Chugach Electric Gets Control of Spreadsheets for SOX Compliance with Brainloop Secure Dataroom

Most organizations don’t have any of those standard controls in place around spreadsheets, and Chugach was no different.”
– Cheryl Klein, Founder and Principal Consultant, GRC Consulting Services

Spreadsheets out of Control

Chugach Electric Association needed to get its Excel spreadsheets under control for compliance with Sarbanes-Oxley (SOX) regulations. “A lot of organizations have issues with Excel spreadsheets,” said Cheryl Klein, founder and principal consultant of GRC Consulting Services. “The most often-used financial application for tracking, accounting and reporting is Excel. Unfortunately there are very few controls around anything within Excel to ensure that the information is valid, that it is correct, that it reports correctly, that someone hasn’t made a change inadvertently… Generally speaking most organizations don’t have any of those standard controls in place around spreadsheets, and Chugach was no different.”

Chugach Electric, headquartered in Anchorage, Alaska, is the largest producer and distributor of electricity in the state. It is a member-owned cooperative and therefore a private organization, though it had taken on a public debt which required it to comply with federal financial regulations, including SOX.

To bring the organization into compliance, Chugach Electric enlisted an outside consultancy, Certified Security Solutions. Cheryl Klein was the lead consultant for this project. She assembled a team of IT and financial professionals to implement the proper controls and processes for SOX compliance, test them for effectiveness and interface with their external auditor KPMG. (Klein has since started her own company, GRC Consulting Services, which specializes in governance, risk and compliance initiatives.)

The proliferation of spreadsheets for financial reporting was a major issue. By scanning the file server for last-modified dates at the end of the quarter, they were able to determine which spreadsheets were used in financial reporting. “We tested and validated the functionality of each one of those spreadsheets to ensure that all the formulas were being called correctly, the summations used the right ranges… So we knew that those were the key spreadsheets, tested and signed off,” said Klein.

From that point, they looked for a way to secure the spreadsheets by limiting access only to authorized individuals and creating an audit trail around journal entries and approvals. As a midsized organization, Chugach Electric did not have the time or resources to deploy a comprehensive enterprise resource planning (ERP) system such as SAP or Oracle. Instead they wanted a cost-effective, targeted solution that would enable them to achieve and maintain SOX compliance.

Brainloop Secure Dataroom for SOX Controls

Chugach Electric adopted Brainloop Secure Dataroom, a hosted service for managing and sharing confidential documents. It provides a secure, Web-based document repository with user authentication and access rights, a tamper-proof audit trail and collaboration tools. Chugach Electric used the Brainloop platform to establish controls around their financial spreadsheets.

Now they actually have a more streamlined workflow process that is better controlled than they did when just emailing spreadsheets back and forth.”
– Cheryl Klein, GRC Consulting Services

Klein continued, “The goal was to create efficient, repeatable processes for compliance. Because compliance with SOX is not a one-time thing – it’s every year you have to go through this. So the goal was to bring them to the point of initial compliance, and then a cost-effective, repeatable compliance process going forward. The use of Brainloop Secure Dataroom does both of those. We got them into compliance initially. And now they actually have a more streamlined workflow process that is better controlled than they did when just emailing spreadsheets back and forth.”

Time and Money Saved – Every Year

Reining in Excel spreadsheets closed major gap for SOX compliance. The Brainloop platform allowed Chugach Electric to achieve SOX compliance initially, as mandated by law, as well as to save time and money maintaining compliance going forward. SOX requires organizations to perform testing internally, in addition to the testing done by an external auditor. By establishing secure controls and processes around their financial spreadsheets, Chugach Electric and its auditor KPMG only have to confirm that the controls are in place and working instead of manually re-testing and re-validating the spreadsheets each quarter. This saves a tremendous amount of time and money in labor and consulting fees every year.

AIT_Profiles_Blogocon_small

 Copyright © 2010 Apropos LLC. All rights reserved.

Party Innovations Reinforces Its E-Commerce Website with Site Security Monitor

I had to go through every page in the website to clean it out. It was a major hassle.
– Jeff Sadowsky, Owner, Party Innovations

A Breach in the Website

Jeff Sadowsky, owner of Party Innovations, was surprised to see the customer forum on his company’s website had disappeared. “The forum was a place for customers to post messages and get a coupon to use on the website. One day the forum just vanished. It was a white page. I assumed there was some type of database error, so I emailed my hosting company to find out. After several hours, they finally got back with me and said our website had been maliciously attacked by hackers,” he said.

Party Innovations is a third-generation family business that made the leap to the Internet and e-commerce six years ago. Based in Brooklyn, New York, it is a distributor of promotional products and printed items for corporate events, weddings and other types of parties. The company’s website is its main sales channel and includes an e-commerce component for online orders.

About ten months prior to the breach, Sadowsky had deployed a McAfee security service for the website. The McAfee software scanned the site on a daily basis to detect and correct viruses and security vulnerabilities, but it did not catch the breach that erased the customer forum. “Here I am paying all this money for these services that were supposed to be protecting me, and it didn’t. The hackers knocked off parts of my website. I had to go through every page in the website to clean it out. It was a major hassle. I have thousands of HTML pages,” he said.

