Achieving Compliance

Author: Wilfred Farmer
CONTENTS

2  Executive Summary
3  What is Sarbanes-Oxley?
4  Who Does Sarbanes-Oxley Affect?
5  How SOX Will Influence Information Technology
6  Common Compliance Needs
7  How Guardian Digital Can Help

Achieving Compliance with Guardian Digital

Helping Businesses Understand and Become Sarbanes-Oxley Compliant

165 Chestnut Street, Second Floor ● Allendale, NJ 07401 ● (201) 934-9230

Executive Summary

The Sarbanes-Oxley (SOX) Act of 2002 is the most prominent United States government legislation of its kind since the Securities Exchange Act of 1934. Becoming law in July 2002, and officially called the U.S. Public Company Accounting Reforms and Investor Protection Act, SOX was chartered in response to the surfacing of many infamous accounting scandals, in an effort to establish corporate accountability and to restore investor confidence in publicly traded corporations. The main intent of this legislation is to hold organizations and their executives responsible for the validity of corporate reporting by imposing requisites on all companies with public interests, forcing disclosure of internal weaknesses, and requiring executives to attest to the accuracy of financial conditions, in hopes of increasing financial transparency and accountability. As mandated by SOX, corporations can accommodate these regulations through the design, implementation, and maintenance of efficient and effective internal controls.

To comply with SOX, enterprises and small businesses alike are choosing to implement application solutions, like those offered by Guardian Digital, to improve existing business processes and help ensure a stable corporate environment by assisting in the implementation, enforcement, and maintenance of these IT applications and procedures. With compliance deadlines fast approaching (November 15, 2004 for corporations with capitalization over 75 million and July 15, 2005 for all other organizations), it is critical that companies act quickly and take the appropriate steps to satisfy the requirements of Sarbanes-Oxley.

This document will serve as a resource to explain the mandates of Sarbanes-Oxley as they pertain to information technology, and to further explain how Guardian Digital, the premier Internet and network security company, offers comprehensive and cost-effective application solutions to help organizations of any size comply with the latest United States legislation.


Sarbanes-Oxley compliance spending will reach $5.5 billion in 2004 Source: AMR Research

93% of executives are not aware of their Sarbanes-Oxley responsibilities. Source: Businesswire

Auditors estimate that they'll report shortcomings at 10% to 20% of public companies Source: Businessweek

What is Sarbanes-Oxley?

Key Points on Sarbanes-Oxley

• Corporations and their executives are liable for the accuracy and fairness of financial reports.
• Executives are required to personally certify the integrity of financial reports.
• Executives and auditors must confirm the effectiveness of internal controls, including all procedures and processes involved in the creation, reporting, storage, and transmission of all financial information.
• All corporate assessments by both executives and independent auditors, including weaknesses in internal controls, will be disclosed in annual reports filed with the SEC.
• Criminal penalties, including fines and imprisonment, will be instituted for corporations and executives taking part in white-collar crimes, including the knowing alteration of material documents and any other form of fraud.

The Sarbanes-Oxley Act of 2002 was the United States government’s response to the Enron, WorldCom, Adelphia, and Tyco accounting scandals of the late 1990s. This legislation establishes acceptable conduct standards regarding the maintenance and preservation of electronic and paper records, as well as the behavior and accountability of corporate executives, auditors, and employees. Containing 11 titles, SOX establishes new standards for corporate accountability as well as financial and imprisonment penalties for corporate wrongdoing and white-collar crimes. Under this act, the CEO and CFO of publicly traded companies must validate financial statements and other accounting information, including annual and quarterly reports submitted to the SEC, ensure that any significant deficiencies and material or non-material fraud are disclosed, and report on the effectiveness of internal controls regarding financial reporting and fraud prevention.

Section 404 of the Sarbanes-Oxley Act directly relates to the need for effective internal controls by corporations falling under SOX jurisdiction. Under Section 404, management must institute a comprehensive internal control structure which includes appropriate procedures to ensure accurate and complete financial reporting. An annual assessment by management must be made regarding the effectiveness of this structure, supported by documented evidence, and management’s assessment must be validated by a registered public accounting firm. It is the hope of the legislators that by mandating these codes of conduct for business practices, corporations will be able to provide investors and stakeholders with confidence regarding the efficiency of operations, the accuracy of financial matters, and lawful compliance with relevant government regulations.


MISCONCEPTIONS

Due to the vagueness of the legislation, corporations frequently misconceive the regulations of the Sarbanes-Oxley Act. In many cases, organizations have not taken steps towards SOX compliance solely because they lack an understanding of the requirements of the legislation.

