Sarbanes Oxley News September 2012

7/28/2019 Sarbanes Oxley News September 2012

1/35

1

Sarbanes Oxley Compliance ProfessionalsAssociation (SOXCPA)

1200 G Street NW Suite 800 Washington, DC 20005-6705 USATel: 202-449-9750 Web: www.sarbanes-oxley-association.com

Dear Member,

In 1964, Arthur C. Clarke, science fictionwriter, inventor and futurist observed:

Trying to predict the future is a discouraging and hazardous

occupation, because the prophet invariably falls between two chairs.

If his predictions sound at all reasonable, you can be quite sure that in20, or at most 50 years, the progress of science and technology has madehim seem ridiculously conservative.

On the other hand, if by some miracle, a prophet could describe thefuture exactly as it was going to take place, his predictions would soundso absurd, so far-fetched, that everybody would laugh him to scorn.

Interesting

The Importance of StrongRisk Management: InsightsFrom The Examination World

By Jason C. Schemmel, Community and Regional supervisory examinerwith the Federal Reserve Bank of Richmond

Introduction

Sarbanes Oxley Compliance Professionals Association (SOXCPA)www.sarbanes-oxley-association.com
http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/


2/35

2

In 1995, the Board of Governors of the Federal Reserve System issued SR95-51, which instructed examiners to begin assigning a formalsupervisory rating to the adequacy of an institutions risk managementprocesses.

Examiners had always emphasized the importance of sound riskmanagement processes, but this guidance heralded an era of heightenedawareness in light of new technologies, product innovation and rapidlychanging banking markets.

Examiners continue to assess and consider factors such as profitability,asset quality and capital adequacy when assigning supervisory ratings,but these indicators, to a large degree, tell a story about the past.

At the heart of risk management is the concept of looking toward thefuture, as being able to identify, measure, monitor and control risksbefore they spread is critical to the conduct of safe and sound banking,regardless of the size and complexity of the institution.

Analysis of banking performance during the recession of 20072009indicates that banks with strong forward-looking risk mitigationstrategies weathered the recession more successfully than other banks,even those taking identical risks (see Weathering the Storm: A CaseStudy of Healthy Fifth District State Member Banks Over the Recent

Downturn in the summer 2012 edition of S&R Perspectives).

These successful institutions all possessed the key elements of a riskmanagement framework, including:

- An active board of directors and senior management team- Policies, procedures and risk limits governing all activities that are

clearly communicated throughout the organization- Timely and accurate management information systems (M IS)- Strong internal controls

To understand the risk management challenges currently facing ourstate member banks, we asked key members of the Federal Reserve

http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/


3/35

3

Bank of RichmondsCommunity and Regional (C&R) managementteam to identify areas that are

(1)Consistently cited in reports of examination as risk managementweaknesses or

(2)Expected to receive heightened attention in the near future. Thisarticle reinforces existing supervisory guidance and expectations anddiscusses the most commonly cited examination issues related to themanagement of credit, liquidity, market, operational, and legal andreputational risks.

Properly addressing these matters will improve the prospects of early riskdetection and help to prevent losses.

Credit Risk

C&R relationship managers and subject matter experts alike expressedconcern over three areas: new product lines, home equity lines of credit(HELOC) and appraisal review.

New Product Lines

Interviews with bankers during examinations over the previous 1224

months revealed that many management teams and boards of directorsintend to reduce future reliance on real estate lending by expanding intocommercial lending.

The number of bankers that stated this intention is striking and indicatesthe potential for fierce competition for commercial business. In fact,several banks have reported recent solicitations from third partiesattempting to negotiate participation in syndicated commercial loans.

Prior to expanding into commercial lending, or any new product line, it

will be critical for banks to properly research the product and ensure italigns with the banksstrategic plan and the risk appetite of the board ofdirectors.



4/35

4

Banks that venture into commercial lending are expected to have theappropriate expertise on staff to underwrite and monitor the credits.

Moreover, the lending staff must be guided by robust policies,procedures and risk limits.

As was the case in the late 1990s, intense competition for commercialloan customers often leads to significant easing of both loan terms andfront-end financial analysis.

Discipline was and will be a key success factor.