Fortunately the attack did not affect the e-commerce component of the website, and customer information was secure. But the experience left Sadowsky feeling unsettled and wanting a stronger solution for website security.

Site Security Monitor Shores Up the Site

After researching various security solutions, he picked Site Security Monitor (formerly known as 54F3). “They gave good reviews to that company. I called and spoke to a gentleman there, and he was helpful in getting it set up and assured me that it could detect for malware. And since then the issue seems to be resolved,” he said.

Site Security Monitor scans the website each day and sends Sadowsky a status report by email which categorizes security issues as low, medium and high level concerns. “Their service seems more proactive. I get the email every day and can see if there is something at a medium or high level. Then at least I can react and not have it go on for a period of time without knowing anything. We may have found one or two medium issues so far and corrected it right away. The other ones were minor and won’t affect anything,” he said.

Sadowsky also found Site Security Monitor to be more price-competitive. The fee was about 40% lower and charged on a monthly basis, whereas the previous service required a yearly commitment.

Like many businesses, Party Innovations relies extensively on its company website. This makes it an important asset to protect. After shoring up his company’s website, Sadowsky now feels much more confident about security. “I’m happy with this service so far. I like the fact that I have something that is also detecting for malware,” he said.

AIT_Profiles_Blogocon_small

 Copyright © 2010 Apropos LLC. All rights reserved.

Purewire Relies on Brocade for Delivering a Global Web Security Service with a Cloud-Based Infrastructure

We have two main goals. One is keeping users secure, and the second is not to disrupt normal web browsing activity.”
– Dr. Paul Judge, CTO and Co-Founder, Purewire

Software as a Service – Around the Globe

What infrastructure is needed to deliver a web-based software service with consistently fast performance to users around the world? While it is one matter to deliver performance to users in a dedicated, local environment, it is another altogether to deliver performance globally over the World Wide Web. This question of performance is one Purewire had to answer as it built out a data center infrastructure for its web security service, which it launched a little over a year ago.

Purewire is a software-as-a-service (SaaS) provider of web security services for organizations of all sizes – small businesses to Fortune 1000 enterprises. “Purewire provides a service to secure users while they are surfing the web,” said Dr. Paul Judge, chief technology officer and co-founder of Purewire. “We accelerate traffic, so they are getting legitimate content faster. We also are looking at the destination to make sure they are going to the appropriate places, especially in the case of businesses. And then the third thing we do is examine the responses from those websites to make sure they are not malicious and trying to attack the user’s PC or compromise that user’s computer.”

Purewire acts like a security guard sitting between a user and the web at large. “A user simply points outbound web surfing through the Purewire service. And regardless of the location or destination they are visiting, their web activity is going through this infrastructure,” he said.

The Purewire service appeals to enterprises because it offers comprehensive web security for their workers. Enterprises can enforce a user policy for web activities like browsing, web applications and social networks. It protects users inside and outside of a company’s firewall. Judge continued, “The Purewire service not only protects users when they are at the office, but also when the user picks up that laptop and goes across the street to the coffee shop or across the country to a hotel. Purewire is always in between that user and the web, so we have the same level protection regardless of location.” It applies to laptop PCs as well as mobile devices like the iPhone and Blackberry, which have previously gone unprotected. A cloud-based service also avoids having to install web security appliances at every remote or branch office. Thus, it is easier to deploy and centrally manage.

The challenge for Purewire was to deliver these security benefits without causing a perceivable slowdown in a user’s web experience, regardless of their location. “We have two main goals. One is keeping users secure, and the second is not to disrupt normal web browsing activity,” he said.

Brocade ServerIron for Global Server Load Balancing

Purewire set up server farms hosting its web security service in several data centers around the world. Then it needed a means to direct users to the best data center for the fastest response time, and within a data center, to route requests to the most available server. They chose Brocade ServerIron 350, ServerIron 450 and ServerIron 4G series of application delivery controllers to provide this global server load balancing and traffic routing capability. These application switches offered high performance and application throughput as well as ease of management in a globally distributed environment.

Dr. Judge elaborated, “No matter where a user is in the world, we need to reliably get their data routed to our data center and through our data center. So we use Brocade for load balancing and traffic redirection. Whenever a user is, say, in the middle of South America and decides they need to connect to a Purewire service, the load balancing will direct them to the appropriate data center. Then within that data center, we again use intelligent load balancing to direct that traffic to the best possible server.”

A user doesn’t know we’re there, unless and until we have to protect them from some threat.”
– Dr. Paul Judge

Performance as Designed

When asked if this cloud-based infrastructure is meeting expectations, Judge responded, “Yes, absolutely. Customers are delighted. Our channel partners are delighted. People are becoming more aware of the need to protect their users and more aware of the advantages of deploying that as a service. The number of customers that we service and the amount of traffic that we monitor is steadily increasing… The Purewire service is performing as designed – a user doesn’t know we’re there, unless and until we have to protect them from some threat.”

AIT_Profiles_Blogocon_small

 Copyright © 2009 Apropos LLC. All rights reserved.