SOX is strictly an enterprise finance issue
• Sarbanes-Oxley was actually designed to assure that the preparation, disclosure, and maintenance of information is conducted under best practices for ALL publicly-traded and certain private corporations. Considering that the generation, retention, and transactions of financial departments are profoundly dependent on technology, IT departments are also heavily affected by this mandate.

Compliance is up to the independent corporate auditor
• The law, conversely, was purposely created to ensure that companies are held accountable for the accuracy of their financial reporting and public disclosures. Both CEOs and CFOs must implement, monitor, and evaluate both the success of their internal controls and the measures taken for corporate financial reporting. After the internal evaluation is complete, an independent auditor must be brought on to attest to the executives’ initial assessment and file a report on his/her findings.

Clean financial statement audits prove compliance
• The procedures independent auditors follow when checking financial statements are not designed to measure SOX compliance: they check only the correctness of the statements in hand and do not take into account the effectiveness of internal controls. Many other factors contribute to sufficient SOX compliance, including changes to internal policies, revamping of IT infrastructures, creation of document and records management, and altering communication methodologies.


Who Does Sarbanes-Oxley Affect?

Unlike other comparable government legislation that zones in on specific industries and business sectors, the Sarbanes-Oxley Act affects a wide range of organizations in all industries, both inside and outside the United States. Becoming compliant with the mandate of SOX is necessary for all publicly traded firms, private organizations with public debt in the United States, as well as qualifying foreign organizations.

It is understandable why United States companies involving public interests would be regulated under by Enron, US investors need to be absolutely certain the information they are receiving regarding a particular company (foreign or domestic) is both financially fair and accurate, so that they are able to make informed and logical investment decisions. Aware of a global concern for the stability of homeland markets, the United States government implemented SOX to regulate all organizations holding US investment interests and to mitigate any further corporate conduct discrepancies. Included in the thousands of US companies registered companies. These companies, from 59 foreign countries, are also represented on the New York Stock Exchange and the NASDAQ. In these instances, the overseas companies are also subject to SOX based on their involvement with US public interests. Furthermore, under the same rationale, the statute affects thousands more foreign entities by forcing any non-US company with US subsidiaries to also comply.

How Will SOX Influence Information Technology?

Although SOX affects every level of an organization, much of the burden of compliance will fall on upper-tier executives as well as finance and IT departments. As discussed previously, the main concern surrounding SOX is the security and integrity of pertinent financial information. Given that almost all business information today is created, stored, and shared electronically, information technology, with special regard to information security, is a significant component of the effective internal controls mandated by SOX. Any aspect of information technology controls which directly affects the processes or procedures involved in creating and preparing corporate data, including all hardware, software, and IT policies relevant to the preparation and retention of information, would then be subject to compliance with the act. Taking into account that the security of an IT infrastructure directly relates to the integrity of the information stored on the system, these executives must certify not only the validity of disclosed information and the success of internal controls, but also, on a more targeted scale, the effectiveness of corporate IT security policies and procedures.

Already in 2004, more than 300 companies have admitted in SEC filings to some weaknesses in their internal controls. Source: Compliance Week

In 2004, 67% of management felt their forecasting process and reporting outputs had a high degree of reliability. In 2003 only 42% of companies made that claim. Source: Hackett Group

30-40% of a corporation's internal controls over financial reporting are dependent on information technology. Source: Businesswire

85% of companies will require changes to their IT infrastructures. Source: Information Week

In July 2004, 79% of respondents said they still had to make improvements to processes including financial reporting, auditing, computer controls, and security controls to comply with Section 404. Source: PricewaterhouseCoopers

Common Information Technology Compliance Needs

Most organizations can become SOX compliant by adding to the policies, procedures, and technology they already have. However, compliance will surely require an abundance of changes to existing corporate cultures and environments. Probably the most significant change all organizations will feel is the alteration of the roles and responsibilities of senior management. Always bearing accountability for the success of an operation, managers and executives now have to document, disclose, and certify the correctness of all material information and make public any acts of fraud appearing within corporate boundaries. To help the appropriate people accurately certify the necessary information and the success of relevant business processes, organizations are going to have to evolve current policies and procedures to meet SOX compliance requirements.