Existing supervisory guidance stresses:

- The importance of using formal forward-looking analysis in the loan

approval process

- The value of assessing alternative ordownsidescenarios- The dangers of unduly weighting the short-term benefit of attracting

or retaining customers through price concessions while givinginsufficient consideration to potential longer-term consequences1

Additionally, exceptions to approved underwriting and pricing policiesshould be rare, properly approved, aggregated and actively monitored bysenior management.

HELOCs

There is considerable concern among C&R credit risk specialists that,unlike many other real estate loans, the losses in HELOC portfolios haveyet to fully materialize.

Many of the loans originated from 2003 to 2007 are approaching the endof their draw periods and will soon convert from interest-only toamortizing loans or have principal due as a balloon payment.



5/35

5

Observations from recent examinations indicate that banks withsignificant concentrations of HELOCs have not fully identified andmeasured the potential impact of these events.

Institutions with significant exposure to HELOCs should ensure that

they are adhering to effective account management practices.

These include:

- Periodically refreshing credit scores on customers- Periodically assessing utilization rates- Periodically assessing payment patterns, including borrowers who

make only minimum payments or those who rely on the line to keeppayments current

- Using reasonably available tools to determine the payment status ofsenior liens associated with junior liens

- Obtaining updated information on the collateralsvalue whenmarket factors indicate a deterioration in value since origination orwhen the borrowerspayment performance deteriorates

Measurement of this data will allow bankers to identify customers whomay default when loan terms change and facilitate the creation ofeffective workout solutions.

Data procured from this analysis should also be incorporated into theinstitutions allowance for loan and lease losses (ALLL) methodology.

Appraisal Review

Examiners continue to observe appraisal review practices that areinconsistent with supervisory guidance.

Too often, appraisal reviews only consist of checklists used by thereviewer to determine compliance with federal regulations.

While determining compliance with regulations is surely critical, it ismerely one aspect of the appraisal review process.



6/35

6

Just as important is an evaluation of whether the methods, assumptionsand data sources in the appraisal (or evaluation) are appropriate andwell-supported.

An institutions policies and procedures for reviewing appraisals and

evaluations should address, at a minimum, the following:

Staff members who review appraisals and evaluations should beindependent of both the property being valued and the loan productionstaff.

Reviewers should also possess the requisite expertise to perform a reviewcommensurate with the level of risk and complexity in the transaction.

The depth of review should be appropriate for the risk and complexity ofthe transaction and property, but always be sufficient to ensure themethods, assumptions and conclusions within the appraisal andevaluation are reasonable and well-supported.

Staff within the institution should have clear written guidance on how toresolve deficiencies uncovered during a review.

All reviews should be thoroughly documented and placed withinappropriate credit files.

Liquidity Risk

All financial institutions, regardless of size and complexity, should havea formal contingency funding plan (CFP) that clearly sets out thestrategies for addressing liquidity shortfalls in emergency situations.

C&R relationship managers indicated that most banks have institutedsome form of CFP; however, many banks continue to struggle with thedetails.

In general, the CFPs reviewed during examinations do not adequatelyaddress a sufficient range of liquidity stress events.



7/35

7

The narrative section of the CFP should contain a thorough description ofany liquidity event or combination of events that could adverselyimpact the banks liquidity.

The events may be institution-specific or arise from external factors.

Examples include, but are not limited to, the inability to fund assetgrowth; the inability to renew or replace a maturing funding source;unexpected deposit runoff; or financial market dislocations.

Additionally, CFPs frequently are not robust enough with regard to thevarious stages and levels of stress severity that can occur during acontingent liquidity event.

The narrative section should fully describe the stages of each event, itsseverity and its expected duration.

Stress events should be modeled with sufficient severity to providemanagement and the board of directors with enough information toascertain the durability of the banks liquidity position.

Moreover, the duration of the event is a critical factor in accuratelymeasuring potential funding gaps and available funding sources.

Some events may be temporary while others may be longer-term.

In either case, the event should ultimately be modeled through its

conclusion.

Designing the CFP in this fashion affords the opportunity to identifyearly-warning indicators for each stage, assess potential funding needs atvarious points in a developing crisis and specify action plans.

