Want to Stay Out of Jail? Going Thin-Client Is Your Safest Bet

Can your IT practices lead to jail time? Under the new Sarbanes-Oxley Act signed into law by President Bush on July 30, 2002, this concept is not as outlandish as it sounds.

Steve Kaplan

Suppose your legal department directs IT to delete all old email on a fixed schedule. If the intent is to avoid producing incriminating correspondence in response to court or agency requests for information, the company could be in violation of the document-destruction provisions of Sarbanes-Oxley. The Act carries serious penalties, including corporate fines of up to $25M, individual fines of up to $5M, and jail terms for executives of up to 20 years.

Sarbanes-Oxley

Enacted as a result of the accounting scandals at Enron, WorldCom and other corporations, the Sarbanes-Oxley Act is the most sweeping legislation covering public-company disclosure since the 1930s. Law firms and legal departments around the country are scurrying to analyze the Act's provisions and to determine what impact they will have on the document-retention policies of corporate America.

Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, Sarbanes-Oxley requires that the records of an audit of a publicly traded company, including correspondence, communications, electronic documents, faxes and application data exchanged between the company and its public auditors, be retained for five years. It requires the CEO and CFO to sign certifications that the statements in each periodic report are true and can be supported with the necessary documentation, which means the company must be able to furnish the records behind its public assertions about its financial statements. It also prohibits retaliation against employees who report abuse and, in such whistleblower cases, places the burden on the company to prove that it would have taken the same action regardless of the report.

The broad language of Sarbanes-Oxley is scary. For instance, the obstruction provision added by Section 802 of the Act (18 U.S.C. Section 1519) states: "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

Something as low-profile as an employee reporting sexual harassment to Human Resources (with an anticipated follow-up complaint to the EEOC) could bring Section 1519 into play. From the moment the employee complains to Human Resources, the company is presumably responsible for preserving, for the next five years, every email and document that could possibly bear on a harassment or discrimination claim. Even allowing users to load distasteful games, animations and images onto the network could conceivably put companies at risk.

Section 1519 is also the part of the legislation that makes it particularly dangerous for the legal department to establish a blanket policy of deleting all email. The intent behind such a policy could easily be construed as an attempt to destroy documents in contemplation of a potential government investigation, in which case the company and its officers could be in violation of Sarbanes-Oxley.

Organizations could, of course, continue destroying non-pertinent email and related documents and retain only those messages that might be relevant to an investigation. But this strategy is fraught with problems. Even if a company could work out a categorization scheme for deciding which emails and documents to keep, applying it would be a subjective process distributed across many individuals. It would consume tremendous personnel resources and still be far from infallible.
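To make the trade-off in the preceding paragraph concrete, here is an added example (not from the original article, and not code from any product it mentions) of how a retention job should behave if old mail is purged at all: messages past the retention window are deleted only when no legal hold covers them, and every decision is written to an audit trail so the purge is defensible later. The messages, the hold and the 90-day window are constructed for illustration; the field names and the hold-matching rules (custodian, date range, optional subject keywords) are assumptions, not anything the article or the Act prescribes.

```python
"""Legal-hold-aware mail retention (constructed example, not production code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: Tuple[str, ...]
    sent: date
    subject: str


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: FrozenSet[str]      # mailboxes whose mail must be preserved
    start: date                     # earliest sent date the hold covers
    end: Optional[date] = None      # None: hold has not been released
    keywords: Tuple[str, ...] = ()  # empty: every custodian message is held


def hold_applies(hold: LegalHold, msg: Message) -> bool:
    """True if msg is covered by hold: a custodian is a party, the date is in
    range, and (if the hold is keyword-scoped) the subject matches."""
    parties = {msg.sender, *msg.recipients}
    if not (parties & hold.custodians):
        return False
    if msg.sent < hold.start:
        return False
    if hold.end is not None and msg.sent > hold.end:
        return False
    if hold.keywords and not any(k.lower() in msg.subject.lower() for k in hold.keywords):
        return False
    return True


def blanket_purge(messages: List[Message], today: date, retention_days: int) -> List[str]:
    """The policy the article warns about: delete everything older than the window."""
    cutoff = today - timedelta(days=retention_days)
    return [m.msg_id for m in messages if m.sent <= cutoff]


def plan_retention(messages: List[Message], holds: List[LegalHold],
                   today: date, retention_days: int):
    """Return (to_delete, preserved, audit). Holds are evaluated before age,
    so a held message is never a deletion candidate regardless of its age."""
    cutoff = today - timedelta(days=retention_days)
    to_delete, preserved, audit = [], [], []
    for m in messages:
        matched = [h.hold_id for h in holds if hold_applies(h, m)]
        if matched:
            preserved.append(m.msg_id)
            audit.append((m.msg_id, "retain", "hold:" + ",".join(matched)))
        elif m.sent <= cutoff:
            to_delete.append(m.msg_id)
            audit.append((m.msg_id, "delete", f"older than {retention_days}d, no hold"))
        else:
            preserved.append(m.msg_id)
            audit.append((m.msg_id, "retain", "within retention window"))
    return to_delete, preserved, audit


# Constructed sample data (hypothetical mailboxes and dates).
TODAY = date(2002, 9, 30)
SAMPLE_MESSAGES = [
    Message("m1", "alice@corp.example", ("bob@corp.example",), date(2002, 5, 1), "Q1 expense approvals"),
    Message("m2", "carol@corp.example", ("hr@corp.example",), date(2002, 6, 15), "Complaint about manager"),
    Message("m3", "bob@corp.example", ("carol@corp.example",), date(2002, 6, 20), "Re: schedule change"),
    Message("m4", "alice@corp.example", ("bob@corp.example",), date(2002, 9, 20), "Lunch"),
    Message("m5", "dave@corp.example", ("carol@corp.example",), date(2002, 6, 1), "Project kickoff"),
]
# Hold opened the day the HR complaint was filed, covering the complainant and HR.
SAMPLE_HOLDS = [
    LegalHold("HR-2002-07", frozenset({"carol@corp.example", "hr@corp.example"}), date(2002, 6, 15)),
]

if __name__ == "__main__":
    print("blanket purge would delete:", blanket_purge(SAMPLE_MESSAGES, TODAY, 90))
    deletes, kept, log = plan_retention(SAMPLE_MESSAGES, SAMPLE_HOLDS, TODAY, 90)
    print("hold-aware purge deletes:", deletes)
    for entry in log:
        print(*entry)
```

With the sample data, the blanket purge would delete m2 and m3, the two messages that document the complaint and the complainant's treatment afterwards; the hold-aware plan deletes only m1 and m5 (m5 predates the hold), and the audit trail records why each message was kept or removed. The order of evaluation is the point: the hold check runs before the age check, so releasing a hold, not raising the retention window, is the only way a held message ever becomes deletable.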

The same type of problem arises when employees create and store documents on their local PCs. Suppose a document saved on an employee's local hard drive supports a claim of discrimination against a whistleblower. Management's ignorance of the document's existence could leave them badly blindsided in a court proceeding. The same scenario could play out with any documents that establish or validate the trail of facts behind the conclusions in the company's certified financial statements.

The Server-Based Computing Alternative

Sarbanes-Oxley is forcing PC-based organizations to finally confront a seemingly simple question: which makes more intuitive sense, storing corporate information on individual hard drives of PCs and servers across the country or even the world, or centralizing all corporate information in corporate data centers where it is always backed up, managed, redundant and secure?

All communications, documents and work flows should both originate and be stored on central servers. Companies need to eliminate the "personal" from personal computers and instead make them information access appliances. Doing so ensures that Management will always have copies of every stored document and will be able to utilize software and hardware products to better protect and access the central information.

Fortunately, establishing a centralized computing environment does not require going back to the mainframe era of six-month queues to get MIS to generate a new report. Microsoft's Windows 2000 Terminal Services and Citrix MetaFrame software enable organizations to use PC servers to build centralized computing environments. Users consequently have all the flexibility and versatility they expect from PCs while companies enjoy the advantages normally associated with the mainframe world: better security, standardization, control and lower costs.

This type of architecture is often referred to as thin-client: the fat applications execute on central servers, and just enough thin client software runs on PCs or Windows terminals for them to reach those servers. The client receives only screen updates and sends back keyboard and mouse input, so all processing and data remain on the Windows 2000/Citrix central servers. Employees use computers or Windows terminals only as information access appliances.

Thin-client makes far more sense than distributed PC processing from a security perspective. Failed individual hard drives do not affect the integrity of corporate data. Employees can no longer load their own applications without IT permission. All network access can be channeled through a limited number of data centers where it can be much better monitored and controlled. Complementary software products such as AppSense enhance an organization's ability to limit the execution of email-attached documents and to virtually eliminate the threat of macro viruses affecting Microsoft Exchange and Office. The flip side of centralization is that the terminal servers now hold every user's sessions and data, so their patching, hardening and access control deserve correspondingly more attention than any single PC ever did.

Beyond providing an environment much more conducive to satisfying Sarbanes-Oxley, a thin-client architecture also makes far more economic sense than a distributed computing environment. For instance, individual PCs no longer need upgrading to accommodate more resource-intensive applications or operating systems. Remote offices generally do not require servers, tape backups, UPS devices or network administrators. And the need for PC-support technicians largely goes away (if a PC breaks, it is generally replaced with an inexpensive Windows terminal that has no moving parts at all and a mean time between failures measured in decades).

Because users receive only screen updates, which require very little bandwidth, a thin-client computing environment enables employees to access their data quickly from anywhere, whether using their own PCs at headquarters, Windows terminals in a remote office, or a VPN connection from home over the Internet. This in turn enhances productivity and generates more enthusiasm among employees who are no longer chained to their desks. Since the IT help desk can use Citrix MetaFrame to shadow employees' sessions, it can provide much faster and better support, and can also train users across the enterprise simultaneously.

Centralized processing provides strategic advantages as well. Applications are deployed to users around the country in a matter of hours meaning that employees have much faster access to relevant software and information. New employees can be set up in a matter of minutes simply by taking a Windows terminal out of the box and plugging it in. Remote offices can come on line with nothing more than Windows terminals, a hub, router and Internet connection.

Ancillary Server-Based Computing Benefits

Companies tend to save so much money when migrating from fat-client to server-based computing that they can afford to build much more robust data centers. They can also easily afford Exchange enhancement products such as Enterprise Vault by KVS. Enterprise Vault greatly reduces data storage requirements and enables far superior document classification and retrieval (Enterprise Vault's ability to dramatically reduce the cost of discovery in the event of Sarbanes-Oxley related requests can generate an ROI that stands on its own).

Centralized computing also greatly enhances disaster recovery and business continuity. For instance, companies can maintain Windows 2000/Citrix servers and replicated data in multiple data centers. If one data center fails, processing for users across the enterprise simply shifts to another, so they do not suffer extended downtime.

There has never been a more important time to reexamine the practices and procedures around corporate document and email retention. With a server-based computing environment supplemented with salient email policies, a CEO can sign the compliance document without wondering if an email or document exists that might make her certification inaccurate.


Steve Kaplan is vice president, enterprise accounts, for Vector ESP, a leading integrator of Web-centric computing solutions. Ranked as the number one server-based computing integrator, Vector is helping to define the rapidly emerging market for enterprise integration portals, providing seamless access to Web-centric and legacy applications via a single, flexible platform.

Kaplan is the coauthor of Citrix MetaFrame for Windows Terminal Services: The Official Guide. He was a charter columnist for Solutions Integrator, and was formerly a columnist for Reseller Management. He has had articles published in several computer industry magazines as well as in The Journal of Cash Management and in Supermarket Business. He is also the author of a thin-client comic book, a Clipper-compiled point-of-sale program and an early PC DOS user's manual.


For more information on ACP Industrial Thin Client computers, please visit our web site at http://www.thinmanager.com
