The Sarbanes-Oxley Act of 2002 and associated rules adopted by Securities and Exchange Commission (SEC) require certain businesses to report on effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.

The role of email in Sarbanes-Oxley compliance cannot be overstated. At a high level, email is primary internal and external communication tool for corporations. However, a more granular inspection of email’s role, especially as pertaining to corporate information security, reveals that it can make or break a company’s efforts to comply with Sarbanes-Oxley. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance.

Complying with Sarbanes-Oxley

The changes required to ensure Sarbanes-Oxley compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call Act “the most sweeping legislation to affect publicly traded companies since reforms during Great Depression.” Since bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share of responsibility for Sarbanes-Oxley compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:

• Network security
• Access controls
• Authentication
• Encryption
• Logging
• Monitoring and alerting
• Pre-planning coordinated incident response
• Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

• They have reviewed quarterly & annual financial reports;
• The information is complete and accurate;
• Effective disclosure controls and procedures are in place and maintained to ensure that material information about company is made known to them.

Sarbanes-Oxley Section 404

This section regulates enforcement of internal controls. Management must show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, company must produce documented evidence of an annual assessment of internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in right direction with regards to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at company or on a remote site or machine. Given wide functionality of email, as well as broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:

• A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
• Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
• Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
• Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties

Phishing is a relatively new form of online fraud that focuses on fooling victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, victim provides information into a form on imposter site, which then relays information to fraudster.

Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, Phishing attacks have increased by 4000%. Compounding issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.

Corporations should be concerned with following four issues:

1. Protecting employees from fraud
2. Reassuring and educating customers
3. Protecting their brand
4. Preventing network intrusions and dissemination of trade secrets

A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in marketplace. If employees are not protected, company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust organization with their sensitive information. And finally, latest trend in phishing has been to socially engineer employees or business partners to divulge sensitive trade secrets to hackers. The implications of employee login information getting into wrong hands could result in grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.

Protecting Employees from Phishing

One of best ways to protect employees from Phishing is to prevent spam from ever getting to user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing majority of phishing attempts.

New technologies are also available to help prevent phishing. One such technology offered as a standard by Microsoft and supported by CipherTrust is Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying source of each email.

Of course, spam filtering and SIDF cannot solve problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.

Reassuring and Educating Customers

Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications, and need to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of site be devoted to helping customers avoid fraud.

Companies that make efforts to educate their customers about phishing are much less attractive targets than those who make no efforts at all. Some examples of organizations that have developed extensive policies around this issue are:

• USBank
• Wells Fargo Bank
• Ebay and PayPal
• Citibank

Protecting Company Brand

Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and brand equity is eroded. The more attacks a company suffers, less consumers feel they can trust company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial options such as telesales or retail locations.

Clearly goal is to convince fraudsters that your customers will not fall for scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. The fraudsters tend to follow path of least resistance. Seeing that customers are well informed of how to avoid phishing attacks, perpetrators simply turn their attention to other “softer” targets.

Preventing Network Intrusions and Dissemination of Trade Secrets