Market Risk

Proper measurement of market risk requires regularly assessing thereasonableness of assumptions that underlie an institutionsexposureestimates.



8/35

8

C&R subject matter experts have observed repeated weaknesses in threeareas related to model assumptions: documentation, sensitivity testingand corporate governance.

Key model assumptions such as asset prepayments, nonmaturity deposit

price sensitivity and deposit decay rates are often unsupported andundocumented.

Inputs for these assumptions typically have a material impact on themodels output; therefore, it is critical to ensure they are accurate.

Assumptions should be specific to the bank and based on an appropriatelevel of empirical evidence.

The decisions made and the rationale behind them should then bethoroughly documented.

To aid in determining which assumptions exert the greatest impact onmeasurement results, banks should periodically perform sensitivitytesting.

Doing so will provide valuable insight into how to allocate scarceresources, i.e., the most critical assumptions should be given the mostattention. When actual experience differs significantly from pastassumptions and expectations, institutions should use a range ofassumptions to appropriately reflect this uncertainty.

Finally, banks should develop a comprehensive governance system foractively monitoring and regularly updating key underlying assumptions.

This system should include oversight by representatives from any majorbusiness line that can directly or indirectly influence the banks marketrisk exposure.

Deliberations from these meetings and the rationale behind changes tokey assumptions should be thoroughly documented in meeting minutes.



9/35

9

Operational Risk

C&R operational risk specialists have identified two areas of concern astechnology is increasingly integrated into the business of banking:information security and vendor management.

Information Security

One of the most common operational risk deficiencies cited duringexaminations over the last 18 months relates to information security.

It remains a challenge for all banks, regardless of size, because of thecomplex interconnectivity between the bank, its customers and itsvendors.

The proliferation of mobile devices and electronic payment channels hasincreased the opportunities for hackers to compromise bank systems andsteal critical data.

Therefore, strong internal controls surrounding access management areessential, including a robust risk assessment process; effectiveprocedures for administering, logging and monitoring critical systems;and independent validation of controls through audits or penetrationtesting.

Vendor Management

Not surprisingly, the increase in technological banking solutions has ledto an increase in outsourcing.

The scope of activities outsourced, however, has not been limited totraditional activities such as core processing and now may includeinterest rate risk modeling, stress testing or loan loss mitigationstrategies.

Recent examinations indicate that vendor management practices areoften not keeping pace with the growing volume and scope of



10/35

10

outsourcing activities, particularly in the areas of due diligence andservice provider oversight.

Due diligence prior to engagement should fully consider the providersability to meet the institutionsneeds.

Institutions should consider the providers technical and industryexpertise, operations and controls, and financial condition.

Once a contract has been signed, the institution must implement anoversight program to monitor each service providers controls,conditions and performance.

The oversight program should be commensurate with the risk of theoutsourced relationship and be thoroughly documented for use in future

contract negotiations, termination issues and contingency planning.

Legal and Reputational Risk

Finally, C&R operational risk specialists expressed concern with theproliferation of social networking platforms and their potential effect onbanks legal and reputational risks.

A social networking service is an online service, platform or site thatfacilitates the building of social relations among people who sharecommon interests, activities or relationships.

Their use has exploded as companies attempt to reach customers withadvertising and to generate business intelligence for future sales orcustomer service.

Social networks pose several risks to banking organizations, includingthe potential disclosure of nonpublic personal information (NPI),disinformation or derogatory information, and security threats such as

viruses or social engineering.



11/35

11

Any of these or similar events could result in significant lawsuits ordamage to the institutions reputation.

Banks are encouraged to develop sound social connectivity policies thatgovern the use of social media by employees and to provide adequate

training to employees on those policies.

The use of social media should also be considered in the institutionsinformation technology risk assessment.

Conclusion

The current recession has been longer and deeper than any since theGreat Depression, and institutions facing severe earnings pressures maybe tempted to reduce resources dedicated to risk management.

But evidence suggests that strong risk management, not historicalfinancial performance, is the common denominator of successfulcommunity banks.

Institutions should remain vigilant in order to identify risks that couldnegatively affect the bank and take appropriate action to measure,monitor and control them.



