Getting ahead of Sarbanes-Oxley

Four years ago, Michael Kamens joined Thermo Electron with marching orders to keep the $2 billion-plus maker of scientific instruments’ global network up and running. Fast-forward to now, and Kamens finds himself neck-deep in network security and making sure IT is doing its part to make Thermo compliant with rules outlined in the Sarbanes-Oxley Act, which requires that a properly audited system of internal controls and processes is in place by November.

Four years ago, Michael Kamens joined Thermo Electron with marching orders to keep the $2 billion-plus maker of scientific instruments’ global network up and running. Fast-forward to now, and Kamens finds himself neck-deep in network security and making sure IT is doing its part to make Thermo compliant with rules outlined in the Sarbanes-Oxley Act, which requires that a properly audited system of internal controls and processes is in place by November. Below is a summary of in-person and e-mail discussions between Kamens and Network World Executive News Editor Bob Brown.

Give me a thumbnail sketch of your job responsibilities and your company’s network setup.

As global network/security manager I have a lot of responsibilities. I’m responsible for the creation of all IT security policies, Sarbanes audit procedures/testing and the training of 12 IT security auditors globally. My main concentration for the past 18 months has been IT security audits to ensure compliance with Sarbanes-Oxley Section 404 [management assessment of internal controls] and COBIT [security and control practices issued by the IT Governance Institute]. I modified the Deloitte & Touche Sarbanes tool to satisfy the requirements of our 118 global locations. I personally performed more than 60 on-site IT security audits. I’m also responsible for the design, engineering and operation of an [Internet Security Systems] SiteProtector intrusion-detection system consisting of 100 LAN- and host-based sensors plus 750 Desktop Protector licenses. We also beta-tested and installed 500 Determina host-based intrusion-prevention systems globally on all Win2K, [Internet Information Server], SQL Server and Exchange servers.

What about the network itself?

We’ve designed, engineered and implemented a Nortel Contivity solution with Nortel 2600s in the U.K., California and Massachusetts authenticating via three CiscoSecure ACS RADIUS servers for more than 3,000 mobile users. Migration to Microsoft Routing and Remote Access is in progress to enable more thorough integration with our Active Directory infrastructure. We’ve also designed, engineered and implemented a 118-node, fully meshed VPN globally utilizing IPSec/Triple-DES with [multipoint generic routing encapsulation] over regular T-1/E-1 circuits. This carries traffic for more than 10,000 users who send between 1.5 million and 2 million e-mails monthly and access corporate SAP, Hyperion, iManage and several other centralized applications.

How has your job changed over your four years at Thermo? For example, how much time are you spending on security-related issues vs. keeping the network up and running?

Initially my responsibility focused on building the VPN, which required 100% of my time. As of 24 months ago, additional security responsibilities such as creating IT security policies, training a global IT security team/IT security auditors consumed most of my time. As such, day-to-day VPN oversight was turned over to my senior network engineer with security requiring 90% of my time and 10% left to the VPN. As of 12 months ago, the Sarbanes requirements started accounting for 40% of my time, with general security 20%, security audits 25% and a [Microsoft] SMS project 15%.

As a network and IT security executive, how big a deal is Sarbanes-Oxley?

Sarbanes is all-encompassing as we consider failure not to be an option. All resources will be utilized to ensure full compliance.

When did your team start preparing for it, and what steps has your group taken?

We started almost 12 months ago but have increased our efforts dramatically in the past six to eight months. A Thermo Control Guide has been formalized along with a portal site to log all our findings and the steps to remediation. We have stepped up our internal education of compliance requirements. Weekly Sarbanes meetings are held to review the current status.

What’s involved in doing audits?

The audits require internal IT, internal security auditors, external security auditors, auditors from our public accounting firm as well as IT Sarbanes contract auditors. Site visits are required initially to ascertain whether the site is in compliance followed by extensive reports indicating any remediation steps necessary.

What are the biggest surprises from doing these audits?

We expected most of the findings. The biggest surprises are that most remediation can be accomplished if we work as a team. Changes in the way IT does business has been the resulting outcome, and that is making us more secure.

From a technology standpoint, what sorts of things have you had to change to ensure Sarbanes compliance?

Most of our technology changes centered on corporate-mandated policies, procedures, guidelines and standards. Change management, password control, segregation of responsibilities and consistency in the manner with which we conduct business have been the items changed. One major technology change was the implementation of a centralized SMS patch management system to handle all the updates and patches each site needs to push out.

How has all this affected your annual IT budget?

What budget? The increased resources needed that were not anticipated when our 2004 budget was created has caused us to require additional funding. The SMS project plus the external IT Sarbanes auditors account for the majority of budget increases.

Do you have a sense of how well prepared other companies’ IT shops are for Sarbanes?

As the IT security community is fairly small, my understanding from talking to my peers is that numerous companies are in trouble. [As of September, many had] not even begun the process. Thankfully, we are ahead of the curve.

What advice would you offer them?

Take Sarbanes very seriously. Whatever resources are needed must be allocated for you to be in compliance. Failure or non-compliance will have devastating impact on your company and the way the public perceives you.

Aside from Sarbanes, what are your other hot buttons?

I have several: increased spam and how to combat it; increased hacker/cracker attempts; constant patches required to close vulnerabilities; decreased time to react from the moment a vulnerability is announced to the impending attack.