Network World

Getting ahead of Sarbanes-Oxley

Thermo Electron's Michael Kamens zeroes in on compliance.
By Bob Brown, Network World, 09/20/2004

Four years ago, Michael Kamens joined Thermo Electron with marching orders to keep the $2 billion-plus maker of scientific instruments' global network up and running. Fast-forward to now, and Kamens finds himself neck-deep in network security and making sure IT is doing its part to make Thermo compliant with rules outlined in the Sarbanes-Oxley Act, which requires that a properly audited system of internal controls and processes is in place by November. Below is a summary of in-person and e-mail discussions between Kamens and Network World Executive News Editor Bob Brown.

Give me a thumbnail sketch of your job responsibilities and your company's network setup.

As global network/security manager I have a lot of responsibilities. I'm responsible for the creation of all IT security policies, Sarbanes audit procedures/testing and the training of 12 IT security auditors globally. My main concentration for the past 18 months has been IT security audits to ensure compliance with Sarbanes-Oxley Section 404 [management assessment of internal controls] and COBIT [security and control practices issued by the IT Governance Institute]. I modified the Deloitte & Touche Sarbanes tool to satisfy the requirements of our 118 global locations. I personally performed more than 60 on-site IT security audits. I'm also responsible for the design, engineering and operation of an [Internet Security Systems] SiteProtector intrusion-detection system consisting of 100 LAN- and host-based sensors plus 750 Desktop Protector licenses. We also beta-tested and installed 500 Determina host-based intrusion-prevention systems globally on all Win2K, [Internet Information Server], SQL Server and Exchange servers.

What about the network itself?

We've designed, engineered and implemented a Nortel Contivity solution with Nortel 2600s in the U.K., California and Massachusetts authenticating via three CiscoSecure ACS RADIUS servers for more than 3,000 mobile users. Migration to Microsoft Routing and Remote Access is in progress to enable more thorough integration with our Active Directory infrastructure. We've also designed, engineered and implemented a 118-node, fully meshed VPN globally utilizing IPSec/Triple-DES with [multipoint generic routing encapsulation] over regular T-1/E-1 circuits. This carries traffic for more than 10,000 users who send between 1.5 million and 2 million e-mails monthly and access corporate SAP, Hyperion, iManage and several other centralized applications.

How has your job changed over your four years at Thermo? For example, how much time are you spending on security-related issues vs. keeping the network up and running?

Initially my responsibility focused on building the VPN, which required 100% of my time. As of 24 months ago, additional security responsibilities such as creating IT security policies, training a global IT security team/IT security auditors consumed most of my time. As such, day-to-day VPN oversight was turned over to my senior network engineer with security requiring 90% of my time and 10% left to the VPN. As of 12 months ago, the Sarbanes requirements started accounting for 40% of my time, with general security 20%, security audits 25% and a [Microsoft] SMS project 15%.

As a network and IT security executive, how big a deal is Sarbanes-Oxley?

Sarbanes is all-encompassing as we consider failure not to be an option. All resources will be utilized to ensure full compliance.

When did your team start preparing for it, and what steps has your group taken?

We started almost 12 months ago but have increased our efforts dramatically in the past six to eight months. A Thermo Control Guide has been formalized along with a portal site to log all our findings and the steps to remediation. We have stepped up our internal education of compliance requirements. Weekly Sarbanes meetings are held to review the current status.