12/35

12

Security First: New NIST Guidelineson Securing BIOS for Servers

From N IST Tech Beat: August 21, 2012

The National Institute of Standards and

Technology (NIST) is requesting comments on new draft guidelines forsecuring BIOS systems for server computers.

BIOSBasic Input/ output Systemis the first major software that runswhen a computer starts up.

Both obscure and fundamental, the

BIOS has become a target forhackers.

Server manufacturers routinely updateBIOS to fix bugs, patch vulnerabilitiesor support new hardware.

However, while authorized updates to BIOS can improve functionality orsecurity, unauthorized or malicious changes could be part of asophisticated, targeted attack on an organization, allowing an attacker to

infiltrate an organization's systems or disrupt their operations.

BIOS attacks are an emerging threat area.

In September, 2011, a security company discovered the first malwaredesigned to infect the BIOS, called Mebromi.

An important mechanism for protecting BIOS in servers is to secure theBIOS update process, guarding against unauthorized BIOS updates.

NIST's 2011 publication on BIOS security provided instructions forprotecting BIOS in desktops and laptops.



13/35

13

The guidelines focused on the core principles of authenticating updatesusing digital signatures, BIOS integrity protection and "non-bypassibility" features that ensure that no mechanisms circumvent theBIOS protections.

BIOS Protection Guidelines for Servers addresses BIOS security in thevaried architectures used by servers.

"While laptop and desktop computers have largely converged on a singlearchitecture for system BIOS, server class systems have a more diverse setof architectures, and more mechanisms for updating or modifying thesystem BIOS," says author Andrew Regenscheid.

In addition, many servers contain service processors that perform avariety of management functions that may include BIOS updates, andthis document provides additional security guidelines for serviceprocessors.

Servers require more flexibility, according to Regenscheid, because inaddition to having different architectures, they are almost alwaysmanaged remotely.

BIOS Protection Guidelines for Servers is written for server developersand information system security professionals responsible for server

security, secure boot processes and hardware security modules.

The draft publication BIOS Protections Guidelines for Servers, (NISTSpecial Publication 800-147B), is available athttp:/ / csrc.nist.gov/ publications/ drafts/ 800-147b/ draft-sp800-147b_july2012.pdf

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Instituteof Standards and Technology (NIST) promotes the U.S. economy and

http://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdfhttp://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdf


14/35

14

public welfare by providing technical leadership for the Nationsmeasurement and standards infrastructure.

ITL develops tests, test methods, reference data, proof of conceptimplementations, and technical analyses to advance the development

and productive use of information technology.

ITLs responsibilities include the development of management,administrative, technical, and physical standards and guidelines for thecost-effective security and privacy of other than national security-relatedinformation in Federal information systems.

The Special Publication 800-series reports on ITLs research, guidelines,and outreach efforts in information system security, and its collaborativeactivities with industry, government, and academic organizations.

Executive Summary

Modern computers rely on fundamental system firmware, commonlyknown as the system Basic Input/ Output System (BIOS), to facilitatethe hardware initialization process and transition control to theoperating system.

The BIOS is typically developed by both original equipmentmanufacturers (OEMs) and independent BIOS vendors, and isdistributed to end-users by motherboard or computer manufacturers.Manufacturers frequently update system firmware to fix bugs, patchvulnerabilities, and support new hardware.

This document is the second in a series of publications on BIOSprotections.

The first document, SP800-147, BIOS Protection Guidelines, wasreleased in April 2011 and provides guidelines for desktop and laptop

systems deployed in enterprise environments.



15/35

15

In the future, NIST intends to develop a new publication providing anoverview of BIOS protections for IT security professionals to be releasedas SP800-147rev1, and will reissue the current SP800-147 as SP800-147A atthat time.

Unauthorized modification of BIOS firmware by malicious softwareconstitutes a significant threat because of the BIOSsunique andprivileged position within the PC architecture.

Malicious BIOS modification could be part of a sophisticated, targetedattack on an organizationeither a permanent denial of service or apersistent malware presence.

This document covers BIOS protections for managed and blade servers.

These types of servers contain Service Processorsspecialized

microcontrollers that provide administrators with an interface to managethe host server.

Servers, particularly those with Service Processors, may implementmultiple BIOS update mechanisms.

