In Sync Network Time Ben Rothke


Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture.

Published in: Technology, Business

INDUSTRY VOICE >>> Stock Options Backdating

In Sync: Network Time

www.wallstreetandtech.com, MARCH 2007, pp. 41-42

In 2006 hundreds of companies were implicated in stock-option timing scandals, and a number of executives were indicted for illegally backdating stock options. While greed is the primary reason for backdating, it is abetted by weak enforcement of corporate governance that should prevent the practice in the first place. Often, there also is a lack of technical controls on corporate networks to deter such activities.

Options backdating is the dating of employee stock options with an earlier date than the actual date of the grant. The objective is to choose a date on which the price of the underlying stock is lower than the current price, resulting in an instant profit to the grantee. When dealing with tens or hundreds of thousands of shares, and price differentials in the range of $50 a share, the amount of illicit gain can be immense.

This time distortion results not only in the value of the option being much greater to the employee receiving it, but in a correlative detriment to shareholders by way of stock price dilution. While backdating of stock options is not necessarily illegal if the grantor of the stock options properly discloses the backdating, it remains to be seen whether some other fiduciary duty has been breached.

Most of the legal issues arising from backdating are a result of the grantor falsifying documents to conceal the backdating. According to attorney Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in New York, a law firm specializing in securities matters, backdating is illegal under most circumstances. The practice usually leads to the creation of fraudulent documents through the disclosure of misleading corporate earnings and the improper reporting of the option grant under applicable tax rules, Brilleman explains.

Options backdating has been going on for many years. The rules changed in 2002 with the passage of Sarbanes-Oxley, but even that did not stop some companies from continuing backdating practices. Accurate timing of transactions — stock or otherwise — is fundamental to any SOX report. Further, beginning in August 2002, and pursuant to SOX and other securities laws, the SEC started requiring companies to disclose their stock-option awards within two days of options grants.

With new regulations in place, backdating now is a regulatory issue, and, as such, companies can no longer bury their heads in the sand and hope no one notices. It has become clear that the element of time is now an internal control. Any weaknesses in tracking the time of stock-option grants must be investigated, reported and corrected.

Companies now must take the necessary steps to ensure that any backdating will be detected. Besides the development of policies, procedures and standards around backdating, there are technical solutions that can be implemented to support such an endeavor.

Time Synchronization Is Imperative

These technical solutions center on time synchronization. Companies must proactively create a time-synchronization mandate and ensure that it is correctly deployed throughout their IT environments. Fortunately, creating such a time synchronization infrastructure is relatively easy, and the ROI on such an undertaking can be significant.

As time-synchronization hardware is a needed investment, properly communicating the need to management is crucial to getting funding for the technology. Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture.

The need for this is evident in that an enterprise information network and security infrastructure is highly dependent on synchronized time. In addition, there also are regulatory issues that require correct synchronized time — from NASD OATS, FFIEC and GLBA, to Visa CISP and many more.

All of these regulations recognize that correct time is critical for transactions across a network. Many events on the network need the correct time to initiate jobs, complete transactions, etc. Correct time is critical for billing systems, authentication systems, manufacturing, forensics and more.

Common to all of these regulations is the requirement that financial transactions and changes to electronic records be accurately time-stamped. To provide accurate time stamps, all network devices must be synchronized relative to national and international time standards.

At the application and operating system level, most applications and networking protocols require correct synchronized time. Vendors such as Microsoft, Cisco, Oracle, Red Hat, Novell and Baan all state that their systems must be configured to an authoritative time server for proper and secure use.

Time servers cost from $2,000 to $10,000, depending on the level of accuracy and redundancy required. Time servers, which take but a few hours to install, provide additional benefits, such as reduced downtime and the ability to mitigate legal exposure.

Options backdating is the problem, and time synchronization is the solution. But getting from solution to implementation takes proper planning and project management. With that, the following five steps can be used as a high-level framework for implementing synchronized time in your organization.

Step 1: Risks and Requirements

The first step is to formally determine the risk to your company if you do not have synchronized time. Don’t underestimate the risks; if you don’t practice due care pertaining to the time on your network system, you can be legally liable for negligence and held accountable for the ramifications of that negligence.

Next, determine how accurate your clocks need to be. This can be anywhere from milliseconds to a few seconds. Finally, advise management of the risks of nonsynchronized time and get their approval for the purchase of time-synchronization equipment and the initiation of a time-synchronization project.

Step 2: Hardware and Software

Start meeting with vendors of time-synchronization equipment to determine the solution that best fits your organization and specific needs. Some of the leading vendors in this space include Spectracom, Symmetricom and EndRun Technologies.

Step 3: Policy

If policies for time synchronization are not in place already, work with the information security department to ensure that time synchronization becomes part of the global enterprise information technology policy. Time synchronization must be made part of the corporate IT systems and security policies.

Without a policy, there will be no impetus for staff to achieve accurate, synchronized time. Often, a simple policy, such as, “Time synchronization to an accurate time source is required on all enterprise network devices,” is a sufficient first step.

Step 4: Architecture

The first step to architecting an accurate time-synchronization solution is to establish a network time source, known as a reference clock, for traceability to national and international standards. A typical reference clock would use GPS (Global Positioning System) to receive time from satellites. Second, create a downstream topology for all network components to use the reference clock as the network’s master source of time.

Step 5: Auditability

Steps 1 through 4 are important from a technical perspective. But even with the most sophisticated timing device, you still need to have independent and auditable time controls in place. As part of this, you must be able to prove to auditors and regulators that the time on any monitored system was correctly synchronized with a specified time source.

Also, it is important to note that time synchronization will not magically cure a regulatory material weakness leading to an internal controls problem. Those in control of time synchronization still can manipulate time and/or data. It becomes an issue, at least in part, of taking control over this material weakness away from insiders. With that, it is imperative to ensure that insiders are not engaging in any time-based data manipulation.

Also, if something goes to court, you need to prove that all your devices on your network are synchronized and that all transactions that took place are able to provide an accurate, authenticated time source. This requires that all logs are handled within the context of digital forensics and staff members are following the appropriate rules of evidence.

Conclusion

The backdating fiasco demonstrates that the need for synchronized time is a crucial business and technology requirement. As such, it is an integral part of an effective network and security architecture. Ensuring accurate time is relatively inexpensive and offers a significant ROI. And it is a great way to stop your company from getting negative press — not to mention to keep your management team from being indicted.

>>> About the Author

Ben Rothke, CISSP, Senior Security Consultant, INS

Ben Rothke is a senior security consultant at Mountain View, Calif.-based INS and the author of “Computer Security: 20 Things Every Employee Should Know” (McGraw-Hill, 2006). You can contact him at
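Step 5 asks for proof that a monitored system was synchronized with a specified time source, and notes that insiders can still alter time or data. The following Python is an added example, not part of the article: it assumes NTP is the synchronization protocol, that the specified source is a stratum-1 server reporting the reference ID `GPS`, and a hypothetical policy tolerance. It computes a host's clock offset from a server reply and hash-chains each audit record so later edits are detectable.

```python
import hashlib, json, struct
NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_s):  # Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)
    return round((unix_s + NTP_DELTA) * 2**32)

def from_ntp(ts):
    return ts / 2**32 - NTP_DELTA

def parse_reply(pkt):
    """Decode the RFC 5905 header fields an audit needs from a 48-byte reply."""
    (flags, stratum, _poll, _prec, _rdelay, _rdisp,
     refid, _ref, org, rx, tx) = struct.unpack("!BBbbII4sQQQQ", pkt[:48])
    return {"leap": flags >> 6, "mode": flags & 7, "stratum": stratum,
            "refid": refid.rstrip(b"\0").decode("ascii", "replace"),
            "t1": from_ntp(org), "t2": from_ntp(rx), "t3": from_ntp(tx)}

def record_hash(rec):
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit(host, pkt, t4, policy, prev_hash):
    """Build one chained audit record; t4 is the host's local receive time."""
    r = parse_reply(pkt)
    offset = ((r["t2"] - r["t1"]) + (r["t3"] - t4)) / 2  # host clock error
    findings = []
    if r["mode"] != 4 or r["leap"] == 3:
        findings.append("source not a synchronized server")
    if r["stratum"] != 1 or r["refid"] != policy["refid"]:
        findings.append("source is not the specified reference clock")
    if abs(offset) > policy["tolerance_s"]:
        findings.append("offset exceeds tolerance")
    rec = {"host": host, "checked_at": t4, "offset_s": round(offset, 6),
           "stratum": r["stratum"], "refid": r["refid"],
           "findings": findings, "prev": prev_hash}
    rec["hash"] = record_hash(rec)
    return rec

def chain_intact(records, prev="0" * 64):
    """True only if no record was altered, removed or reordered."""
    for rec in records:
        if rec["prev"] != prev or rec["hash"] != record_hash(rec):
            return False
        prev = rec["hash"]
    return True

def sample_reply(t1, t2, t3, stratum=1, refid=b"GPS\0"):  # constructed reply: LI=0, VN=4, mode=4
    return struct.pack("!BBbbII4sQQQQ", 0x24, stratum, 6, -20, 0, 0, refid,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))
```

Keep the newest record hash somewhere the time-server administrators cannot write to; the chain proves integrity only relative to that anchor.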