Cyber Security Industry Alliance Kicks Off Sarbanes-Oxley Compliance Initiative

Washington, D.C. – December 14, 2004 – Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group exclusively focused on cyber security policy issues, today kicked off an initiative on Sarbanes-Oxley compliance with the release of a report outlining the implications of Section 404 on information security. The question is no longer “whether” Section 404 covers information security the report concludes, but rather “how” to comply with this critical section in the context of IT security.

Congress adopted Sarbanes-Oxley, and Section 404 in particular, to protect investors and shareholders by ensuring the integrity of financial reporting and forcing corporate officials to take full responsibility for public disclosures required under the law. There is, however, considerable question over the law’s implications for corporate information security. After an extensive and objective review of the statute, and its implementing guidance by outside experts, CSIA finds that the internal control provisions clearly require publicly traded companies to employ information security to the extent necessary to ensure the effectiveness of internal controls over financial reporting.

“Companies are now realizing the sheer magnitude of implementing Sarbanes-Oxley Section 404 controls, and many have only touched the tip of the iceberg,” said BindView CEO Eric J. Pulaski. “Compliance and successful audits for Sarbanes-Oxley place an extraordinary burden across the enterprise, and particularly on IT organizations that must respond to the demanding and watchful eyes of their CEOs, CFOs and boards of directors. With millions of dollars, company reputation and your personal liability at stake, it’s a safe bet that few compromises will be made in locking down internal controls. While many companies will meet the initial deadlines by throwing people and money at the problem, the greatest long-term challenge will be how to sustain compliance in an affordable manner.”

With publicly traded companies increasingly relying on complex and interdependent IT systems to run their businesses, a key question is whether Sarbanes-Oxley regulators have provided sufficient guidance to corporate management and auditors on IT governance and security to comply with Section 404. In this context, CSIA will hold a summit in Washington, D.C. in April 2005 with representatives from both the corporate management and auditing communities to examine their experiences in complying with Sarbanes-Oxley and to address the question whether additional guidance is needed.

“Corporate boards and executive management are still wrestling with differing interpretations of Sarbanes-Oxley and information security, which vary widely depending on whether you are talking to the CEO, CFO, CIO, legal counsel, policymakers or regulators,” said Bill Conner, President, CEO and Chairman of Entrust, Inc. “The debate, however, has now moved beyond whether Sarbanes-Oxley covers information security to how best public companies can comply with the law. Our emphasis should now be on the people, process and technologies that constitute information security governance.”

“While we have determined that information security is clearly covered under Sarbanes-Oxley, an open question remains whether the guidance provided by regulators is sufficiently detailed and specific for managers of publicly traded companies to comply with this aspect of the law,” said Paul Kurtz, executive director of CSIA. “As a second step in this initiative, we are organizing a summit in April with key stakeholders affected by the internal controls provisions to actively address the questions that still remain and consider whether additional guidance is necessary from the Federal government and other organizations.”

CSIA’s report on Sarbanes-Oxley was researched and developed by Lee Zeichner, president of Zeichner Risk Analytics, and John Tritak, president of Tritak Consulting and former director of the Critical Infrastructure Assurance Office at the Department of Commerce. To obtain a complete copy of the report, please visit

About CSIA

Launched in February 2004 by a group of cyber security software, hardware and services companies, the CSIA is an advocacy group whose mission is to enhance cyber security through public policy initiatives, public sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards and public education. The CSIA is the only CEO public policy and advocacy group exclusively focused on cyber security policy issues.

Members of the CSIA include BindView Corp. (NASDAQ: BVEW); Check Point Software Technologies Ltd. (NASDAQ: CHKP); Citadel Security Software Inc. (NASDAQ: CDSS); Computer Associates International, Inc. (NYSE: CA); Entrust, Inc. (NASDAQ: ENTU); Internet Security Systems Inc. (NASDAQ: ISSX); Juniper Networks, Inc. (NASDAQ: JNPR); McAfee, Inc. (NYSE: MFE); PGP Corporation; Qualys, Inc.; RSA Security Inc. (NASDAQ: RSAS); Secure Computing Corporation (NASDAQ: SCUR), Symantec Corporation (NASDAQ: SYMC) and TechGuard Security, LLC.

To learn more about the CSIA, please visit our Web site at or call +1-202-204-0838.

Don't miss