Servers implementing a single BIOS update mechanism, similar to thosein PC client systems, are expected to meet the guidelines in SP800-147.

The security guidelines in this publication do not attempt to preventinstallation of unauthentic BIOSs through the supply chain, by physicalreplacement of the BIOS chip, or through secure local updateprocedures.

Security guidelines are specified for four system BIOS security features:

Authenticated BIOS update mechanisms, where digital signaturesprevent the installation of BIOS update images that are not authentic.

An optional secure local update mechanism, which requires that anadministrator be physically present at the machine in order to installBIOS images without authentication.



16/35

16

Firmware integrity protections, to prevent unintended or maliciousmodification of the BIOS outside the authenticated BIOS updateprocess.

Non-bypassability features, to ensure that there are no mechanisms

that allow the system processor or any other system component tobypass the BIOS protections.

This document also provides additional information andrecommendations for implementing BIOS protections using three BIOSupdate mechanisms that are commonly implemented in servers.

This material is intended to help implementers design systems that meetthe security requirements in this publication.

Service Processors are critical management components in manymodern server designs.

They are responsible for various management features, depending on theimplementation of the system.

Some, but not all, Service Processors are able to update the systemBIOS.

This document describes the possible roles of Service Processors in thesystem BIOS update process, and describes how the security guidelinesapply to systems containing these components.



17/35

17

Understanding better

Information Operations,Electronic Warfare, Computer Network Operations

Information Operations

The integrated employment of the core capabilities of electronic warfare,computer network operations, psychological operations, militarydeception and operations security, in concert with specified supportingand related capabilities, to influence, disrupt, corrupt or usurp adversarialhuman and automated decision making while protecting our own.

Also called IO.

Electronic Warfare

Any military action involving the use of electromagnetic and directedenergy to control the electromagnetic spectrum or to attack the enemy.

Also called EW.

The three major subdivisions within electronic warfare are:electronic

attack, electronic protection, and electronic warfare support.

a. Electronic attack. That division of electronic warfare involving the useof electromagnetic energy, directed energy, or antiradiation weapons toattack personnel, facilities, or equipment with the intent of degrading,neutralizing, or destroying enemy combat capability and is considered aform of fires.

Also called EA.

EA includes:



18/35

18

1)Actions taken to prevent or reduce an enemys effective use of theelectromagnetic spectrum, such as jamming and electromagneticdeception, and

2)Employment of weapons that use either electromagnetic or directed

energy as their primary destructive mechanism (lasers, radio frequencyweapons, particle beams).

b.Electronic protection. That division of electronic warfare involvingpassive and active means taken to protect personnel, facilities, andequipment from any effects of friendly or enemy employment ofelectronic warfare that degrade, neutralize, or destroy friendly combatcapability.

Also called EP.

c.Electronic warfare support. That division of electronic warfare involvingactions tasked by, or under direct control of, an operational commanderto search for, intercept, identify, and locate or localize sources ofintentional and unintentional radiated electromagnetic energy for thepurpose of immediate threat recognition, targeting, planning and conductof future operations.

Thus, electronic warfare support provides information required fordecisions involving electronic warfare operations and other tacticalactions such as threat avoidance, targeting, and homing.

Also called ES.

Electronic warfare support data can be used to produce signalsintelligence, provide targeting for electronic or destructive attack, andproduce measurement and signature intelligence.

Computer Network Operations

Comprised of computer network attack, computer network defense, andrelated computer network exploitation enabling operations.



19/35

19

Also called CNO.

Computer network attack

Actions taken through the use of computer networks to disrupt,deny,

degrade, or destroy information resident in computers and computernetworks, or the computers and networks themselves.

Also called CNA.

Computer network defense

Actions taken through the use of computer networks to protect, monitor,analyze, detect and respond to unauthorized activity within Departmentof Defense information systems and computer networks.

Also called CND.

Computer network exploitation

Enabling operations and intelligence collection capabilities conductedthrough the use of computer networks to gather data from target oradversary automated information systems or networks.

Also called CNE.

Psychological Operations

Planned operations to convey selected information and indicators toforeign audiences to influence their emotions, motives, objectivereasoning, and ultimately the behavior of foreign governments,organizations, groups, and individuals.

