The Issue of Compliance - It’s Here and It’s Expanding!
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 8 April 2004.
By now, most high-tech conferences have devoted at least one 30-minute session to the topic of Sarbanes-Oxley (aka "Sarbox").

Complexity of language aside, Sarbox has wide-ranging implications that span the breadth of the high-tech industry. It has become increasingly important to know which portions of the law apply to your organization, and to the organizations that you do business with.

HIPAA, GLBA, ISO 17799... In addition to Sarbox, the sheer number and diversity of industry regulations make corporate compliance a challenging combination of company policy, the necessary technology, and the ability to implement both. What nearly all government and industry regulations have in common is a requirement for a comprehensive incident response process, and for the technology needed to support it.

There are two critical sides of the equation to consider: that of the corporation, and that of its clients. From a corporate perspective, getting a handle on all of the new legislation is not an easy task. An untold number of vendors are touting their ability to sell you magic software that answers all of your compliance needs: one magic band-aid to mend all of your untoward ways! Unfortunately, it doesn't work that way, and in this cautious economy, spending money on every new "issue" isn't looked upon kindly by the CFO. So how do you know which product is right for your organization? Do you really need a product at all? What about policies? Are the policies you currently have in place enough to call your organization compliant?

Those questions lead to still more: What are companies actually doing about compliance? What should they be doing? Is there a "minimum level of compliance"? Should corporations be as fearful as the 'compliance camp' tells us they should be? The questions are endless.

I decided to consult the oracle of all things, the industry expert that is not me. In this case I turned to Victor Limongelli, General Counsel for Guidance Software in Pasadena, California. Victor spoke to me about what he sees happening in the industry from implementation to compliance enforcement. The changes are real, as is the seriousness of failing to comply.

"A company could have terrible internal controls and zero ability to conduct internal investigations, but if at the end of the day they've had no fraud, then they've had no losses. It'd be less likely that the SEC would go after them than the companies that have had fraud occur that the SEC was able to uncover. However, no one really knows what the level of enforcement will be, as most of the provisions of Sarbanes-Oxley haven't come into effect yet. The 404 provisions relating to internal controls go into effect later this year for U.S. companies and next year for smaller and foreign issuers."

Copyright 1998-2013 by Help Net Security.