Changes to internal policies are the foremost step towards full compliance. According to SOX, all corporations must pass a set of rules for every division within a company that may be involved in the generation, manipulation, and reporting of corporate information. With regard to IT departments, these policies will be created to drive security and ensure the integrity of all information contained on the network. Documented policies and procedures set acceptable rules for employees’ and executives’ conduct alike and, furthermore, provide blueprints on how certain situations should most effectively be handled, eliminating guesswork and inadvertent transgressions. Setting information security policies, properly enforcing them, and proactively evolving existing policies to adjust to corporate growth is the backbone of SOX compliance and is essential to achieving optimum performance and security on the system.

Although properly executed acceptable use policies are a good defense against many of the internal threats facing corporate infrastructure, they cannot protect the integrity of corporate data alone. A solid infrastructure incorporates numerous technologies, including those that protect corporate confidentiality, maintain the continuity of secure network operations, and further assist in enforcing corporate network and Internet policies. These solutions should include firewalls for traffic monitoring, comprehensive auditing features to reveal user and system activity, strong encryption mechanisms to ensure data integrity when transferring pertinent information, user authentication mechanisms such as passwords and digital certificates, and a system back-up module to provide critical recovery services. A cohesive collection of all these applications is a step in the right direction for SOX compliance, as well as a chance for organizations to empower their IT infrastructure through technologically advanced applications. Such improvements not only provide governmental compliance and greater network protection but can also result in a dramatic performance increase.


How Guardian Digital Helps Organizations with SOX Compliance

Corporations affected by Sarbanes-Oxley will spend upwards of 0.01% (for large enterprises) and 2.0% (for small-to-medium sized businesses) of their revenue on compliance solutions. To many organizations this is a substantial investment. Guardian Digital’s portfolio of secure solutions can help organizations of all sizes cost-effectively adhere to the mandates of this legislation while increasing the security and performance of their corporate infrastructure. Engineered to be secure, Guardian Digital solutions provide organizations with everything from secure web and email services to VPN applications, as well as best-in-class intrusion detection and prevention, proxy management, policy enforcement applications, and a myriad of other security-rich tools designed to ensure system integrity and efficiency of business processes. Realizing that compliance needs are as distinct as the organizations themselves, each solution utilizes the merits of open source technology to offer highly secure, customized applications engineered for your corporate environment. With Guardian Digital on the network, SOX compliance can transform from an enterprise nuisance to a near-effortless, cost-effective way to increase system security and performance while ensuring IT infrastructure conformity with government regulations.

Benefits of Guardian Digital Solutions in SOX Compliance

Engineered Security
Designed with security applications at every level, Guardian Digital’s award-winning solutions provide best-in-class security to ensure the effectiveness of internal IT controls.

Customization Ability
Utilizing the merits of open source software, Guardian Digital solutions can be customized to work with any infrastructure and fit any and all IT compliance needs.

Improved System Performance
Guardian Digital’s Internet and network solutions are engineered with the perfect blend of bulletproof security and unmatched productivity applications to increase the security, speed, and power of corporate networks.

Ease of Configuration and Deployment
IT compliance can be met quickly and easily with Guardian Digital’s simplified web-based management system. System settings are configured easily, giving IT managers more time for core competencies and less time worrying about system security.

Automated Updates
Automatic system updates through the Guardian Digital Secure Network keep corporate infrastructures current and consistently secure.

Unparalleled Support
The extensive support packages offered by Guardian Digital provide corporations with everything from technical assistance to managed services and project engineering, ensuring EnGarde systems operate at their optimum performance level.

Table 1.1 on the following page describes the effectiveness of Guardian Digital solutions to corporate SOX compliance needs.

GUARDIAN DIGITAL SOLUTION QUICK FACTS

DATA INTEGRITY
· EnGarde Secure Linux
· Secure Mail Suite
· Internet Defense and Detection Server

CORPORATE CONFIDENTIALITY
· EnGarde Secure Linux
· Internet Defense and Detection Server

SECURE INFORMATION ACCESS
· EnGarde Secure Linux
· Secure VPN Server Suite

STABILITY OF NETWORK OPERATIONS
· EnGarde Secure Linux
· Secure Mail Suite
· Internet Defense and Detection Server
· Guardian Digital Secure Network

CORPORATE POLICY ENFORCEMENT
· EnGarde Secure Linux
· Secure Mail Suite
· Internet Acceleration and Management Server