The purpose of psychological operations is to induce or reinforce foreignattitudes and behavior favorable to the originator

s objectives.

Also called PSYOP.



20/35

20

Military Deception

Actions executed to deliberately mislead adversary military decisionmakers as to friendly military capabilities, intentions, and operations,thereby causing the adversary to take specific actions (or inactions) thatwill contribute to the accomplishment of the friendly forces mission.

Also called MILDEC.

Operations Security

A process of identifying critical information and subsequently analyzingfriendly actions attendant to military operations and other activities to:

a. Identify those actions that can be observed by adversary intelligencesystems;

b.Determine indicators that hostile intelligence systems might obtainthat could be interpreted or pieced together to derive critical informationin time to be useful to adversaries; and

c.Select and execute measures that eliminate or reduce to an acceptablelevel the vulnerabilities of friendly actions to adversary exploitation.

Also called OPSEC.

Note:

Air University, with headquarters atMaxwell Air Force Base, Ala., is a keycomponent of Air Education and TrainingCommand, and is the Air Force's center forprofessional military education.



21/35

21

An interesting article about China. We will beglad to discuss other opinions in our nextnewsletter.

Chinas Slowdown May Be WorseThan Official Data Suggest

by Janet Koech and Jian Wang

In the months following the 200809 economiccrisis, emerging-market economies robustlyrebounded.

Output in China and India expanded more than

10 percent in 2010, and Brazilsgross domestic product (GDP) growth of

7.5 percent was its best performance in 25 years.



22/35

22

Emerging-market economies retraced their precrisis level of industrialproduction by 2009, while advanced economies remained below theirprecrisis levels in 2012 (Chart 1).

But the strong emerging-market reboundmost significantly inChinahasnt endured.

When Chinasaverage GDP growth remained above 9 percent in 2011,hopes rose that a sustained recovery would prop up the world economyamid the European sovereign debt crisis and subpar growth in the U.S.

However, Chinas economy deteriorated rapidly in 2012, with GDP growthslowing to 8.1 percent in the first quarter from 8.9 percent at year- end

2011.

Second quarter GDP growth slid further, to 7.6 percent, the lowestreading since the height of the global financial crisis in early 2009.

Even with the decline, there is speculation that these figures may stillunderstate economic slowing.

Economists have long doubted the credibility of Chinese output data.

For example, some studies indicate that GDP growth was overstatedduring the 199899 Asian financial crisis, when official figures reportedthat ChinasGDP grew on average 7.7 percent annually.

Alternative estimates using economic activity measures such as energyproduction, air travel and trade data ranged from 2 percent to 5 percent.

The dubious character of the official figures is no secret in China. Senior

government officials, including Vice Premier Li Keqiang, dismissofficial GDP data asman-madeand for reference only because of

political influence, particularly at the local level, on data reporting.



23/35

23

Data Reliability

To get a more accurate picture of Chinas economy, economists examineother measures of activity that closely track growth but are less prone to

political interference than output data.

Industrial electricity consumption, a major production input, serves assuch a proxy.

If industrial output grows at a slower pace, electricity consumptionshould behave similarly.

Chinas year-over-year growth rates of industrial electricity consumptionand industrial production are shownfor 2011 and 2012 in Chart 2.



24/35

24

Red dots, illustrating 2012 activity, are below the blue dots, depicting2011, which indicates that the growth rate of industrial electricityconsumption is relatively lower this year.

This is consistent with Chinas recent economic slowdown.

The chart also shows fitted linear trendsa way of extrapolating activityover a longer periodcomputed using 2011 data only (solid line) and 2011and 2012 data (dashed line).

This depiction relies on just these two years because of limitedelectricity-consumption reporting by the China Electricity Council.

Hence, these results should be viewed with caution.

As expected, Chart 2 shows that there is a tight relationship betweenindustrial electricity consumption and industrial output.

As industrial production growth expands, Chinas industries consumemore electricity, and vice versa.

However, a closer look at the chart raises questions.

Consider a scenario in which electricity consumption doesnt increase.

To illustrate this, we extend the linear trend lines to the horizontal axis

(representingno change in electricity consumption).

