Employee login information falling into the wrong hands could have grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.

Protecting Employees from Phishing

One of the best ways to protect employees from phishing is to prevent spam from ever getting to the user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing the majority of phishing attempts.

New technologies are also available to help prevent phishing. One such technology, offered as a standard by Microsoft and supported by CipherTrust, is the Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying the source of each email.
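To make the source-verification idea concrete, the following is an added example (not CipherTrust's code and not the actual Sender ID implementation) of the SPF-style policy check that Sender ID builds on: the IP address that delivered a message is tested against the policy the claimed sending domain publishes in DNS. The domains, addresses and records are constructed placeholders, and the DNS lookup, the Purported Responsible Address selection and the `mx`, `a` and `redirect` mechanisms of the real framework are left out.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; the domains and
# addresses are placeholders, not real infrastructure.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, depth=0):
    """Evaluate the policy record of `domain` against the IP that delivered
    the message. Only the ip4, include and all mechanisms are modelled."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1 ") or depth > 10:
        return "none"          # no policy published (or include chain too deep)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced domain's policy passes
            matched = check_sender(arg, client_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue           # mechanisms not modelled here are skipped
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"           # record exhausted without an explicit all


def gateway_action(result):
    """Map the verification result to what an email gateway would do with it."""
    return {"pass": "deliver", "fail": "reject",
            "softfail": "quarantine"}.get(result, "deliver-and-flag")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        result = check_sender("example.com", ip)
        print(ip, result, gateway_action(result))
```

A message claiming to come from example.com but delivered from 203.0.113.7 ends in `fail` and is rejected, while the provider's address reached through the `include` passes.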

Of course, spam filtering and SIDF cannot solve the problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting-edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve the phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.

Reassuring and Educating Customers

Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications, and the need to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of the site be devoted to helping customers avoid fraud.

Companies that make efforts to educate their customers about phishing are much less attractive targets than those that make no effort at all. Some examples of organizations that have developed extensive policies around this issue are:

Protecting the Company Brand

Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and brand equity is eroded. The more attacks a company suffers, the less consumers feel they can trust the company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust the company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial options such as telesales or retail locations.

Clearly the goal is to convince the fraudsters that your customers will not fall for the scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. The fraudsters tend to follow the path of least resistance. Seeing that customers are well informed of how to avoid phishing attacks, the perpetrators simply turn their attention to other “softer” targets.

Preventing Network Intrusions and Dissemination of Trade Secrets

Continued on page 2. © 2005