• 27Sep

    From ITBusinessEdge.com - Posted by Lora Bentley on September 25, 2007 at 3:18 pm

    Business Insurance reports that the SEC reiterated its position yesterday regarding Sarbox compliance deadline extensions for smaller companies: There won’t be another one.

    Specifically, the SEC’s corporation finance director, John White, said:

    I would just urge all of you that are advising small companies that, at least from this building (the SEC), we are not anticipating any extensions … If you want to do this in an efficient and effective way, you should be getting to work on the task that is at hand for the end of the year.

    Companies with a market capitalization of less than $75 million must comply with the controversial corporate reform law’s internal controls requirements beginning this year. The agency has already delayed the deadline for internal controls compliance four times, and the story indicates that some SMBs are “still moving slowly” on compliance.

    Given the tone of White’s comments, I would guess they’re in for a rude awakening if they don’t get it in gear. 

    Small companies are supposed to be compliant with the management portion of the act for financial statements filed on or after Dec. 15, 2007, and compliant with the SEC’s auditor assessments by 2009. Will your company be ready?

  • 26Sep

    ITBusinessEdge.com - Posted by Carl Weinschenk on September 21, 2007 at 11:11 am

    Small businesses need to watch how they research and buy — as well as discard — computers and computer-related devices. The reason is simple: In many cases, gadgets are sold, given away, donated or trashed with valuable data intact.

    This week, Dell said that it is offering a service to customers with fewer than 10 pieces of computer equipment that will allow them to more professionally manage and return the machines. While security is not the only reason this is a good idea — there are dangerous materials in computer screens and keyboards that must be disposed of properly — it is a key driver. The need to manage the data on computing gear leaving an organization is growing more important as regulations tighten and criminals get more enterprising.

    The key is ensuring that data really is off the devices’ drives. This well-done overview of the data wiping issue at How Secure is My Computer says that deleting or even reformatting the hard drive doesn’t actually wipe out the information. It only removes the entries in the index or table of contents; the actual data can be recovered fairly easily.

    The writer says that truly erasing the hard drive involves wiping software that overwrites the real data with nonsensical data. The author also recommends “history wiping” software that deletes Internet history, pictures viewed and just about everything else. True data wiping involves spreading a pattern of meaningless data, reversing that pattern in a second sweep and, in a third sweep, spreading a random pattern of ones and zeros.

    Companies worrying about information remaining on their antiquated machines after they are outside the control of the company are not neurotic. This Chosun feature recounts an experiment by two apparently well-financed MIT students who bought 158 computers from online auctions. The students recovered 5,000 credit card numbers and a tremendous amount of other personal data.

    The story also notes that putting files in a machine’s trash can or recycle bin doesn’t delete the actual data and that the U.S. Defense Department only considers data truly obscured if it is covered with garbage files seven times. It is important to pay attention to cell phones as well. An effort similar to the MIT initiative led to the recovery of 27,000 pages of personal data from 10 used phones.

    One sure way to make sure the wrong people don’t retrieve data from drives involves a chain saw and safety goggles. Though it’s a funny image, experts say that actual physical destruction of drives is a sure-fire option. Of course, this approach tends to depress the resale value of the machine.

    For those of us who failed shop class, here are a couple of examples of the many sites on the Internet that offer advice on how to truly cleanse drives. Simplehelp offers a tutorial on how to use Darik’s Boot and Nuke (DBAN), which promises to wipe all data off the hard drive. With only seven steps, it’s not as intense as some other online tutorials. This post at FOSSwire describes a resident program in most Linux and some UNIX distributions called shred. Again, it doesn’t seem overwhelming — especially considering it is Linux-based.
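    The three-sweep scheme the post describes (a fixed pattern, its reverse, then random ones and zeros) is easy to see at file level. The script below is an added example written for this page, not code from the post, from DBAN or from shred; it assumes a POSIX shell with dd, tr, wc, grep and mktemp, and it works on a single file with a constructed sample record rather than a whole disk. The demo function writes a known marker, runs the three passes, and then checks that the marker can no longer be found and that the file size is unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): three-pass overwrite of one file
# in the style the post describes, then a check that the plaintext is gone.
# Assumes POSIX dd, tr, wc, grep and mktemp. For real disposal use the tools
# the post names (shred, DBAN); this only shows the mechanics on a file.

three_pass_wipe() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0          # nothing to overwrite

    # Pass 1: fixed pattern 0x55 (binary 01010101) over every byte
    dd if=/dev/zero bs="$size" count=1 2>/dev/null | tr '\000' '\125' > "$file"

    # Pass 2: the reverse pattern 0xAA (binary 10101010), flipping every bit
    dd if=/dev/zero bs="$size" count=1 2>/dev/null | tr '\000' '\252' > "$file"

    # Pass 3: random ones and zeros from the kernel's random source
    # (for multi-megabyte files use a smaller bs with a computed count,
    # since a single large read from /dev/urandom may be short)
    dd if=/dev/urandom of="$file" bs="$size" count=1 2>/dev/null
}

# Demo: create a constructed sample record, wipe it, verify nothing readable
# remains and the file is the same size. Returns 0 on success, 1 on failure.
wipe_file_demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed record: SAMPLE-SECRET-RECORD-0001\n' > "$tmp"
    before=$(wc -c < "$tmp" | tr -d ' ')

    three_pass_wipe "$tmp"

    after=$(wc -c < "$tmp" | tr -d ' ')
    if grep -q 'SAMPLE-SECRET' "$tmp"; then
        echo "marker still recoverable from $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ "$before" -ne "$after" ]; then
        echo "size changed from $before to $after" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    echo "wiped $before bytes in three passes; marker no longer present"
    return 0
}

# Usage: . ./wipe_demo.sh && wipe_file_demo
```

    The real tool does the same job with less typing: `shred -n 3 -z FILE` runs three overwrite passes and a final pass of zeros. The caveat that shred’s own documentation gives still applies to any file-level approach: on journaling or copy-on-write filesystems, and on flash drives with wear levelling, the blocks you overwrite may not be the blocks that held the old data, which is why whole-disk tools like DBAN, or physical destruction, remain the answer for hardware that is leaving the company.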

  • 25Sep

    Making the Case

    Where does it all begin? Like any project in a company, basic organizational needs must be addressed before anyone pays attention to the project.

    • Get a realistic budget approved
    • Involve all levels of the organization
    • Utilize the experience of other organizations in your geographic location or engaged in a similar business
    • The plan starts as a project, but becomes an integral part of the fabric of an organization
    • It’s about the people

    Addressing these needs can be the first hurdle that will need to be cleared, but it will certainly not be the last.

    Lisa DuBrock is a Partner and IT Compliance Practice Manager for The Radian Group, LLC.  You can contact her via email.