The lines intercept the axis at 5 and 7.5, implying that Chinas industrialproduction continues to grow 5 percent or 7.5 percent annually(depending on which trend line we use) even when electricityconsumption remains constant.

Although heightened electricity consumption efficiency could inducepositive industrial production growth, a 7.5 percent growth rate seemstoo large to attribute to efficiency gains alone.



25/35

25

The solid line computed using just 2011 data is flatter than the dashedline computed using both 2011 and 2012 data.

Extrapolating from the trend line that includes just 2011 data pointsyields a lower, more reasonable industrial production growth rate ofabout 5 percent when the electricity consumption growth rate is zero.The same data are shown in Chart 3, with only the 2011 trend linedepicted.

Suspiciously, all 2012 data (red dots) lie below the trend line.

This suggests that given the amount of electricity consumed, Chinas

official industrial production figures for 2012 are higher than thoseimplied by the 2011 data trend.



26/35

26

For instance, Chinas industrial electricity consumption grew 5.6 percenton a year-over-year basis in March 2012.

Using the trend from 2011 data, the estimate for Marchs industrialproduction growth is about 9.3 percent rather than the 11.9 percentreported in the official data.

This discrepancy could be due to unintentional, random survey errors.

However, it is hard to imagine that all available 2012 data erred on theside of overstating industrial production growth.

Rather, it suggests that China might have overstated its 2012 industrialproduction data to mask the economysweakness.

In other words, the slowdown in China could be worse than the officialdata indicate.

Composition of Production

Of course, other factors may explain why all red dots lie below the trendline in Chart 3.

For example, growth of industrial production varied across sectorswhose consumption of electricity per unit of output differs.

For a unit of output, a company involved in steel production willgenerally consume more electricity than a factory making T-shirts.

If the growth rate of the steel industry slowed more than that of thetextile industry, we would expect to see the growth in electricityconsumption decline faster than the growth of total industrial output.

To address this industry composition effect, we include output growth oftwo different sectors in our data: the heavy and light industrial sectors.



27/35

27

The heavy industrial sector (for example, the steel industry) usuallyconsumes more electricity than the light sector (the textile industry).

The relationship between electricity consumption and industrial outputcan be more accurately estimated by analysing the two sectors separatelythan by using aggregate industrial output data.

Accounting for the sectoral difference yields more sensible results when2011 data are analyzed.

When industry electricity consumption remains constantthat is, itshows a zero growth ratelight industrial sectors grow at an annual rateof 2.8 percent, a much smaller reading than the 5 percent for aggregateoutput.

On the other hand, the heavy industrial sectors contract 1.9 percent,reflecting this industrys relatively heavy reliance on electricity.



28/35

28

Chart 4 plots actual electricity consumption growth in China (purpleline) together with estimated electricity consumption using 2011 output

data for light and heavy industries (orange line).

The two lines track each other closely, indicating a tight relationshipbetween electricity consumption and output in the heavy and lightindustries.

The blue line shows the forecast growth of electricity consumption in2012, computed from the relationship estimated from 2011 data.

The official industrial production data square well with electricityconsumption in March 2012; predicted consumption data almostperfectly match the reported data.



29/35

29

During March, growth in heavy industries declined sharply to 11.2percent from 13 percent in December 2011, while growth in the lightindustries increased to 13.9 percent from 12.6 percent over the sameperiod.

The difference in growth between the heavy and light industries explainsthe overall sharp decline in electricity consumption, while overallindustrial output growth remained strong in March 2012.

In the subsequent months, however, the out-of-sample forecasts divergesubstantially from the actual data.

Given the official industrial production numbers, our model suggeststhat China should have consumed about twice as much electricity as it

actually did.

This is not surprising after closer examination of the data.

From April to June, growth in the light industries declined more than inthe heavy industries, a reversal of Marchs activity.

Given such a pattern in Chinasofficial industrial production data,electricity consumption growth should have dropped only moderately.

However, Chinas actual electricity consumption continues to declinesharply from April to June, raising doubts about the accuracy of theofficial industrial production figures.

Improving Data Reporting

Although Chinas economic growth has slowed sharply in recentmonths, evidence suggests that the situation may be worse thanreported.

Several factors contributed to Chinasslowdown.



