
Sarbanes-Oxley: An email security selling tool

This tip contains email security strategies that make consultants and value-added resellers (VARs) indispensable to SOX-compliant businesses.

The Sarbanes-Oxley Act (SOX) is a massive overhaul of the way America does business. Public companies must have certain controls in place, including the ability to archive and search their emails over the last seven years. Non-compliance can bring senior management up to 20 years of jail time and fines up to $5 million. That sort of penalty tends to concentrate one's focus. It also gives value-added resellers (VARs) and consultants a great selling tool. Consultants who customize off-the-shelf hardware and software to meet these needs will find a fertile market for their services.

SOX Section 404

One of the most critical sections of SOX is section 404. It requires the management of a public company to assess the effectiveness of the company's internal control over financial reporting (as of the end of the company's most recent fiscal year). SOX makes management legally commit to the veracity of the internal controls in use.

That means whatever internal control system is in place for the audit gets graded on a number of criteria set down by the Public Company Accounting Oversight Board (PCAOB), the private-sector, non-profit corporation set up to oversee implementation. PCAOB answers to the Securities and Exchange Commission, which in turn has the ultimate responsibility to see that SOX is carried out. It should be noted that PCAOB has considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all." It has to be customized for any size of business, which is where you come in.

The board has defined examples of what companies should not do: circumstances that are a strong indicator of a material weakness in a company's internal controls. One such instance is when significant deficiencies have been communicated to management and the audit committee but remain uncorrected after a reasonable period of time. In other words, not acting on a consultant's recommendations may be seen in a harsh light by PCAOB. This requirement may be the most effective selling tool a consultant has ever been given.

A publicly traded company now has the requirement under SOX to have effective audit controls in place, along with message and information retention policies and solutions. SOX gives you the chance to present to management a comprehensive enterprise-wide strategy to fulfill this need. You must be able to present a comprehensive solution meeting all the requirements that SOX imposes, from written policies to document retention products that support those policies.

Solution partners

There's a range of hardware solutions embedded with software that will work for most enterprises. Your job is to pick the right one.

EMC is the 800-lb gorilla in the space, especially since it bought RSA Security and Network Intelligence. Network Intelligence compliance software and EMC Centera hardware in combination can solve the problem of security data management for your enterprise customers. EMC Centera uses a Content-Addressed Storage architecture so that security information written to online archives is authenticated and cannot be modified: each object is addressed by a digest of its own content, so any alteration is detectable. Using Centera's Content Addressable Storage technology, classes of security information can be marked as un-erasable over a given retention period to comply with corporate and government data retention policies, or be put on litigation hold if ordered.
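To make the retention model in the paragraph above concrete, here is an added example (not EMC's, Centera's or Network Intelligence's code) of a minimal content-addressed archive: objects are addressed by the SHA-256 of their bytes (an assumed choice of digest), re-verified on every read, and protected from deletion by a retention deadline and an optional litigation hold. The clock is injectable so the retention rules can be exercised offline.

```python
import hashlib
import time


class ContentAddressedArchive:
    """Write-once archive keyed by the SHA-256 of each record's bytes.

    Every address carries a retention deadline. Deletion is refused while the
    deadline has not passed or while a litigation hold is set on the address.
    This is an illustrative model, not a real Centera API.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock (seconds since epoch)
        self._objects = {}       # address -> (bytes, retain_until)
        self._holds = set()      # addresses currently under litigation hold

    def write(self, data: bytes, retain_seconds: float) -> str:
        address = hashlib.sha256(data).hexdigest()
        retain_until = self._now() + retain_seconds
        if address in self._objects:
            # Identical content is already archived: never overwrite it, just
            # extend its retention if the new policy demands a longer period.
            stored, existing = self._objects[address]
            self._objects[address] = (stored, max(existing, retain_until))
        else:
            self._objects[address] = (data, retain_until)
        return address

    def read(self, address: str) -> bytes:
        data, _ = self._objects[address]
        # Recompute the digest on every read so bit-rot or tampering of the
        # stored bytes is detected rather than silently returned to an auditor.
        if hashlib.sha256(data).hexdigest() != address:
            raise ValueError("archived object does not match its content address")
        return data

    def litigation_hold(self, address: str, on: bool = True) -> None:
        (self._holds.add if on else self._holds.discard)(address)

    def delete(self, address: str) -> bool:
        """Return True if deleted, False if retention or a hold still protects it."""
        _, retain_until = self._objects[address]
        if address in self._holds or self._now() < retain_until:
            return False
        del self._objects[address]
        return True
```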

While NI is now part of EMC, they also have partnered in the past with other entities to serve the smaller business. Network Engines is one such vendor. Their ApplianceEngine 1000 Series consists of 1U rack mounted platforms designed to satisfy the requirements of most applications. The ApplianceEngine 1000 Series can be configured with a single Pentium™ D, Pentium 4 or Celeron™ processor, up to 4 GB of SDRAM, up to four hot-swap SATA hard drives and two embedded Gigabit Ethernet interfaces. It's their base model for the smaller enterprise.

The NE AE7100sr is a 3U rack-mounted server optimized for more processing power. It can be configured with up to two Xeon processors and up to eight hot-swap SCSI disks. Its airflow/thermal-control design is said to be optimized for the next-generation Xeon platform. The AE7100sr is aimed at large storage and archiving applications, and allows for increased capacity.

Auditing the auditors

SOX also requires that at least once every three years PCAOB inspect every firm that audits public companies. That means that SMB auditing firms (and the audits they sign off on) are being looked at for the first time. In turn, the companies they provide services for are having their audits reviewed by PCAOB. You can therefore pitch a records-retention solution to any size public company – including the auditors themselves.

A pre-built, customizable email retention appliance may be a useful approach. Not only does it minimize disruption to existing systems, it may also eliminate any problems with liability regarding the design of that system. Moreover, the solution will be up and running faster than if you self-integrate hardware and software for the customer.

About the author
Larry Loeb has been online since the world revolved around {!decvax}. He's been in many of last century's dead tree magazines about computers, having been a Consulting Editor to the late, lamented BYTE magazine, among other things. You can reach him at
