Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture

1. INDUSTRY VOICE
>>> Stock Options Backdating
In Sync: Network Time
I
N 2006 hundreds of companies were implicated in even that did not stop some companies from continuing back-
stock-option timing scandals, and a number of exec- dating practices. Accurate timing of transactions — stock or
utives were indicted for illegally backdating stock otherwise — is fundamental to any SOX report. Further, begin-
options. While greed is the primary reason for back- ning in August 2002, and pursuant to SOX and other securities
dating, it is abetted by weak enforcement of corpo- laws, the SEC started requiring companies to disclose their
rate governance that should prevent the practice in stock-option awards within two days of options grants.
the first place. Often, there also is a lack of technical With new regulations in place, backdating now is a regula-
controls on corporate networks to deter such activities. tory issue, and, as such, companies can no longer bury their
Options backdating is the dating of employee stock options heads in the sand and hope no one notices. It has become
with an earlier date than the actual date of the grant. The clear that the element of time is now an internal control. Any
objective is to choose a date on which the price of the under- weaknesses in tracking the time of stock-option grants must
lying stock is lower than the current price, resulting in an be investigated, reported and corrected.
instant profit to the grantee. When dealing with tens or hun- Companies now must take the necessary steps to ensure
dreds of thousands of shares, and price differentials in the that any backdating will be detected. Besides the develop-
range of $50 a share, the amount of illicit gain can be immense. ment of policies, procedures and standards around backdat-
This time distortion results not only in the value of the ing, there are technical solutions that can be implemented to
option being much greater to the employee receiving it, but support such an endeavor.
in a correlative detriment to shareholders by way of stock
Time Synchronization Is Imperative
>>> About the Author These technical solutions center on time synchronization.
Ben Rothke, CISSP , Companies must proactively create a time-synchronization
Senior Security Consultant, INS mandate and ensure that it is correctly deployed throughout
Ben Rothke is a senior security consultant at their IT environments. Fortunately, creating such a time syn-
Mountain View, Calif.-based INS and the author of chronization infrastructure is relatively easy, and the ROI on
“Computer Security: 20 Things Every Employee
Should Know” (McGraw-Hill, 2006). You can contact such an undertaking can be significant.
him at ben.rothke@ins.com. As time-synchronization hardware is a needed investment,
properly communicating the need to management is crucial to
price dilution. While backdating of stock options is not nec- getting funding for the technology. Synchronizing time is a fun-
essarily illegal if the grantor of the stock options properly dis- damental business and technology decision that should be an
closes the backdating, it remains to be seen whether some integral part of an effective network and security architecture.
other fiduciary duty has been breached. The need for this is evident in that an enterprise informa-
Most of the legal issues arising from backdating are a result tion network and security infrastructure is highly dependent
of the grantor falsifying documents to conceal the backdating. on synchronized time. In addition, there also are regulatory
According to attorney Louis Brilleman, counsel at Sichenzia issues that require correct synchronized time — from NASD
Ross Friedman Ference in New York, a law firm specializing in OATS, FFIEC and GLBA, to Visa CISP and many more.
securities matters, backdating is illegal under most circum- All of these regulations recognize that correct time is crit-
stances. The practice usually leads to the creation of fraudu- ical for transactions across a network. Many events on the
lent documents through the disclosure of misleading corpo- network need the correct time to initiate jobs, complete
rate earnings and the improper reporting of the option grant transactions, etc. Correct time is critical for billing systems,
under applicable tax rules, Brilleman explains. authentication systems, manufacturing, forensics and more.
Options backdating has been going on for many years. The Common to all of these regulations is the requirement that
rules changed in 2002 with the passage of Sarbanes-Oxley, but financial transactions and changes to electronic records be
w w w. w a l l s t r e e t a n d t e c h . c o m MARCH 2007 41

2. INDUSTRYVOICE >>> Stock Option Backdating
accurately time-stamped. To provide accurate time stamps, Without a policy, there will be no impetus for staff to achieve
all network devices must be synchronized relative to nation- accurate, synchronized time. Often, a simple policy, such as,
al and international time standards “Time synchronization to an accurate time source is required
At the application and operating system level, most appli- on all enterprise network devices,” is a sufficient first step.
cations and networking pro-
tocols require correct syn-
chronized time. Vendors
such as Microsoft, Cisco, Ora-
>>>
“Synchronizing time is a
fundamental business and tech-
Step 4: Architecture
The first step to architecting
an accurate time-synchro-
cle, Red Hat, Novell and Baan nization solution is to estab-
all state that their systems nology decision that should be lish a network time source,
must be configured to an
authoritative time server for
an integral part of an effective known as a reference clock,
for tracability to national and
proper and secure use. network and security architecture.” international standards. A
Time servers cost from typical reference clock would
$2,000 to $10,000, depend- use GPS (Global Positioning
ing on the level of accuracy and redundancy required. Time System) to receive time from satellites. Second, create a
servers, which take but a few hours to install, provide addi- downstream topology for all network components to use the
tional benefits, such as reduced downtime and the ability to reference clock as the network’s master source of time.
mitigate legal exposure.
Options backdating is the problem, and time synchroniza- Step 5: Auditability
tion is the solution. But getting from solution to implementa- Steps 1 through 4 are important from a technical perspective.
tion takes proper planning and project management. With that, But even with the most sophisticated timing device, you still
the following five steps can be used as a high-level framework need to have independent and auditable time controls in
for implementing synchronized time in your organization. place. As part of this, you must be able to prove to auditors
and regulators that the time on any monitored system was
Step 1: Risks and Requirements correctly synchronized with a specified time source.
The first step is to formally determine the risk to your compa- Also, it is important to note that time synchronization will
ny if you do not have synchronized time. Don’t underestimate not magically cure a regulatory material weakness leading to
the risks; if you don’t practice due care pertaining to the time an internal controls problem. Those in control of time syn-
on your network system, you can be legally liable for negligence chronization still can manipulate time and/or data. It
and held accountable for the ramifications of that negligence. becomes an issue, at least in part, of taking control over this
Next, determine how accurate your clocks need to be. This material weakness away from insiders. With that, it is imper-
can be anywhere from milliseconds to a few seconds. Finally, ative to ensure that insiders are not engaging in any time-
advise management of the risks of nonsynchronized time and based data manipulation.
get their approval for the purchase of time-synchronization Also, if something goes to court, you need to prove that all
equipment and the initiation of a time-synchronization project. your devices on your network are synchronized and that all
transactions that took place are able to provide an accurate,
Step 2: Hardware and Software authenticated time source. This requires that all logs are han-
Start meeting with vendors of time-synchronization equipment dled within the context of digital forensics and staff members
to determine the solution that best fits your organization and are following the appropriate rules of evidence.
specific needs. Some of the leading vendors in this space
include Spectracom, Symmetricom and EndRun Technologies. Conclusion
The backdating fiasco demonstrates that the need for syn-
Step 3: Policy chronized time is a crucial business and technology require-
If policies for time synchronization are not in place already, ment. As such, it is an integral part of an effective network and
work with the information security department to ensure that security architecture. Ensuring accurate time is relatively inex-
time synchronization becomes part of the global enterprise pensive and offers a significant ROI. And it is a great way to
information technology policy. Time synchronization must be stop your company from getting negative press — not to men-
made part of the corporate IT systems and security policies. tion to keep your management team from being indicted. <<<
42 MARCH 2007 w w w. w a l l s t r e e t a n d t e c h . c o m