30/35

30

Demand for Chinasexports in Europe and the U.S. has weakened amidthe deepening European sovereign debt crisis and sluggish U.S.economic activity.

Additionally, Chinas policy response following the global financial crisisis having unintended effects on its economy.

China loosened monetary policy and undertook a massive fiscal stimulusprogram in response to 200809 developments.

These policies, which cushioned the economy from the impact of fallingdemand for exports, had the unintended consequence of generatinghigher inflation and rising asset prices, particularly in the real estatesector.

These developments forced China to reverse course and institute tightermonetary policy last year, creating another round of effects on theeconomy that continue this year.

Chinas abrupt policy changes during the past two years are nothistorically unusual and have been criticized as a source of the countrysbig economic swings, which hurt long-run growth.

Future policymakers will need more, high-quality quantitative (as

opposed to qualitative) economic research to avoid overshooting policytargets and to better stabilize the economy.

A critical first step is acquiring highquality economic data, a processalready in the works.

Chinas National Bureau of Statistics started a new data-collectingsystem under which businesses report industrial production data onlinedirectly to the national statistics agency in Beijing, reducing the chanceof manipulation by local authorities.

As the worldssecond largest economy, China plays an increasingly



31/35

31

important role in the global economy.

Acquiring accurate economic data isnot only useful to Chinaspolicymaking, but also helpful to other nations, allowing them to betterunderstand Chinas current economic conditions and design theirpolicies accordingly.

Koech is an assistant economist and Wang is a senior researcheconomist in the Research Department at the Federal Reserve Bank ofDallas.



32/35

32

Sarbanes Oxley Speakers Bureau

Visit ourSarbanes Oxley Speakers Bureau. The Sarbanes OxleyCompliance Professionals Association (SOXCPA) has established theSpeakers Bureau for firms and organizations that want to access theSarbanes Oxley expertise of Certified Sarbanes Oxley Experts (CSOEs),Certified JSOX Experts (CJSOXEs) and Certified EU Sarbanes OxleyExperts (CEUSOEs) - experts of the 8th Company Law Directive of theEuropean Union.

The SOXCPA will be the liaison between our certified professionals andthese organizations,at no cost. We strongly believe that this can be agreat opportunity for both, our certified professionals and the organizers.We will give the details of an event to one or more Sarbanes Oxley

experts, who will contact directly the organization requesting services.The Sarbanes Oxley experts will negotiate services and fees.

To learn more:www.sarbanes-oxley-association.com/ Sarbanes_Oxley_Speakers_Bureau.html

http://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.htmlhttp://www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.html


33/35

33

Certified Sarbanes-Oxley Expert (CSOE)Distance Learning and Online Certification Program.

The all-inclusive cost is $147

What is included in the price:

A.The official presentations we use in our instructor-led classes(2247 slides)

The 1271 slides cover what is needed for the exam and 976slides cover the Dodd Frank Act that is not part of theexam). Updated: February 17, 2011.

The presentations include the Auditing Standards 8 to 15

that apply to Sarbanes Oxley audits, from the PCAOB

Course Synopsis:www.sarbanes-oxley-association.com/ CSOE_Course_Synopsis.htm

B. Up to 3 Online Exams

There is only one exam you need to pass, in order to become a CertifiedSarbanes-Oxley Expert (CSOE).

If you fail, you must study again the official presentations, but you donot need to spend money to try again.

To learn more you may visit:www.sarbanes-oxley-association.com/ Questions_About_The_Certification_And_The_Exams

_1.pdf

www.sarbanes-oxley-association.com/ CSOE_Certification_Steps_1.pdf

C. Personalized Certificate printed in full color

Processing, printing, packing and posting to your office or home

http://www.sarbanes-oxley-association.com/CSOE_Course_Synopsis.htmhttp://www.sarbanes-oxley-association.com/Questions_About_The_Certification_And_The_Exams_1.pdfhttp://www.sarbanes-oxley-association.com/Questions_About_The_Certification_And_The_Exams_1.pdfhttp://www.sarbanes-oxley-association.com/Questions_About_The_Certification_And_The_Exams_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/http://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdfhttp://www.sarbanes-oxley-a

Sarbanes Oxley News September 2012

Documents

Transcript of Sarbanes Oxley News September 2012