INFORMATION BACK-UP AND RECOVERY
· EnGarde Secure Linux


TABLE 1.1 - The Guardian Digital Solution to Corporate Compliance Requirements

Sarbanes-Oxley IT Infrastructure Requirement: Assurance of Data Integrity
Guardian Digital Solutions: Guardian Digital solutions help IT infrastructures conserve the integrity of corporate data with:
• Industry-standard data encryption - protects data integrity when being transmitted over insecure channels such as the Internet.
• System-wide access controls - ensure sensitive corporate information is accessed only by authorized users.
• Digital certificates - provide authentication by identifying where data is coming from, allowing users to determine its legitimacy.
Corresponding Application Suites: EnGarde Secure Linux, Secure Mail Suite

Sarbanes-Oxley IT Infrastructure Requirement: Corporate Confidentiality
Guardian Digital Solutions: Guardian Digital helps relieve corporate confidentiality concerns through:
• Powerful network and host intrusion detection - provides administrators with the ability to track potential intruders and prevent unauthorized system access.
• Gateway firewall services - provide bulletproof protection for network integrity and corporate confidentiality from malicious activity and cyber vandals.
• Sophisticated access control methods - administrators can configure firewalling and port forwarding capabilities as well as fine-tune user access to system applications.
• Authentication mechanisms - such as passwords and digital certificates help keep corporate information away from intruders.
Corresponding Application Suites: EnGarde Secure Linux, Internet Defense and Detection Server

Sarbanes-Oxley IT Infrastructure Requirement: Secure Information Access
Guardian Digital Solutions: Guardian Digital incorporates various technologies for secure access to critical information, including:
• Secure remote access - utilizing secure shell accounts provides a secure, encrypted communications link from a remote location, eliminating the risk previously found in other remote access methods.
• System-wide access controls - ensure sensitive corporate information is accessed only by authorized users.
• IPsec VPN - allows branch offices and mobile users to securely connect and communicate with an organization's internal network.
Corresponding Application Suites: EnGarde Secure Linux, Secure VPN Server Suite

Sarbanes-Oxley IT Infrastructure Requirement: Corporate Policy Enforcement
Guardian Digital Solutions: Guardian Digital can ensure corporate policies are stringently enforced utilizing:
• Web and email content filtering - protects users from inappropriate conduct while ensuring system resources are being used for legitimate business purposes.
• System- and user-specific auditing and reporting - provides administrators with information regarding user and system activities, allowing policy offenders to be identified.
• Internet user access controls - allow administrators to manage groups of users' access to Internet resources, restrict access to unauthorized sites, or permit access to only specific sites.
• Application controls - give administrators the ability to allow or deny access to specific media types, such as executables, Real Audio, NetMeeting, streaming media, MP3 files, etc., according to corporate policies.
Corresponding Application Suites: EnGarde Secure Linux, Secure Mail Suite, Internet Acceleration and Management Server

Sarbanes-Oxley IT Infrastructure Requirement: Stability of Secure Network Operations
Guardian Digital Solutions: Through multi-tiered defenses and embedded security, Guardian Digital solutions ensure the consistent efficiency and availability of network operations via:
• System-wide virus protection - provides the best defense against common as well as unknown viruses by detecting and disinfecting (if possible) viruses through on-demand and scheduled virus scanning and file scanning.
• Frequent automatic system updates - provide corporate systems with the most secure and up-to-date applications available.
• Auditing and graphical system reporting - gives administrators the information necessary to pinpoint performance bottlenecks, identify unauthorized system use, and show overall system performance.
Corresponding Application Suites: EnGarde Secure Linux, Secure Mail Suite, Internet Defense and Detection Server, Guardian Digital Secure Network

Sarbanes-Oxley IT Infrastructure Requirement: Information Back-up and Recovery
Guardian Digital Solutions: Through a comprehensive back-up and recovery system, corporations can increase the effectiveness of document management with protection against data loss.
• Back-up & recovery system - protects valuable corporate information and saves substantial time and money when recovering from an unfortunate disk failure.
Corresponding Application Suites: EnGarde Secure Linux


Corporate Headquarters
Guardian Digital, Inc.
165 Chestnut Street
Allendale, NJ 07401, USA

Phone: 201-934-9230
Fax: 201-934-9231

www.guardiandigital.com

All contents are copyright © Guardian Digital, Inc. 2004. All Rights Reserved. Guardian Digital, Inc., Guardian Digital Corporate Logo, EnGarde, Secure Mail Suite, WorkGroup Suite, Secure VPN Server Suite, Internet Acceleration and Management Server, Internet Defense & Detection System, Corporate Commerce Suite, Internet Productivity Suite, WebTool, Guardian Digital Secure Network, GDSN, and Master Support are trademarks of Guardian Digital, Inc.